[German]Microsoft has released out-of-band security updates for the PrintNightmare vulnerability (CVE-2021-1675) in the Windows Print Spooler service. But these updates seem to end in chaos – it reminds me on the Printer-Gate in March 2021, where Microsoft had to release a series of update fixes to close a printer vulnerability but still allow printing. I’ll summarize a few points outside of Microsoft’s documentation in this blog post. These range from the fact that the updates don’t close the vulnerabilities, to installation issues and problems with Zebra label printers subsequently refusing to print.
Updates for vulnerability CVE-2021-1675
In all versions of Windows a Remote Code Execution (RCE) vulnerability CVE-2021-1675 exists in the Windows Print Spooler service. This allows attackers to execute arbitrary code with SYSTEM privileges. After a proof of concept (PoC) became public, there were already first attacks against the vulnerability. I had reported early on about the vulnerability in the blog post PoC for Windows print spooler vulnerability public, high RCE risk. Then, as of July 6 and 7, 2021, Microsoft also released unscheduled updates for supported versions of Windows (see links at the end of the article).
Updates don’t close all vulnerabilities
Part 1 of the drama lies in the fact that Microsoft has not managed to cleanly close the vulnerabilities in the Windows Print Spooler service. As of June 8, 2021, Microsoft had indeed closed a Local Privilege Escalation vulnerability in this service via the Windows security updates. At the beginning of July 2021, however, I had already pointed out in the blog post PoC for Windows print spooler vulnerability public, high RCE risk that although the June 2021 patch eliminated a vulnerability, remote attacks on the Windows Print Spooler service via the CVE-2021-1675 vulnerability were still possible. Microsoft hadn’t fixed all vulnerabilities.
Now Microsoft has released special updates for this vulnerability CVE-2021-1675. But a few days ago, other newly discovered vulnerabilities in the Windows Print Spooler service became known. And the out-of-band updates do not close these vulnerabilities, allowing attackers to exploit the changes made by the updates. German blog reader Carsten already pointed out the above tweet in a comment.
While the security updates released by Microsoft close a vulnerability, they can be easily bypassed. Mimikatz developer Benjamin Delpy writes in this tweet, that the Local Privilege Escalation vulnerability (LPE) and the Remote Privilege Escalation vulnerability (RCE) can still be exploited.
Delpy posted a flowchart of by-passing options in this tweet. Microsoft’s patches are working, but not really. Attacks on remote targets with \ \ in the URL are now prevented by a check, to be sure. However, if the attacker uses patterns like \ ?? \ in the UNC paths, attacks are still possible.
Addendum: Microsoft has released a statement, claiming, that things raised the above are just a wrong configuration (see Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch).
The updates cause problems
Actually, everything urges to install the unscheduled updates urgently. In the meantime, however, I have received initial feedback about problems, which I will briefly summarize.
WSUS detection and installation problems
In this German comment within my blog, a reader reported, that he has problems with detection in WSUS. Here’s an excerpt:
WSUS seems to have a detection bug again!
20H2 clients that already have KB5003690 (19042.1081) installed,
are not detected as “needed” target. Via MS the patch is found and installed.
I assume 20H2 clients with KB5004760 (19042.1082) are also affected.
I had pointed out the problem of the Servicing Stack Updates (SSU) integrated in the cumulative update (LCU) in the blog post Windows 10, the WSUS and the SSU+LCU detection chaos. There are more voices on this topic in the linked comment thread – without the required SSU from May 2021, cumulative updates from June 2021 in WSUS probably can’t be installed in Windows 10 version 2004 and higher. A solution for those affected can be found in this comment here on the blog.
If the update Windows 10 2004-21H2 drops install error 0x80242017, this stands for WU_E_UH_NEW_SERVICING_STACK_REQUIRED, so the Mai 2021 SSU is missing. See this German comment with the proposal, to download windows10.0-kb5004760-x86.msu, then extract SSU-19041.1081-x86.cab and try the command: Dism.exe /online /add-package:c:\2\SSU-19041.1081-x86.cab to install the update. In case of a x64 system use the appropriate packages.
Zebra label printers can’t print
Already directly after the release of the first out-of-band updates, German blog reader Sebastian got in touch in this comment and writes:
it looks like the update has “killed” the ticket printers for us – Windows 10 Pro x64 20H2
Intermec EasyCoder F4 and PF4i … are just clarifying what is going on.
Otherwise everything is ok so far (Canon, HP, Epson).
They wasn’t able to use the label / ticket printer after installing the update. At German site heise I found a forum thread, where users confirming striking Zebra label printers (D420, Zebra 2844, Intermec PF4i and PM43). It looks like only uninstalling the update in question can fix this problem.
Addendum: Microsoft addressed the Zebra label printer issue, see Windows 10: Microsoft fixes Zebr & Dymo printer issues caused by update (e.g. KB5004945) via KIR.
BlueScreens when printing?
On Facebook, I have received feedback from a IT specialist, telling me, that he has already had two customers with BlueScreens when printing through update KB5004945, as in March 2021. Details are not yet available – perhaps there the attention on it and give feedback here as a comment if necessary, if it occurs with you. Addendum: Got now a ton of feedback within the German blog, where users observed bluescreens with different printers.
Non English KB articles are wrong
My advice to administrators is, to use the English kb articles about all PrintNightmare issues and updates. We have the situation, that the German kb article about “Point and Print” is simply wrong and gives advices, that deactivated the feature. In this German comment, Stefan A. points out that Microsoft’s German documentation on “Point and Print” is wrong. Hanspeter Holzer explicitly points this out again in the following tweet.
Use the support article KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates, to set the relevant policy entries.
Attention with 0patch usage
Here in the blog I had discussed the micropatches from 0patch to close the vulnerability (see following link list). This solution was available before the Microsoft updates and probably does not have their consequences. So if you rely on 0patch, you should heed the following tweet (thanks to Carsten).
Patchday: Windows 10-Updates (June 8, 2021)
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebr & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
Cookies helps to fund this blog: Cookie settings