[German]Regarding the problem, originally called PrintNightmare, that Windows systems are vulnerable via the print spooler service, there is a new warning. A remote print server that can be accessed by unauthorized parties allows arbitrary malicious files to be installed on clients via point-and-print. The US-CERT has issued a new warning about this. However, there is a possibility to mitigate this vulnerability via group policies.
Advertising
I had some articles about the PrintNightmare vulnerability here in the blog, see link list at the end of the article. Microsoft has released updates to close the vulnerabilities – but security researchers have discovered new attack capabilities that bypass the patches within hours. Until now, I always thought that an attacker would have to provide at least a signed printer driver to exploit the PrintNightmare vulnerability. Now it crystallizes that arbitrary files can be submitted to clients as a by-product of a signed WHQL driver.
New attack vector print server
I had pointed out in the post Windows vulnerability PrintNightmare: It's not over yet (July 15, 2021) that Benjamin Delpy has meanwhile published several variants of the attack possibilities on the printer interface, but I did not pay further attention to it. I only became aware of the issue again via the post by the colleagues at Bleeping Computer.
In the above tweet, mimikatz developer Benjamin Delpy points out a new attack vector via another vulnerability in the Windows Print Spooler service. Through it, third parties could use a remote server to gain administrative privileges on a Windows machine via the Queue-Specific Files feature.
Delpy has created a publicly available remote print server (see this tweet),that can be used to test the vulnerability demonstrated above. When a Windows client prints through the print server, a missing printer driver is installed via point-and-print. Although a signed printer driver is required for installation. However, Delpy mentioned a special Installing Queue-Specific Files point-and-print feature to Bleeping Computer.
Advertising
During printer installation, a vendor-supplied installer application can specify a set of files of any type to be associated with a specific print queue. The files are downloaded to any client that connects to the print server. If a malicious DLL is distributed there as well, an attacker could then use it to gain SYSTEM privileges on the Windows client. Will Dormann has meanwhile published this US-CERT warning with some explanations of the situation.
Suggested mitigations
In the US-CERT warning Will Dormann shows two approaches to make it more difficult for attackers to exploit this vulnerability.
Block SMB traffic at the network boundary
Since attackers use SMB to connect to a malicious shared printer for their exploits, the vulnerability is very easy to mitigate. It is simply a matter of blocking outbound SMB access at the boundary of one's network. Then the remote print server can no longer be reached, even if an attacker might try to access the printer locally. Note, however, that printers can be shared via the [MS-WPRN] Web Point-and-Print protocol. This allows the installation of arbitrary printer drivers without relying on SMB traffic. Also, an attacker local to the network could share a printer via SMB that would not be affected by outbound SMB traffic rules.
Configuring the PackagePointAndPrintServerList
In Microsoft Windows, there is a group policy called "Package Point and Print – Approved servers" that has entries in the registry values:
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList
and
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers
This policy allows an administrator to restrict which servers can be used by non-administrative users to install printers through Point and Print. The recommendation is to configure this policy to prevent the installation of printers through any server.
Similar articles:
Patchday: Windows 10 Updates (June 8, 2021)
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
Patchday: Windows 10-Updates (July 13, 2021)
Patchday: Windows 8.1/Server 2012-Updates (July 13, 2021)
Patchday: Updates für Windows 7/Server 2008 R2 (July 13, 2021)
Windows vulnerability PrintNightmare: It's not over yet (July 15, 2021)
Microsoft Defender for Identity can detect PrintNightmare attacks
