Microsoft takes the easy way out with PrintNightmare

PrintNightmare is the name given to a series of vulnerabilities in the Windows Print Spooler service. Attackers can use these vulnerabilities to escalate privileges and possibly take over domain controllers. Microsoft has reacted half-heartedly with patches and recommendations, which in practice are mostly just a nuisance for those affected. Meanwhile, these vulnerabilities are being exploited in cyber attacks, and the discoverer of the vulnerabilities is accusing Microsoft of inaction. Time for a look at the facts.

The PrintNightmare vulnerability

In early July 2021, I first reported the CVE-2021-1675 vulnerability in the Windows Print Spooler in the blog post PoC for Windows print spooler vulnerability public, high RCE risk. It is a remote code execution (RCE) vulnerability that could allow an attacker to execute arbitrary code with SYSTEM privileges. This includes installing programs, viewing, modifying or deleting data, or creating new accounts with full user privileges.

Microsoft has been trying to fix the PrintNightmare vulnerability with updates since the beginning of July 2021 (the list of links at the end of the article summarizes the blog posts on the topic). But after each patch, security researchers have shown that the PrintNightmare vulnerability was only incompletely patched. In particular, the feature called Point-and-Print, which allows users to install printer drivers, can be abused for attacks. Microsoft currently recommends disabling the Print Spooler service again.

Administrator rights required for printer installation

With the latest security update for August 2021 (see, e.g., Patchday: Windows 10-Updates (August 10, 2021)), Microsoft wants to fix the PrintNightmare issue by requiring administrator privileges for point-and-print printer installation (see, e.g., this article at The Record Media). Blog reader Jonas also points out this issue in this German comment. The following comment reached me via Facebook:

Hi all, we have started rolling out the new August cumulative update to Windows 10 clients.

Admin rights are now supposed to be required to install printers; we are now getting this prompt on 3 end devices, but not on, for example, over 60 others.

The printers were already there for the colleagues before, there was no change on the print server. Only a process for the printer assignment runs every morning… In my opinion, this prompt should not appear at all, because the drivers were already present on the device…

I have not entered login data yet and first wanted to reinstall the printer manually …

has anyone already encountered something like this?

Another reader emailed me that the August 2021 patchday updates are causing massive problems with network printers. In this German comment, there are further hints about the problem of the password query.
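To make the two mitigations discussed above concrete (disabling the Print Spooler service, and the August 2021 change that restricts Point-and-Print driver installation to administrators), here is an added PowerShell audit script. It is not from the blog post or from Microsoft; the service name Spooler and the registry path and value names under the PointAndPrint policy key are the ones Microsoft documents for Point and Print behaviour, but verify them against your own Windows build before relying on the result.

```powershell
# Added example (not from the blog post): audit a Windows host for the
# PrintNightmare mitigation state discussed above. Run in an elevated session.
# Registry path and value names are assumed to match Microsoft's Point and Print
# policy documentation; check them against your build.

$pointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PrintNightmareState {
    $svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $props = Get-ItemProperty -Path $pointAndPrintKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SpoolerStatus    = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        # 1 = only administrators may install printer drivers (the August 2021 default);
        # 0 explicitly re-opens driver installation to non-admin users
        RestrictDriverInstallationToAdministrators = $props.RestrictDriverInstallationToAdministrators
        # 1 = no warning or elevation prompt on Point and Print install (weakens the mitigation)
        NoWarningNoElevationOnInstall = $props.NoWarningNoElevationOnInstall
        # 2 = no prompt when an existing Point and Print driver is updated (weakens the mitigation)
        UpdatePromptSettings = $props.UpdatePromptSettings
    }
}

function Test-PrintNightmareMitigated {
    param([Parameter(Mandatory)] $State)
    $findings = @()
    if ($State.SpoolerStatus -eq 'Running' -and $State.SpoolerStartType -ne 'Disabled') {
        $findings += 'Print Spooler is running; disable it on hosts that do not need to print (domain controllers in particular).'
    }
    if ($State.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators is 0: non-admin users may install printer drivers.'
    }
    if ($State.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall is 1: Point and Print installs without an elevation prompt.'
    }
    if ($State.UpdatePromptSettings -eq 2) {
        $findings += 'UpdatePromptSettings is 2: Point and Print driver updates happen without a prompt.'
    }
    return $findings
}

$state = Get-PrintNightmareState
$state | Format-List

$findings = Test-PrintNightmareMitigated -State $state
if ($findings.Count -eq 0) {
    Write-Output 'No PrintNightmare-related weaknesses found in Spooler / Point and Print settings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

# The mitigation Microsoft currently recommends (commented out; apply deliberately,
# since it stops all printing on the host):
# Stop-Service -Name Spooler -Force
# Set-Service  -Name Spooler -StartupType Disabled
```

Running this across a fleet (for example via a scheduled task that writes the findings to a central log) shows which hosts still allow non-admin driver installation, which is exactly the condition the August 2021 update was meant to close and the one the readers' reports above are reacting to.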

Criticism from security researchers

Security researcher Benjamin Delpy, who made the PrintNightmare vulnerabilities public, is harshly criticizing Microsoft. Benjamin Delpy is the head of the Research & Development Security Center at Banque de France and discovered the PrintNightmare vulnerabilities on the side. He is quite outspoken in his comments to Windows Central.

Microsoft has introduced several fixes, but they still don't fully resolve all security issues related to driver/printer installation by non-privileged users. Their fix now restricts the default behavior of the spooler to not allow unprivileged users to install a driver (even a legal one). They prefer to avoid the entire problem [rather than] redesign part of the product.

Microsoft tries and tries, but can't fix the source of the vulnerabilities. It's a worse situation for administrators in business environments. 

Similar articles
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
Patchday: Windows 10-Updates (July 13, 2021)
Patchday: Windows 8.1/Server 2012-Updates (July 13, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (July 13, 2021)
Windows vulnerability PrintNightmare: It's not over yet (July 15, 2021)
Microsoft Defender for Identity can detect PrintNightmare attacks
PrintNightmare: Point-and-Print allows installation of arbitrary files
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
Windows PrintNightmare, next round with CVE-2021-36958
Ransomware gang uses PrintNightmare to attack Windows servers
Vice Society: second ransomware gang uses Windows PrintNightmare vulnerability for attacks

Patchday: Windows 10-Updates (August 10, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (August 10, 2021)
Patchday: Windows 8.1/Server 2012-Updates (August 10, 2021)
