[German]It's the end of August 2021, and vulnerabilities in the Windows Print Spooler service, collectively known as PrintNightmare, continue to cause problems for administrators. There were security updates for the August 2021 patchday, but they offer more problems than solutions. Therefore, here is a summary as of the end of August 2021.
The PrintNightmare vulnerability
In early July 2021, I had reported the CVE-2021-1675 vulnerability in the Windows print spooler in the blog post PoC for Windows print spooler vulnerability public, high RCE risk. It is a Remote Code Execution (RCE) vulnerability that could allow an attacker to execute arbitrary code with SYSTEM privileges. This includes installing programs, viewing, modifying or deleting data, or creating new accounts with full user privileges. Microsoft has been trying to fix the PrintNightmare vulnerability through updates since early July 2021 (see the list of links at the end of the article). However, these attempts have failed so far, and the PrintNightmare vulnerability has been incompletely patched. In particular, the function called Point-and-Print, which allows users to install printer drivers, can be abused for attacks. The list of links at the end of the article summarizes blog posts on the topic. Microsoft currently recommends disabling the printer spooler service again.
Admin rights are required after August Update
With the latest security update for August 2021 (see, e.g., Patchday: Windows 10-Updates (August 10, 2021)) Microsoft fixed the PrintNightmare issue so that administrator rights are required for point-and-print printer installation. The biggest problem: For some printers it runs, without further administrator intervention, for other printers the printer driver has to be updated – which requires administrator rights. One German user comments on my blog:
I also have the problem at a customer since the August updates that the Kyocera printer driver must be updated on some clients and admin rights are required for this. There was no change on the print server except for the MS updates. However, this does not affect all clients. Why, unfortunately, is not clear to me.
Also tThis German comment within my blog confirms this with Ricoh printers. In the comments to the German blog post Patchday: Windows 10-Updates (10. August 2021), the topic is also discussed. Microsoft addressed this change in printer driver installation behavior in the Point and Print Default Behavior Change blog post. In this Spiceworks thread, someone addresses the issues of installing printer drivers via script. In this comment, a user there states that they get around the problem by using the same universal HP driver on the print servers for all black and white printing. Since the clients already have the printer driver installed, users will not get a prompt when adding other printers. For each color printer, we create printer entries, "PrinterName" and "PrinterName-Color", on the print server, using the actual driver for that printer model in the -Color version. Susan Bradley mentions in this ComputerWorld article that one of the solutions is to make sure that V4 printer drivers are installed on a network. Further explanation can be found in the article in question.
Printers no longer connect
In the German comments here and here blog readers describe that printers are no longer connected after applying the latest security update for August 2021.
In our case, new printers are only connected via GPO if the REG entry RestrictDriverInstallationToAdministrators is set to 0 on the client after the August update.
The documentation of the registry entry mentioned in the comment above can be found in the Microsoft articleKB5005652 How to manage new Point and Print default driver installation behavior. It states:
Windows updates released on August 10, 2021 and later require administrator privileges by default to install drivers. We made this change in the default behavior to minimize the risk on all Windows devices, including devices that do not use point and print or print features. By default, users without administrator privileges can no longer use dot and print to perform the following options:
- Install new printers by using drivers on a remote computer or server.
- Update existing printer drivers by using drivers from a remote computer or server.
In the article in question, Microsoft also describes how to undo this behavior. To do this, in the registry key:
the DWORD value RestrictDriverInstallationToAdministrators must be set. If the value is set to 1 or not present, administrator rights are required to update a printer driver. But you can set the value to 0 to be able to install and print drivers in the local network with the client again without administrator rights. In the Microsoft article KB5005652 How to manage new Point and Print default driver installation behavior they gives further hints for administrators to control the printer behavior (e.g. specify the allowed print servers in the network). In the Microsoft Q&A section there is this thread that addresses the problem of not being able to connect to the printer after an update installation. In this post a user suggests to solve that with a group policy using above key. In the thread there are more hints how people solved it for themselves. Another variant for printer installation via PowerShell script using an SCCM package is described here.
Policies for PrintNightmare
Just before writing this post, I came across a post on Facebook by Mark Heitbrink describing the three group policies that are needed. Mark described the GPOs required in this German post on site gruppenrichtlinien.de.
Within my German blog there is this comment thread, where it is discussed that certain GPOs do not work anymore. There is a comment by David Scheerer in which he describes the measures he has taken to solve the problems.
Tip: Concerning my links to German articles, try to use Deepl for translation.
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
Patchday: Windows 10-Updates (July 13, 2021)
Patchday: Windows 8.1/Server 2012-Updates (July 13, 2021)
Patchday: Updates für Windows 7/Server 2008 R2 (July 13, 2021)
Windows vulnerability PrintNightmare: It's not over yet (July 15, 2021)
Microsoft Defender for Identity can detect PrintNightmare attacks
PrintNightmare: Point-and-Print allows installation of arbitrary files
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
Windows PrintNightmare, next round with CVE-2021-36958
Ransomware gang uses PrintNightmare to attack Windows servers
Vice Society: 2. Ransomware gang uses Windows PrintNightmare vulnerability for attacks
Microsoft shows a "slim foot" with PrintNightmare
Patchday: Windows 10-Updates (August 10, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (August 10, 2021)
Patchday: Windows 8.1/Server 2012-Updates (August 10, 2021)
Cookies helps to fund this blog: Cookie settings