For months, a number of vulnerabilities in the Windows Print Spooler service, collectively known as PrintNightmare, have existed in all versions of Windows. Microsoft has been trying since July 2021 to close the vulnerabilities completely, so far in vain. The updates released for patchday on September 14, 2021 also cause problems, which Microsoft has now partially acknowledged. The advice is to update the printer driver to be able to print again.
The PrintNightmare vulnerabilities
Since early July 2021, vulnerabilities in the Windows Print Spooler have been public, allowing remote code execution (RCE) (see PoC for Windows print spooler vulnerability public, high RCE risk). An attacker could execute arbitrary code with SYSTEM privileges. This includes installing programs, viewing, modifying or deleting data, or creating new accounts with full user privileges.
On patchday, September 14, 2021, another PrintNightmare fix was released, but it causes problems again. For example, printers on terminal servers or print servers can no longer print. I had already reported on the issue in the blog post Patchday Sept. 2021 Review: New PrintNightmare fix, new issues, new desaster?
Microsoft confirms the issues
On September 17, 2021, Microsoft acknowledged the printing problems in the known issues section of the Windows 10 status area. The entry "Administrator credentials required every time apps attempt to print" addresses the issue that printer installation requires administrator credentials when printing. It states:
After installing KB5005033 or a subsequent update, certain printers in some environments that use Point and Print may display the "Trust this printer" prompt. In addition, when an application attempts to print to a print server or a print client connects to a print server, administrator credentials are required for installation.
This is caused by a printer driver on the print client and the print server using the same file name, but the server has a newer version of the file. When the print client connects to the print server, it finds a newer driver file and is prompted to update the drivers on the print client, but the file in the package it is offered for installation does not contain the newer file version.
The following Windows clients and server variants are affected by this behavior – that is, all Windows versions that are still supported.
- Client: Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 2004; Windows 10, version 1909; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2022; Windows Server, version 20H2; Windows Server, version 2004; Windows Server, version 1909; Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2.
Microsoft's "workaround" is to make sure the latest drivers are used for all printing devices. Also, if possible, the same version of the printer driver should be used on the print client and the print server. So, this problem should be solved externally by the administrator by adjusting the printer drivers in the environment. If updating the drivers does not solve the problem, you should contact the support of your printer manufacturer (OEM) (see also the FAQ in KB5005652).
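To check where client and server drivers diverge, the following added example (not from Microsoft or the original post) compares the printer drivers installed on a print client with those on its print server and lists mismatches first. The server name `PRINTSRV01` is a placeholder, and the helper function name is hypothetical; run it on the client with rights to query the server's spooler.

```powershell
# Added example: compare printer driver versions on this client with a print server.
# Assumption: 'PRINTSRV01' is a placeholder; replace it with your print server's name.
$PrintServer = 'PRINTSRV01'

function ConvertTo-DriverVersionString {
    param([UInt64]$Packed)
    # DriverVersion is a packed 64-bit value: four 16-bit fields,
    # read from the high word down as major.minor.build.revision.
    $parts = foreach ($shift in 48, 32, 16, 0) {
        ($Packed -shr $shift) -band [UInt64]0xFFFF
    }
    $parts -join '.'
}

# Drivers installed locally and on the print server
$clientDrivers = Get-PrinterDriver
$serverDrivers = Get-PrinterDriver -ComputerName $PrintServer

# Index the server's drivers by name and architecture for lookup
$serverByKey = @{}
foreach ($d in $serverDrivers) {
    $serverByKey["$($d.Name)|$($d.PrinterEnvironment)"] = $d
}

# Report every driver present on both sides, flagging version differences
$report = foreach ($d in $clientDrivers) {
    $key = "$($d.Name)|$($d.PrinterEnvironment)"
    if (-not $serverByKey.ContainsKey($key)) { continue }
    $s = $serverByKey[$key]
    [pscustomobject]@{
        Driver        = $d.Name
        Environment   = $d.PrinterEnvironment
        ClientVersion = ConvertTo-DriverVersionString $d.DriverVersion
        ServerVersion = ConvertTo-DriverVersionString $s.DriverVersion
        Match         = ($d.DriverVersion -eq $s.DriverVersion)
    }
}

# Mismatches (Match = False) sort to the top
$report | Sort-Object Match, Driver | Format-Table -AutoSize
```

Drivers listed with `Match` set to `False` are the candidates for the version alignment described in the workaround.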
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
Patchday: Windows 10-Updates (July 13, 2021)
Patchday: Windows 8.1/Server 2012-Updates (July 13, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (July 13, 2021)
Windows vulnerability PrintNightmare: It's not over yet (July 15, 2021)
Microsoft Defender for Identity can detect PrintNightmare attacks
PrintNightmare: Point-and-Print allows installation of arbitrary files
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
Windows PrintNightmare, next round with CVE-2021-36958
Ransomware gang uses PrintNightmare to attack Windows servers
Vice Society: 2. Ransomware gang uses Windows PrintNightmare vulnerability for attacks
Microsoft shows a "slim foot" with PrintNightmare
Windows: PrintNightmare wrap-up and status (August 28, 2021)
Patchday Sept. 2021 Review: New PrintNightmare fix, new issues, new desaster?