[German]For patchday on September 14, 2021, Microsoft has released security updates for the supported Windows systems, which should also eliminate further PrintNightmare vulnerabilities. However, these updates cause problems so that network printers can no longer be controlled. In some cases, a simple workaround might help without having to uninstall the security update.
Advertising
PrintNightmare printing issues
Since early July 2021, vulnerabilities in the Windows print spooler have been public, allowing remote code execution (RCE) (see PoC for Windows print spooler vulnerability public, high RCE risk). An attacker could execute arbitrary code with SYSTEM privileges. This includes installing programs, viewing, modifying or deleting data, or creating new accounts with full user privileges.
As of patchday on September 14, 2021, there was another PrintNightmare fix, but it poses problems again. For example, printers on terminal servers or print servers can no longer print. I had already reported on the issue in the blog post Patchday Sept. 2021 Review: New PrintNightmare fix, new issues, new desaster?
Microsoft acknowledged the problems late last week and advises updating printer drivers to be able to print again. I addressed this issue in the blog post Windows PrintNightmare: Microsoft confirms printing problems after Sept. 2021 update. If updating the printer drivers doesn't help, users should go to the OEMs and request new drivers – easier said than done.
A workaround without uninstalling updates
As a consequence of the Microsoft recommendations, administrators are uninstalling the September 14, 2021 security updates to at least get the printers working. However, there is an approach that may also provide a (temporary) solution without uninstalling the update.
Background explanations
Security researcher Benjamin Delpy, who has been working intensively on the PrintNightmare issue for months, has posted a few tweets on Twitter that may shed some more light on the issue.
Advertising
The spoofing vulnerability CVE-2021-1678 has been known for quite some time (in January 2021 Microsoft published something about it, see also my blog post Details of Windows NTLM vulnerability CVE-2021-1678 published). As I now read out from Benjamin Delpy above tweet, this also affects printer RPC binding and authentication for the remote Winspool interface.
Microsoft has started to address this vulnerability via security updates in January 2021 and September 2021. To do so, a new registry entry was set that administrators could use to increase or decrease the RPC authentication level.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print
When the DWORD value RpcAuthnLevelPrivacyEnabled=1 is set, Windows encrypts RPC communication with network printers or print servers. However, this security measure was rolled out in two stages via security update: :
- Since January 12, 2021, there was a so-called deployment phase for this purpose, in which administrators set this registry value
- With the security update of September 14, 2021, the enforcement phase was initiated, i.e. RPC encryption is active by default
The details can be found in the Microsoft support article Managing deployment of Printer RPC binding changes for CVE-2021-1678 (KB4599464). This could explain the connection problems of clients with the Windows printer spooler in various scenarios. It is reported that printing is no longer possible after installing the September 2021 update.
This workaround could help
Instead of uninstalling the security update from September 14, 2021, users have come up with the idea of disabling the enforcement mode on the server.
If I interpret the above tweet correctly, disabling the relevant settings under:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\
on the server to allow printing again. There is the DWORD value:
RpcAuthnLevelPrivacyEnabled=0
and then restart the print spooler (see this reddit.com thread and in Bleeping Computer's forum). Maybe it will help someone. Also, note my advice in the blog post Patchday Sept. 2021 Review: New PrintNightmare fix, new issues, new desaster?, where I gave advice on the error 0x0000011b.
Similar article
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
Patchday: Windows 10-Updates (July 13, 2021)
Patchday: Windows 8.1/Server 2012-Updates (July 13, 2021)
Patchday: Updates für Windows 7/Server 2008 R2 (July 13, 2021)
Windows vulnerability PrintNightmare: It's not over yet (July 15, 2021)
Microsoft Defender for Identity can detect PrintNightmare attacks
PrintNightmare: Point-and-Print allows installation of arbitrary files
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
Windows PrintNightmare, next round with CVE-2021-36958
Ransomware gang uses PrintNightmare to attack Windows servers
Vice Society: 2. Ransomware gang uses Windows PrintNightmare vulnerability for attacks
Microsoft shows a "slim foot" with PrintNightmare
Windows: PrintNightmare wrap-up and status (August 28, 2021)
Patchday Sept. 2021 Review: New PrintNightmare fix, new issues, new desaster?
Windows PrintNightmare: Microsoft confirms printing problems after Sept. 2021 update
Patchday: Windows 10-Updates (September 14, 2021)
Patchday: Windows 8.1/Server 2012 Updates (September 14, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (September 14, 2021)
Advertising
RpcAuthnPrivacyLevelEnable 0 fixed it for me .
All printers connectable again and running in a network .
Many thanks !
Same here
RpcAuthnPrivacyLevelEnable 0 fixed it for me .
All printers connectable again and running in a network .
Many thanks !
Did you have to create the RpcAuthnPrivacyLevelEnable in registry?
We do not see this being created after installing the September Patches on Servers.
Readers told me, that they have to create that entry, because it wasn't there.
I create the key and restart the spooler. It work 1 time and after reloging got the same problem.. ):
I did not found that key, but I created it. Restarted the spooler and for the moment I am able to access shared printers from domain clients again. Thanks.