[German]Since the patchday of September 14, 2021, when further security updates to close the PrintNightmare vulnerabilities are delivered, there are massive problems with network printers in some environments. The background is that Microsoft implemented certain security measures in August and September 2021. This post reflects the status as of September 22, 2021 and summarizes solutions as well as workarounds to resolve printing issues from various posts here on the blog.
Advertising
Patchday and PrintNightmare printing issues
Since July 2021, various security updates have been released by Microsoft for Windows, which are supposed to close the vulnerabilities summarized under the name PrintNightmare. I had written about it in the various posts linked at the end of the article. Using the PrintNightmare vulnerabilities, an attacker could execute arbitrary code with SYSTEM privileges or retrieve information (information disclosure).
As of patchday on September 14, 2021, there was another PrintNightmare fix for the supported Windows versions – but it was not explicitly highlighted in the support posts. Subsequent blog posts list the Windows updates for September 2021.
Patchday: Windows 10-Updates (September 14, 2021)
Patchday: Windows 8.1/Server 2012 Updates (September 14, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (September 14, 2021)
After installing the security updates it happens in some system environments that printers are no longer available, do not print or that there are even crashes with the stop error 0x0000011b. Microsoft has meanwhile confirmed the problems in a separate article (see my article Windows PrintNightmare: Microsoft confirms printing problems after Sept. 2021 update). Affected administrators are left with several options to respond to printing issues.
Solution 1: Update driver
The solution to try was published by Microsoft in the post Administrator credentials required every time apps attempt to print. It states that after installing the September 2021 updates (or later update) for Windows, a Trust this printer security warning will be displayed. In addition, administrator privileges are required when an application attempts to print to a print server or a print client connects to a print server. The background is that a driver installation is then attempted.
Advertising
Microsoft explains this behavior by the fact that the printer driver on the client and the print server use the same file names, but different versions (on the server a newer version is installed). This leads to an attempt to update the printer driver on the client, but this requires administrator privileges.
I had addressed this in the blog post Windows PrintNightmare: Microsoft confirms printing problems after Sept. 2021 update. The steps to be taken by administrators to resolve the issue can be summarized as follows.
- Ensure that the latest printer drivers (preferably V4 drivers) are used on clients and servers (see also this German comment). In some cases, using universal printer drivers for the devices has fixed the problem.
- Most importantly, make sure that both client and server are using the same driver version. This is clear from the explanations above. Feedback on the blog indicates that the problems could be solved by having an administrator log into the print server and update the drivers.
If problems occur, you should also check if the September 2021 updates have already been distributed to all clients and servers and if the installation has also been completed successfully (see this German comment). Otherwise, you may be administering behind problems that may resolve themselves with a clean update status.
The above approach to driver updates may not be feasible everywhere. Possibly the OEM has stopped their development. Or the feature set of newer V4 printer drivers is causing problems – here on the blog a commenter pointed out this older Papercut post on the subject.
Workarounds, if solution 1 fails
If the solution outlined above does not work or is not feasible, fast action is of course required so that printing can resume. Instead of completely uninstalling the respective security update, the following workarounds may be the lesser evil.
#1: Allow printer installation without administrator privileges
With the August 2021 updates, Microsoft introduced a new security policy that limits driver installation to administrators for Point at Print printers. This is to prevent the inclusion of compromised remote network printers as part of the PrintNightmare vulnerability by normal users.
Unless the request for printer drivers to be reinstalled can be turned off, there is an option to disable this policy introduced with the August 2021 updates. Microsoft describes this in support article KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481). To do this, go to the registry key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
and set the DWORD value RestrictDriverInstallationToAdministrators=0. This enables driver installs on the local network on the client without administrator privileges. Within the blog post Windows: PrintNightmare wrap-up and status (August 28, 2021) I mentioned also the three group policies, that may be used.
Among other things, the network print servers that a user is allowed to use should be specified. Microsoft has also addressed this in support article KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481). Then the risk of PrintNightmare being exploited for attacks via this track seems manageable.
Important note: There is this tweet from Benjamin Delpy and this GitHub post from gentilkiwi. It is recommended, to set the group policy PackagePointAndPrintOnly=1. The details are discussed at GitHub. See also this US-CERT recommendation from August 2021 for further mitigations.
#2: Resolve print error 0x0000011b (rpcAuthnLevelPrivacyEnabled)
Some administrators experience the problem that print servers drops the stop error 0x0000011b when adding a printer. In this context, blog reader Markus K. has made the experience (see Windows September 2021 Update: Workaround for some printing issues) that a different patch level can work around the problem:
If you leave the print server on [the update] status August [2021] and patch only the client [to the September 2021 update status], adding a printer only works if you add the GPO: "Package Point and print – Approved servers" in addition to the Point and Print configuration.
The background to this, as far as I know so far, is that Microsoft has added the RPC binding of the printer to mitigate CVE-2021-1678 (spoofing vulnerability) via a registry entry in the branch:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print
as a security tightening. The patch was introduced in January 2021, but the DWORD value rpcAuthnLevelPrivacyEnabled=1 was only made mandatory with the September 2021 update (enforcement mode). This is described in more detail in the Microsoft support post Managing deployment of Printer RPC binding changes for CVE-2021-1678 (KB4599464).
I outlined the approach in the blog post Windows September 2021 Update: Workaround for some printing issues. Microsoft changed some settings, and that seems to be responsible for the 0x0000011b error in some environments. If you set the DWORD value rpcAuthnLevelPrivacyEnabled=0 and restart the print spooler, the stop error 0x0000011b disappears. The approach helps, as feedback from affected people shows. Blog reader Markus K. wrote:
we have now re-cooked the "workaround". Result Set "RpcAuthnLevelPrivacyEnabled" to 0 and printing works again, but according to MS you have the PrinterNightmare again. That means you are unpatched but can print again.
This measure removes the patch against the spoofing vulnerability CVE-2021-1678. Here, the consideration in terms of security applies. After all, Microsoft waited from January 2021 until September 2021 until the enforcement mode was made mandatory via patch. In the short term, it is certainly justifiable to carry out the measure temporarily in order to let the users print again.
However, note Microsoft's explanations in the support article KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481). There it is recommended to check that rpcAuthnLevelPrivacyEnabled is set to 1.
The above is a quick outline of the current situation to be able to print again. However, it is also clear that a permanent solution must be found afterwards in order to be able to undo the above workarounds. But maybe it will help anyway.
Similar article
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
Patchday: Windows 10-Updates (July 13, 2021)
Patchday: Windows 8.1/Server 2012-Updates (July 13, 2021)
Patchday: Updates für Windows 7/Server 2008 R2 (July 13, 2021)
Windows vulnerability PrintNightmare: It's not over yet (July 15, 2021)
Microsoft Defender for Identity can detect PrintNightmare attacks
PrintNightmare: Point-and-Print allows installation of arbitrary files
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
Windows PrintNightmare, next round with CVE-2021-36958
Ransomware gang uses PrintNightmare to attack Windows servers
Vice Society: 2. Ransomware gang uses Windows PrintNightmare vulnerability for attacks
Microsoft shows a "slim foot" with PrintNightmare
Windows: PrintNightmare wrap-up and status (August 28, 2021)
Patchday Sept. 2021 Review: New PrintNightmare fix, new issues, new desaster?
Windows PrintNightmare: Microsoft confirms printing problems after Sept. 2021 update
Windows September 2021 Update: Workaround for some printing issues
Patchday: Windows 10-Updates (September 14, 2021)
Patchday: Windows 8.1/Server 2012 Updates (September 14, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (September 14, 2021)
Advertising
the "RestrictDriverInstallationToAdministrators" reg key is implemented in the recent KB5005624 & KB5005625 preview updates for Win10 v1809 and v1909:
KB5005624 for Win10 v1909:
https://support.microsoft.com/help/5005624
KB5005625 for Win10 v1809 LTSC 2019:
https://support.microsoft.com/help/5005625