Windows October 2021 Updates: PrintNightmare Status and Network Printing Issues

Windows[German]As of October 12, 2021, Microsoft has addressed new vulnerabilities in the environment of the security holes known as PrintNightmare via update. Therefore, a short look at the issue in question, which is still not off the table. In addition, it crystallizes that the October 2021 update for Windows will once again cause printing problems for network printers. There is a rough overview of this as well. Addition: Microsoft has just confirmed certain printing problems.


Advertising

Printing issues after October 2021 update

Windows updates from October 12, 2021 lead to new printing problems for some users. Update KB5006670 for Windows 10 version 2004 through 21H1 breaks the ability to print from a client to a Windows server. Blog reader Christian addressed it in this comment: Kb5006670 installed on clients causes inability to print from a server. On my German blog post Patchday: Windows 10-Updates (12. Oktober 2021) (here is the English version: Patchday: Windows 10-Updates (October 12, 2021)), there were also a number of other feedbacks about printing problems. German reader Liam addressed the issue in this comment:

Has anyone had problems with network printers installed on a server after the KB5006670 update? Printers could not be reinstalled because they were asked for credentials. Even with correct input no chance. Uninstalled the update and the connection worked immediately :)

The problem is confirmed by other readers. Blog reader Marco points out in this comment that according to his experience it currently only affects computers in workgroups without Actice Directory integration. He writes the following about it:

So far the only workaround is to uninstall the update completely or to replace the win32spl.dll in the System32 folder with an older one (for example with the September version 10.0.19041.1237. In the Bleeping Computer forum you can find a script to easily replace the DLL. You have to adjust the "icacls" line in the script for a German Windows and use "administrators" instead of "builtin\administrators".

Note, that the initial script has been updates, see the whole forum thread linked above

Maybe this helps someone – although the exchange of DLLs in enterprise environments is rather not so yellow of the egg. The registry entries listed in the blog post Windows PrintNightmare: Status, issues and workarounds (Sept. 22, 2021) don't seem to work this time. 

Microsoft confirms printing issues

Microsoft has just confirmed certain printing problems in the Windows status area in various Know-Issues sections. The article Custom printing properties might not be correctly provided to print server clients states: 

After installing KB5005611 on a print server, printing properties defined on that server might not be correctly provided to clients. Note this issue is specific to print servers and does not impact standard network printing. This issue will not cause printing operations to fail, however, custom settings defined on the server – for example, duplex print settings – will not be applied automatically, and clients will print with default settings only.

This issue results from an improper building of the data file which contains the printer properties. Clients which receive this data file will not be able to use the file content and will instead proceed with default printing settings. Clients who have previously received the settings package prior to the installation of KB5005611 are unaffected. Servers which use default print settings and have no custom settings to provide to clients are unaffected.

Note: The printer connection methods described in this issue are not commonly used by devices designed for home use. The printing environments affected by this issue are more commonly found in enterprises and organizations.

Workaround: IT administrators with admin privileges can still install printer drivers on the client through other means, such as copying packaged drivers from a known good package location. Additionally, clients can still be modified manually to adopt desired printer settings.

The problem affects all Windows clients from Windows 7 SP1 to Windows 10 21H1, as well as the respective server pedants. The page also lists the error Installation of printers via Internet Printing Protocol (IPP) might not succeed.


Advertising

After installing KB5005565, installation of printers using Internet Printing Protocol (IPP) might not complete successfully. Devices which had connected to and installed the printer prior to the installation of KB5005565 are unaffected and print operations to that printer will succeed as usual.

This issue affects Windows 10 clients 21H1, 20H2, 2004, 1809, 1909, and Windows 11 21H2, and Windows Server 20H2, 2004, 1809, 1909, and 2022.

PrintNightmare fixes from October 2021

For cumulativen Update KB5006672 for Windows 10 Version 1809, Microsoft explicitly stated that a problem with deploying drivers for Internet printers was corrected (see also Patchday: Windows 10-Updates (October 12, 2021)). In the KB5006675 update for the RTM version of Windows 10, on the other hand, the group policy setting for Point-and-Print (RestrictDriverInstallationToAdministrators) was implemented for the first time. 

Addresses an issue that prevents an internet print server from properly packaging modified printer properties before sending the package to the client.

I also received an email from security vendor Tenable informing me that Microsoft has again closed a spoofing vulnerability CVE-2021-36970  with the Windows updates in Windows 7 to Windows 10 as well as the server counterparts as of October 2021.

The latest release includes a fix for CVE-2021-36970, a spoofing vulnerability in Microsoft's Windows Print Spooler. Researchers XueFeng Li and Zhiniang Peng of Sangfor discovered this vulnerability. They are also credited with the discovery of CVE-2021-1675, one of two vulnerabilities known as PrintNightmare. Although no details about the vulnerability have been disclosed yet, it is definitely something to keep an eye on as more and more Print Spooler-related vulnerabilities were patched over the summer. At the same time, ransomware groups started to include PrintNightmare in their affiliate playbook. We strongly recommend that organizations apply these patches as soon as possible. Microsoft also patched the CVE-2021-40449 vulnerability, a vulnerability in Win32k that allows elevation of privilege. According to reports, this vulnerability has already been exploited by attackers as a zero-day. It is not uncommon for zero-day vulnerabilities with elevated privileges to be patched on Patch Tuesday. These vulnerabilities are most valuable in post-compromise scenarios when an attacker has gained access to a target system by other means to execute code with elevated privileges.

This means that administrators have the choice between plague and cholera: either not being able to print or uninstalling the security updates from October 2021 again.

Similar article
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
Patchday: Windows 10-Updates (July 13, 2021)
Patchday: Windows 8.1/Server 2012-Updates (July 13, 2021)
Patchday: Updates für Windows 7/Server 2008 R2 (July 13, 2021)
Windows vulnerability PrintNightmare: It's not over yet (July 15, 2021)
Microsoft Defender for Identity can detect PrintNightmare attacks
PrintNightmare: Point-and-Print allows installation of arbitrary files
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
Windows PrintNightmare, next round with CVE-2021-36958
Ransomware gang uses PrintNightmare to attack Windows servers
Vice Society: 2. Ransomware gang uses Windows PrintNightmare vulnerability for attacks
Microsoft shows a "slim foot" with PrintNightmare
Windows: PrintNightmare wrap-up and status (August 28, 2021)
Patchday Sept. 2021 Review: New PrintNightmare fix, new issues, new desaster?
Windows PrintNightmare: Microsoft confirms printing problems after Sept. 2021 update
Windows September 2021 Update: Workaround for some printing issues
Windows PrintNightmare: Status, issues and workarounds (Sept. 22, 2021)
Tip: Windows PrintNightmare test tools for administrators

Patchday: Windows 10-Updates (October 12, 2021)
Patchday: Windows 8.1/Server 2012 Updates (October 12, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (October 12, 2021)


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in issue, Update, Windows and tagged , , , , . Bookmark the permalink.

9 Responses to Windows October 2021 Updates: PrintNightmare Status and Network Printing Issues

  1. Blu Scarab says:

    Simply uninstalling the update will only work temporarily. The update will be automatically reinstalled within the next several days. To prevent it from reinstalling, use the Microsoft Show/Hide Update Tool called wushowhide.diagcab after the KB5006670 update is fully uninstalled. It will list all the updates that are scheduled to be installed with checkmark boxes next to each item. Put a checkmark in the box for the KB5006670 and run it. After its done, that particular update will no longer be installed.

  2. Ian says:

    Alternatively, you can leave KB5006670 installed, an instead, overwrite the version of win32spl.dll installed by the update (v19041.1288 ) with the previous version ( v19041.1237). This will restore network printing.

    win32spl.dll is located in the System32 folder so you may may need to Take Ownership of that file in order to overwrite it. The previous version of the file can usually be found in a subfolder of C:\Windows\WinSxS. Failing that, you can get it from a PC not updated to KB5006670, and failing that, you could always roll back the update, grab the file and re-update.

    • guenni says:

      Ian, thanks for your hint. As a note for other reader:

      That has been mentioned already within my recent post Windows October 2021 Updates: PrintNightmare Status and Network Printing Issues, and I've postet there a link to the Bleeping Computer forum thread, where this has been discussed. But it's not a good idea – imho. First of all, they have had to update the script, because it was mandatory to exchange other files. Then I got two comments from German blog readers (one is a GPO crack, the other is a security guru) who expressed their concerns about this "hack". Overall I would not trust such a hack in ein enterprise network environment – and I don't know, what will happens, if the the next patch comes down the road.

    • Judt Judy says:

      This is a nice way around it but when you have a network of over 1,000 this is truly not ideal. Thanks again to microsoft for putting out yet another crap update. Back in the day they used to just pick on HP, now they are going after any printer on the network.

  3. Bachelor of Industrial Engineering Telkom University says:

    thanks for sharing, can I share this information?

  4. Advertising

  5. iT Don says:

    KB5006672 update for Server 2019 did NOT fix the issue.
    Share printers failed installing until the KB was uninstall.

  6. ChandraACS says:

    Just install Microsoft update for windows 10 – KB5007253 and restart your computer.. it will fix the issue. Link to download the update:
    https://www.catalog.update.microsoft.com/Search.aspx?q=KB5007253

Leave a Reply to Bachelor of Industrial Engineering Telkom University Cancel reply

Your email address will not be published. Required fields are marked *