{"id":21402,"date":"2021-09-16T12:36:29","date_gmt":"2021-09-16T10:36:29","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=21402"},"modified":"2021-09-17T08:39:32","modified_gmt":"2021-09-17T06:39:32","slug":"patchday-nachlese-sept-2021-neuer-printnightmare-fix","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/09\/16\/patchday-nachlese-sept-2021-neuer-printnightmare-fix\/","title":{"rendered":"Patchday Sept. 2021 Review: New PrintNightmare fix, new issues, new desaster?"},"content":{"rendered":"

\"Windows\"[German<\/a>]For months, a number of vulnerabilities in the Windows Print Spooler service, which are summarized under the term PrintNightmare, have existed in all Windows versions. Microsoft has been trying to close the vulnerabilities completely since July 2021 to no avail. New problems occur after every patch. At patchday on September 14, 2021, there was another PrintNightmare fix, but it poses problems again. Here is a brief overview of the state – we can say: For some users it's a new desaster, because the printer won't work after update.<\/p>\n

<\/p>\n

The PrintNightmare vulnerability<\/h2>\n

\"\"In early July 2021, I first reported the vulnerability CVE-2021-1675 in the Windows Print Spooler in the blog post PoC for Windows print spooler vulnerability public, high RCE risk<\/a>. It is a remote code execution (RCE) vulnerability that could allow an attacker to execute arbitrary code with SYSTEM privileges. This includes installing programs, viewing, modifying or deleting data, or creating new accounts with full user privileges.<\/p>\n

Microsoft has been trying to fix the PrintNightmare vulnerability through updates since early July 2021 (see the list of links at the end of the article). However, these attempts have failed so far, and the PrintNightmare vulnerability has been patched incompletely. In addition, there are other problems after each update, e.g. printer drivers need administrator rights for installation. The list of links at the end of the article summarizes blog posts on the topic. At the end of August 2021, I had summarized the latest status in the blog post Windows: PrintNightmare wrap-up and status (August 28, 2021)<\/a>.<\/p>\n

September 2021 patches for PrintNightmare<\/h2>\n

As of September 14, 2021, Microsoft has also included the PrintNightmare vulnerability in its security updates for Windows, even though this was not explicitly mentioned in the support posts. However, I have received a security advisory from Microsoft regarding this.<\/p>\n

CVE-2021-1678<\/p>\n

– Windows Print Spooler Spoofing Vulnerability
\n– CVE-2021-1678<\/a> – Version 2.0
\n– Reason for Revision: CVE updated to announce that Microsoft is releasing the
\nSeptember 2021 security updates for all affected versions of Windows to address
\nthis vulnerability. Additionally, other information has been updated, including
\nthe following: 1) The CVE title and impact have been changed to better reflect
\nthe vulnerability. 2) FAQs have been added. 3) Acknowledgement has been updated.
\n– Originally posted: January 12, 2021
\n– Updated: September 14, 2021<\/p>\n

CVE-2021-36958<\/p>\n

– Windows Print Spooler Remote Code Execution Vulnerability
\n– CVE-2021-36958<\/a>\u00a0 – Version 2.0
\n– Reason for Revision: CVE updated to announce that Microsoft is releasing the
\nSeptember 2021 security updates for all affected versions of Windows to address
\nthis vulnerability. Additionally, other information has been updated, including the
\nfollowing: 1) Executive Summary has been updated 2) Workarounds have been removed as
\nthey are no longer applicable 3) FAQs have been updated to reflect the release of the
\nSeptember 2021 security updates.
\n– Originally posted: August 11, 2021
\n– Updated: September 14, 2021<\/p>\n

Microsoft has released new patches for the two vulnerabilities listed above as of September 14, 2021. The colleagues from Bleeping Computer have given an outline of the information in this article<\/a>. Benjamin Delpi confirms in this tweet<\/a> that the vulnerabilities used by his exploits no longer work.<\/p>\n

\"PrintNightmare<\/a><\/p>\n

Delpy told BleepingComputer that Microsoft disabled the CopyFiles feature by default. This could be the explanation why some printer drivers cause problems after the patch. However, there is now an undocumented group policy that administrators can use to re-enable the CopyFiles feature. To do this, the following must be entered in the Windows registry under the key:<\/p>\n

HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers<\/p>\n

a DWORD value CopyFilesPolicy must be added and set to 1, so that CopyFiles is enabled again. According to Delpy, this function can then still only be used with the Microsoft file C:\\Windows\\System32\\mscms.dll.<\/p>\n

Printing issues due to the patch<\/h2>\n

Similar to what happened back in August 2021 (see Windows: PrintNightmare wrap-up and status (August 28, 2021)<\/a>), the new updates also seem to cause printer issues again. German user Andreas reported within my German blog<\/a> about striking Notbook printers on Apple devices connected with a Windows Server 2019 PrintServer, which is confirmed by other readers. Blog reader Andreas Oberhof writes in this German comment<\/a> on theGerman\u00a0 article Patchday: Windows 10-Updates (14. September 2021<\/a>:<\/p>\n

Printer problem after September update. For shared printers, suddenly the drivers are missing on the clients (win 10, current FU).
\nPrinting is not possible. Remove printer is not possible. Adding printers is not possible. Interestingly, the problems do not exist on a terminal server in the same environment (also patched). Anyone have any ideas?<\/p><\/blockquote>\n

German blog reader Stefan confirms this problem<\/a> on a terminal server. Blog reader Thomas describes<\/a> an exotic problem that freezes the PC when debugging a printer driver – the whole thing is described here<\/a>. On mewe.com I received the following feedback on the patchday post:<\/p>\n

… the far bigger problem is: on our network, test users can now no longer connect printers and need administrative rights to do so. Right click under W10 at the print server under 2016 then wants to get drivers and bang<\/p><\/blockquote>\n

On Bleeping Computer's forum there is this thread<\/a> about printing problems with network printers after installing update KB5005565. And on reddit.com I noticed this thread<\/a> where users are also confirming printing issues due to the Sept 2021 updates. On reddit.com, this thread<\/a> confirms the problem with printers on Windows Server 2012 R2 – and this reddit.com<\/a> thread describes the same thing.<\/p>\n

Addendum:<\/strong> In the meantime, I have received a number of reports from people who can no longer print. This affects all kinds of printers, even Zebra label printers are among them. In July 2021, Microsoft even had to withdraw a patch via KIR (see\u00a0 Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR<\/a>).<\/p><\/blockquote>\n

What could help<\/h3>\n

In this comment<\/a> to the article Windows: PrintNightmare-Nachlese und Stand (27. August 2021)<\/a> Benjamin writes that he succeeded in getting the striking devices to work again with the hints collected in the article (set up V4 drivers on the PrintServer a second time). However, this is likely to fix the problems only in isolated cases.<\/p>\n

In the blog post I had also mentioned that you can reset the admin permissions for printer installation introduced by the August 2021 update via GPO. Microsoft has described this in support article KB5005652<\/a>.<\/p>\n

Similar article<\/strong>
\nPoC for Windows print spooler vulnerability public, high RCE risk<\/a>
\nWindows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns<\/a>
\n0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)<\/a>
\nOut-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)<\/a>
\nPrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)<\/a>
\nThe Chaos PrintNightmare Emergency Update (July 6\/7, 2021)<\/a>
\nWindows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR<\/a>
\nMicrosoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch<\/a>
\nPatchday: Windows 10-Updates (July 13, 2021)<\/a>
\nPatchday: Windows 8.1\/Server 2012-Updates (July 13, 2021)<\/a>
\nPatchday: Updates f\u00fcr Windows 7\/Server 2008 R2 (July 13, 2021)<\/a>
\nWindows vulnerability PrintNightmare: It's not over yet (July 15, 2021)<\/a>
\nMicrosoft Defender for Identity can detect PrintNightmare attacks<\/a>
\nPrintNightmare: Point-and-Print allows installation of arbitrary files<\/a>
\n0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)<\/a>
\nWindows PrintNightmare, next round with CVE-2021-36958<\/a>
\nRansomware gang uses PrintNightmare to attack Windows servers<\/a>
\nVice Society: 2. Ransomware gang uses Windows PrintNightmare vulnerability for attacks<\/a>
\nMicrosoft shows a \"slim foot\" with PrintNightmare<\/a>
\nWindows: PrintNightmare wrap-up and status (August 28, 2021)<\/a><\/p>\n

Patchday: Windows 10-Updates (September 14, 2021)<\/a>
\nPatchday: Windows 8.1\/Server 2012 Updates (September 14, 2021)<\/a>
\nPatchday: Updates for Windows 7\/Server 2008 R2 (September 14, 2021)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

[German]For months, a number of vulnerabilities in the Windows Print Spooler service, which are summarized under the term PrintNightmare, have existed in all Windows versions. Microsoft has been trying to close the vulnerabilities completely since July 2021 to no avail. … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,580,22,2],"tags":[2675,2674,2661,466,69,195,194],"class_list":["post-21402","post","type-post","status-publish","format-standard","hentry","category-issue","category-security","category-update","category-windows","tag-drucken","tag-patchday-9-2021","tag-printnightmare","tag-problem","tag-security","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/21402","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=21402"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/21402\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=21402"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=21402"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=21402"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}