PrintNightmare IV – The SYSTEM Master

In 1988 Wes Craven’s “Nightmare on Elm Street 4 – The Dream Master” was released. It was the same year Microsoft released Windows 2.1. I’m betting even Wes Craven couldn’t have imagined a scenario quite like PrintNightmare. Microsoft has tried to fix PrintNightmare 3 different times and they are going on their 4th. I’m going to give you some bad news and some worse news. First, if you haven’t heard, PrintNightmare is a vulnerability where non-administrative users can add their own printer and print driver. That may not sound like a problem; the bad news is that Windows lets the installation of these print drivers run as “SYSTEM” (SYSTEM has a higher privilege level than some administrators). If a malicious actor packaged their own malware as a print driver, they could gain access to an organization in a matter of seconds. The worse news is that it affects all Windows machines. Yup. If you are running Windows and use the print spooler to connect to a network printer, you are likely vulnerable to this attack. Before any IT or InfoSec professionals panic, there are a few fixes you can implement now that help against PrintNightmare.

First, you will need to run the latest updates on workstations and servers. Verify that the KB5003671, KB5003681, KB5004958 and KB5004954 patches are installed on workstations; for servers it really depends on the version, so follow Microsoft’s KB updates for your particular server (CVE-2021-34527 – Security Update Guide – Microsoft – Windows Print Spooler Remote Code Execution Vulnerability). This is important because the updates apply fixes that make the remote privilege escalation harder to take advantage of. This is still not enough to completely stop PrintNightmare; the updates only make print drivers more difficult to abuse. The other part of the July 8th “fix” is to apply the following registry settings to all workstations to prevent the local privilege escalation. They force users to be warned when print drivers are installed and when print drivers are updated:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
    • NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)
    • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

As of late last week it has been discovered that the fixes above do not resolve PrintNightmare completely. The newly found vulnerability is that a threat actor can gain administrative rights on a Windows computer through a remote server under the attacker’s control. Microsoft describes it as a “vendor-supplied” application server that can install files of any type associated with a printer. This is called the ‘Queue-Specific Files’ feature. The attack is set up with a print server that shares two printers reachable from the internet and pushes the queue-specific files to clients. If the attacker manipulates these files, they can be used against an organization that orders a specific vendor’s printers.

According to Bleeping Computer, Benjamin Delpy, and Will Dormann there are two options for fixing PrintNightmare:

  • Block all outbound SMB traffic at the network boundary – which has its own set of problems. Attackers can easily find workarounds, especially if someone has already taken over a local machine.
  • Configure PackagePointAndPrintServerList – The PackagePointAndPrintServerList is a list of approved servers from which users are allowed to install printers with Point and Print. This is the better option according to Delpy and Bleeping Computer: “This policy prevents non-administrative users from installing print drivers using Point and Print unless the print server is on the approved list. Using this group policy will provide the best protection against the known exploit.”

“Package Point and print – Approved servers

Restricts package point and print to approved servers.

This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the “Point and Print Restrictions” policy that governs the behavior of non-package point and print connections.

Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server.

If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers.

If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers.”

Package Point and print – Approved servers (admx.help)
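To check a workstation against the three mitigations discussed above (the patches, the PointAndPrint registry values and the Package Point and Print approved-server list), here is an audit script added as an example; it is not from the original post or from Microsoft, and it assumes an elevated PowerShell session on a Windows 10 or Windows Server 2016 or later host.

```powershell
# Added example (not from the original post): audit the PrintNightmare mitigations
# on the local machine. Run from an elevated PowerShell prompt.

# 1. Workstation patches named in the post. Server KBs differ, so check the
#    Microsoft Security Update Guide for your server version instead.
$requiredKbs = 'KB5003671', 'KB5003681', 'KB5004958', 'KB5004954'
$installed = (Get-HotFix).HotFixID
foreach ($kb in $requiredKbs) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    "Patch $kb : $state"
}

# 2. Point and Print values: secure when the value is absent or 0.
$papPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$papValues = 'NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate', 'UpdatePromptSettings'
foreach ($name in $papValues) {
    $v = (Get-ItemProperty -Path $papPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $v) {
        "PointAndPrint\$name : OK (not defined, default)"
    } elseif ($v -eq 0) {
        "PointAndPrint\$name : OK (0)"
    } else {
        "PointAndPrint\$name : WEAK (value $v, should be 0 or undefined)"
    }
}

# 3. Package Point and Print - Approved servers. The policy writes
#    PackagePointAndPrintServerList = 1 and lists the servers as values
#    under the ListofServers subkey.
$pppPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$enabled = (Get-ItemProperty -Path $pppPath -Name PackagePointAndPrintServerList `
            -ErrorAction SilentlyContinue).PackagePointAndPrintServerList
if ($enabled -eq 1) {
    $list = Get-ItemProperty -Path "$pppPath\ListofServers" -ErrorAction SilentlyContinue
    # Get-ItemProperty adds PS* metadata properties; everything else is a server name.
    $servers = @($list.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                 Select-Object -ExpandProperty Name)
    if ($servers.Count -eq 0) {
        "PackagePointAndPrintServerList : ENABLED but the approved list is EMPTY"
    } else {
        "PackagePointAndPrintServerList : ENABLED, approved servers: $($servers -join ', ')"
    }
} else {
    "PackagePointAndPrintServerList : NOT CONFIGURED (package point and print allowed from any server)"
}
```

Any line reporting MISSING, WEAK or NOT CONFIGURED is a host that still needs attention; the script reads the registry only and changes nothing.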

These last two options are the only way to ensure your computers and organization are protected from exploitation by the PrintNightmare vulnerabilities, unless Microsoft releases a new update to resolve the issue (I wouldn’t hold my breath).

These fixes may seem daunting, but they are also the best security measures to deny attackers easy access to your environment. In the end they simply amount to better security practices for your overall business information systems. Nonetheless, I have a feeling we will be dealing with this for some time.
