UPDATE – 7.8.2021 // Microsoft has released an emergency out-of-band patch for CVE-2021-34527. The update, however, is not a complete fix. Updates are not yet available for Windows 10 build 1607, Server 2012 (non-R2) and Server 2016. They are currently working on a patch for those versions and have not released details as to why they are different. This is an out-of-band emergency patch, meaning that it releases outside of the normal Microsoft patch cycle. Patches of this nature are meant to rapidly address only the most critical exploits, or at least the most critical aspects of them, and sometimes have unintended effects. This issue is serious enough to warrant installing first and dealing with the rare outlier that has a problem. To its credit, this update does address the most critical flaw, RCE. RCE stands for Remote Code Execution and, as the name suggests, it allows an attacker to execute arbitrary commands or code on a targeted machine or in a target process on a machine. This patch, however, does not address the Local Privilege Escalation component of the exploit. If an attacker gains access to your computer via TeamViewer or GoToAssist you are still at risk. Microsoft recommends patching immediately, and where patching is not possible, implementing one of the workarounds we mentioned previously:
Stop and disable the print spooler service in PowerShell:
- `Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled`
Disable inbound remote printing through GPO:
- Select the Disable radio button for “Allow Print Spooler to accept client connections” and reboot systems.
Block RPC connections in your Firewall:
- RPC Endpoint Mapper: TCP/135; SMB: TCP/139 and TCP/445
Harden Point and Print via Registry Edit:
- NoWarningNoElevationOnInstall = 0
- NoWarningNoElevationOnUpdate = 0
As previously noted, these workarounds will impact your ability to use printing services and blocking ports may prevent other server functions from behaving normally. Patching is your best choice, but if you are on a platform that does not have a patch issued yet the workarounds will still get the job done. Microsoft is no doubt working feverishly to develop a permanent fix and we will update here once again when it is released. Stay safe out there.
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
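The following audit script is an added example, not part of the original post: it checks a single host against the four workarounds listed above (and Options 1 to 3 further down) and reports which are in place. It assumes an elevated PowerShell session; the registry paths and the RegisterSpoolerRemoteRpcEndPoint and UpdatePromptSettings value names are the ones Microsoft uses for these policies, and the firewall check only looks at the local Windows Defender Firewall, not a perimeter firewall.

```powershell
# Added example, not from the original post: audit the local host for the four
# PrintNightmare workarounds. Run from an elevated PowerShell session.
$pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-RegDword([string]$Path, [string]$Name) {
    # $null when the key or value is absent (absent is Microsoft's default, i.e. safe)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function New-Check([string]$Check, $State, [bool]$Pass) {
    [pscustomobject]@{ Check = $Check; State = $State; Pass = $Pass }
}

$results = @()

# 1. Spooler service stopped and disabled
$svc = Get-Service -Name Spooler
$results += New-Check 'Spooler stopped and disabled' "$($svc.Status)/$($svc.StartType)" `
    ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')

# 2. "Allow Print Spooler to accept client connections" policy; 2 = Disabled
$rpc = Get-RegDword $pol 'RegisterSpoolerRemoteRpcEndPoint'
$results += New-Check 'Inbound remote printing disabled by policy' `
    $(if ($null -eq $rpc) { 'not configured' } else { $rpc }) ($rpc -eq 2)

# 3. Point and Print hardening: both values must be 0 or not defined.
#    UpdatePromptSettings is the value name for the update-time prompt under this key.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = Get-RegDword $pp $name
    $results += New-Check "PointAndPrint\$name is 0 or not defined" `
        $(if ($null -eq $v) { 'not defined' } else { $v }) ($null -eq $v -or $v -eq 0)
}

# 4. Host firewall: enabled inbound Allow rules for TCP 135 (RPC-EPMap), 139 or 445
$ports = 135, 139, 445, 'RPC-EPMap'
$open = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { ($_.LocalPort | ForEach-Object { $_ -in $ports }) -contains $true } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$results += New-Check 'No enabled inbound Allow rules for TCP 135/139/445' `
    "$(@($open).Count) rule(s)" (@($open).Count -eq 0)

$results | Format-Table -AutoSize
# Exit 1 if any check failed, so the script can be scheduled from RMM or monitoring
$failed = @($results | Where-Object { -not $_.Pass }).Count
exit ([int]($failed -gt 0))
```

A passing Spooler check means the host cannot print at all, so a failed check on a machine that must print is a decision, not necessarily an error.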
PrintNightmare aka CVE-2021-34527 (Common Vulnerabilities and Exposures) is a vulnerability in the Print Spooler of all versions of Windows. This vulnerability is the result of Microsoft trying to resolve another CVE involving the Windows Print Spooler service (CVE-2021-1675). The original 1675 vulnerability has a severity rating of 7.8 – High per NIST.gov, but the new vulnerability has yet to be rated.
In June there was a Windows Update released which addresses the 1675 vulnerability; however, the patch did not fix the issue for Active Directory Domain Controllers or Computers that use Point and Print with a specific but very common option set called NoWarningNoElevationOnInstall.
This vulnerability allows an attacker to elevate their security rights to the level of SYSTEM, providing access to the entire domain. There is no fix from Microsoft for this issue yet, but the short answer is simple: “Disable printing.” We also know that is not a realistic response. There are “workarounds,” but currently they are akin to amputating your head to resolve a poisonous snakebite you just got on your hand. Disabling the print spooler service can cause all sorts of issues with line-of-business (LOB) applications like Sage, among others that depend on it running, so these options may be a workaround in name only for many people. Unfortunately, they are not a practical answer to the problem, and only you can determine if you can live without printing until a fix is released.
What Can I Do?
Option 1 – You can stop and disable the print spooler on Domain Controllers and Computers with Point and Print enabled.
This will mitigate the attack vector on those machines; however, in doing so it will also prevent the server from accepting any legitimate connections for printers should they be installed there. It will also prevent printing locally from the machine. Most people do not use their Domain Controllers as Print Servers, per best practice, but this is still a legitimate concern. There are also concerns with regard to Active Directory handling some printer pruning operations if you disable the service.
Option 2 – Disabling inbound remote printing through Group Policy.
By implementing this Group Policy option through Active Directory, the systems the policy applies to will no longer function as a print server but printing to a locally attached printer will still be possible.
Option 3 – Block ports in your Firewall
You can block TCP ports 445 and 135 inbound in your firewall, but chances are that your firewall is already configured to do that. By default, firewalls generally treat all connections from outside your networks as hostile and block them unless rules have been added to allow the traffic.
Oh, the reality!
None of these are great options if you need to print over a network, but they will stop the attack vector. Until Microsoft releases a patch, workarounds are all we have for dealing with this issue. We will update you here as new information becomes available regarding this CVE, and once a solution and update are released, we will push the update to all our SafetyNet customers. Stay safe out there.
Links for a more technical look at PrintNightmare: