ZeroDay PrintNightmare vulnerability found

Mark Kaine

 

Summary

Microsoft shares mitigations for the Windows PrintNightmare zero-day bug. I'm not sure if this affects all users, but it sounds like it. No security patch is available yet, but there is a "mitigation".

Quotes

Quote

 

Microsoft has provided mitigation guidance to block attacks on systems vulnerable to exploits targeting the Windows Print Spooler zero-day vulnerability known as PrintNightmare.

This remote code execution (RCE) bug—now tracked as CVE-2021-34527—impacts all versions of Windows per Microsoft, with the company still investigating if the vulnerability is exploitable on all of them.

 

My thoughts

Since I'm not sure this affects all users, I don't know if everyone shouldn't turn off this spooler service now?

 

Quote

Until Microsoft releases PrintNightmare security updates, implementing the mitigations listed above is the easiest way to ensure that threat actors—and ransomware groups in particular—will not jump at the occasion to breach your network.

 

Sources

 https://www.bleepingcomputer.com/news/security/microsoft-shares-mitigations-for-windows-printnightmare-zero-day-bug/

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 

---

4 minutes ago, Murasaki said:

I'll never understand why this service is always running out of the box. If I don't have a printer installed, just don't run it Bigbrainsoft.

True… same with "remote assistance" …

But how do I turn it off… can't see it in Group Policy… can't I just disable the service? 🤔

---

7 minutes ago, Murasaki said:

I'll never understand why this service is always running out of the box. If I don't have a printer installed, just don't run it Bigbrainsoft.

And this isn't even anything new. It's been some 10 or even 15 years since malware was using PrintSpooler to spread itself. And yet the damn thing is still enabled and running by default, even though my systems haven't seen printers in some 15 years.

---

2 minutes ago, RejZoR said:

And this isn't even anything new. It's been some 10 or even 15 years when malware was using PrintSpooler to spread itself. And yet the damn thing is still enabled and running by default even though my systems haven't seen printers in some 15 years.

Yeah, I've seen it way back since XP; even when I was still new to computers I just went, why is a printer service running when I don't have a printer? Just Microsoft things.

5 minutes ago, Mark Kaine said:

True… same with "remote assistance" …

But how do I turn it off… can't see it in Group Policy… can't I just disable the service? 🤔

You probably can? Dunno if that's gonna cause any problems and/or whether Windows will not like it and eventually enable it back. The spooler one can definitely get dunked.

---

6 minutes ago, Murasaki said:

Yeah I've seen it way back since XP; even when I was still new to computers I just went why is a printer service running when I don't got a printer? Just Microsoft things.

There are common things that still use the print spooler like "printing" to PDF just goes through it to a virtual printer.

F@H
Desktop: i9-13900K, ASUS Z790-E, 64GB DDR5-6000 CL36, RTX3080, 2TB MP600 Pro XT, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Antec Vortex 360 AIO, Thermaltake Versa H25 TG, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2

---

14 minutes ago, Mark Kaine said:

But how do I turn it off… can't see it in Group Policy… can't I just disable the service? 🤔

The source website includes instructions:

Quote

Mitigation measures available

While it hasn't released security updates to address this flaw, Microsoft provides mitigation measures to block attackers from taking over vulnerable systems.

The available options include disabling the Print Spooler service to remove printing capability locally and remotely, or disabling inbound remote printing through Group Policy to remove remote attack vector by blocking inbound remote printing operations.

In the second case, Microsoft says that "the system will no longer function as a print server, but local printing to a directly attached device will still be possible."

To mitigate the vulnerability, you have to go through one of the following two procedures:


Option 1 - Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:


Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Option 2 - Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows: Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

 

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*

---
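Both options from the quoted guidance as one PowerShell script. This is an added example, not code from the article, the thread or Microsoft. It applies Option 1 or Option 2 from an elevated prompt and prints the spooler state before and after, so you can see whether the host actually shares printers before you cut them off. The registry value it writes for Option 2 (RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, 2 = disabled) is the value the "Allow Print Spooler to accept client connections" policy sets; that mapping, and PowerShell 5.1 with the PrintManagement module present, are assumptions of the example.

```powershell
<#
Added example (not code from the thread, the BleepingComputer article or Microsoft):
applies one of the two CVE-2021-34527 mitigations quoted above and shows the spooler
state before and after. Run from an elevated PowerShell 5.1 prompt.
Assumption: the "Allow Print Spooler to accept client connections" policy is backed by
the DWORD RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers.
#>
[CmdletBinding()]
param(
    # DisableService = Option 1 (no printing at all, including print-to-PDF).
    # BlockRemote    = Option 2 (local printing keeps working, inbound connections refused).
    [ValidateSet('DisableService', 'BlockRemote')]
    [string]$Mode = 'BlockRemote'
)

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyValue = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerPosture {
    $svc    = Get-Service -Name Spooler
    # Get-Printer fails when the spooler is stopped; treat that as "no shared printers".
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    $rpc    = (Get-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue).$policyValue
    if ($null -eq $rpc)  { $remote = 'not configured (remote connections allowed)' }
    elseif ($rpc -eq 2)  { $remote = 'policy disabled (remote connections refused)' }
    else                 { $remote = "policy value $rpc" }
    [pscustomobject]@{
        Status         = $svc.Status
        StartType      = $svc.StartType
        SharedPrinters = $shared.Count
        RemoteClients  = $remote
    }
}

'Before:'; Get-SpoolerPosture | Format-List

switch ($Mode) {
    'DisableService' {
        # Option 1 exactly as quoted above: stop the service and keep it from starting.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    'BlockRemote' {
        # Option 2: same effect as disabling the Group Policy setting, without gpedit.
        if ((Get-SpoolerPosture).SharedPrinters -gt 0) {
            Write-Warning 'This host shares printers; clients will lose access to them.'
        }
        New-Item -Path $policyKey -Force | Out-Null
        New-ItemProperty -Path $policyKey -Name $policyValue -Value 2 -PropertyType DWord -Force | Out-Null
        # The spooler reads the policy at start-up, so restart it for the change to apply.
        if ((Get-Service -Name Spooler).Status -eq 'Running') {
            Restart-Service -Name Spooler -Force
        }
    }
}

'After:'; Get-SpoolerPosture | Format-List
```

Save it as Mitigate-Spooler.ps1 and run `.\Mitigate-Spooler.ps1 -Mode BlockRemote` (or `-Mode DisableService`) from an elevated prompt. On a Home edition without the Group Policy editor the BlockRemote path gives the same result the quoted guidance describes: the machine stops accepting inbound print connections while printing to a locally attached or virtual printer keeps working. Check the "After:" output: Status should be Stopped with StartType Disabled for Option 1, or Running with RemoteClients reporting "policy disabled" for Option 2.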

6 minutes ago, Kilrah said:

There are common things that still use the print spooler like "printing" to PDF just goes through it to a virtual printer.

Yep, the print spooler isn't just for physical printers printing paper.

 

Side note for people that need to know: the print spooler service on domain controllers is used to clean up published printers in AD, so if you disable it, like you should have for this already, you either need to carry this task out manually or enable it again when there is a fix.

---

5 minutes ago, Kilrah said:

There are common things that still use the print spooler like "printing" to PDF just goes through it to a virtual printer.

Well, that's neat; at least I'll never run out of virtual magenta.

---

14 minutes ago, Sauron said:

The source website includes instructions:

Yeah, I read that, but I can't find

“Allow Print Spooler to accept client connections:” in Group Policy…

and the other "solution" requires PowerShell; I can use Command Prompt… PowerShell is too complicated.

 

Why not just disable the service? That's so much simpler… I did that now, but not sure if that will do it.

 

 

13 minutes ago, leadeater said:

the print spooler service on domain controllers is used to clean up published printers in AD

What's "AD"? Should I worry about this? I never print anything on my PC…

---

2 minutes ago, Mark Kaine said:

Yeah, I read that, but I can't find

“Allow Print Spooler to accept client connections:” in Group Policy…

and the other "solution" requires PowerShell; I can use Command Prompt… PowerShell is too complicated.

 

Why not just disable the service? That's so much simpler… I did that now, but not sure if that will do it.

The PowerShell commands are just to disable and stop the service. Not sure how it's too complicated when they've given the exact commands to run. 

 

Computer Configuration > Policies > Administrative Templates > Printers

 

---

8 minutes ago, Mark Kaine said:

Yeah, I read that, but I can't find

“Allow Print Spooler to accept client connections:” in Group Policy…

and the other "solution" requires PowerShell; I can use Command Prompt… PowerShell is too complicated.

 

Why not just disable the service? That's so much simpler… I did that now, but not sure if that will do it.

 

 

What's "AD"? Should I worry about this? I never print anything on my PC…

Active Directory. If you don't know what it is, you most likely aren't using it or otherwise aren't the one in your company responsible for maintaining it. 

---

3 minutes ago, Oshino Shinobu said:

powershell commands

Never works for me… 

 

(plus disabling a service in "Services" is so much simpler)

 

4 minutes ago, Oshino Shinobu said:

Computer Configuration > Policies > Administrative Templates > Printers

I found that now; I looked in "Users" instead of "Computer"… so disabling that is all I need to do, right?

 

---

3 minutes ago, Mark Kaine said:

Never works for me… 

 

(plus disabling a service in "Services" is so much simpler)

 

I found that now; I looked in "Users" instead of "Computer"… so disabling that is all I need to do, right?

 

If you've already disabled the service, you don't need to do anything in GP. 

 

Is this for your home PC or are you in a domain environment? If it's your home PC, disabling the service is enough. Hell, I wouldn't even be worried about it much in a home environment as the exploit requires an authenticated user to run an RPC command. In most home cases you'll only have one or two users and if you don't trust them not to exploit system vulnerabilities, you've got bigger problems. 

 

In a domain with potentially thousands of users and potentially compromised accounts, this is a bigger issue. 

---

49 minutes ago, Oshino Shinobu said:

Is this for your home PC or are you in a domain environment? If it's your home PC, disabling the service is enough. Hell, I wouldn't even be worried about it much in a home environment as the exploit requires an authenticated user to run an RPC command

This is a home PC; that article didn't make it clear to me how this exploit works, and it sounded to me like it potentially affects everyone… 

And well, authentication can be faked, I guess (I also have to look up what RPC is; probably some remote thing).

 

Edit: yep, RPC is off, but not "Remote Assistance"… probably should turn that off too…

---

1 hour ago, leadeater said:

Side note for people that need to know the print spooler service on domain controllers is used to clean up published printers in AD so if you disable it, like you should have for this already, you either need to carry this task out manually or when there is a fix enable it again.

Good to know, I wasn't aware of that part.

I have no intention of removing shared printers from AD, but for now I'll just disable and stop the Spooler service on the Domain Controller (AD, Active Directory) until a patch is released.

 

F&#**# spooler service. I loathe it so much!!!

---

I operate a variety of printers of many different types so I have disabled the "Allow Print Spooler to accept client connections" for all my workstations as old as Windows 2000. Windows 10 Home edition needs to have the 'Group Policy Editor' added from an external source. A similar group policy editor is available for Win98 called 'Poledit' but has to be installed from the Win98 install CD because it is not installed by default. So that's all done. I am hopeful that is enough to prevent that kind of attack.

---

I have a hatred for domestic budget printers. 

PC - NZXT H510 Elite, Ryzen 5600, 16GB DDR3200 2x8GB, EVGA 3070 FTW3 Ultra, Asus VG278HQ 165hz,

 

Mac - 1.4ghz i5, 4GB DDR3 1600mhz, Intel HD 5000.  x2

 

Endlessly wishing for a BBQ in space.

---

22 hours ago, Murasaki said:

I'll never understand why this service is always running out of the box. If I don't have a printer installed, just don't run it Bigbrainsoft.

Even if no printer is connected to my PC, Windows will still give me the option to print.

And it will list all the printers that I have ever connected to my PC, so Windows is really dumb when it comes to handling printers.

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566
---

32 minutes ago, Vishera said:

Even if no printer is connected to my PC,Windows will still give me the option to print.

And it will list all the printers that i have ever connected to my PC,so Windows is really dumb when it comes to handling printers.

Well, you still need it for print-to-file functions, and also Windows just randomly forgetting printers because they are no longer attached, for any reason, is so much worse. It's on you to clean up your printers, while other people may actually want to know that their printer is Offline rather than just gone outright.

 

This behavior is no different on Mac OS or Linux, disconnecting printers isn't the same thing as removing it.

---

90% of the time when I print the printer I want to print to isn't currently available, it'll be once I turn it on or when I get back to the office. 

---

Security Updates are now available and listed by KB toward the bottom of the page in the link below. Alternatively, you should be able to just check for Windows Updates, install, and reboot to take effect.

CVE-2021-34527 - Security Update Guide - Microsoft - Windows Print Spooler Remote Code Execution Vulnerability

 

Note: Updates seem to not be published yet for Server 2012 (non-R2) and Server 2016. Hopefully this changes within the next 24 hours.

---
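A check to run once the updates mentioned above are on the box. This is an added example, not code from the thread or Microsoft: it confirms the KB is actually installed before anyone reverses the spooler mitigation (the domain controller point made earlier in the thread), and only restores the service if explicitly asked, for hosts that genuinely need print services. Which KB ID to pass is an assumption you fill in from the Security Update Guide page linked above, since the package differs per Windows build; KB5004951 is the Windows 7 / Server 2008 R2 one mentioned later in the thread. It assumes PowerShell 5.1 and the same RegisterSpoolerRemoteRpcEndPoint policy value used for Option 2 of the mitigation.

```powershell
<#
Added example (not from the thread or Microsoft): verify the CVE-2021-34527 update is
installed before undoing either spooler mitigation on a host that must print.
Run from an elevated PowerShell 5.1 prompt. The KB number is per Windows build;
pass the one for your build (assumption: taken from the Security Update Guide).
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string[]]$Kb,   # e.g. -Kb KB5004951 (Win7 / 2008 R2)
    [switch]$RestoreSpooler                  # only for hosts that really need printing
)

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyValue = 'RegisterSpoolerRemoteRpcEndPoint'   # assumption: value behind the GP setting

# Get-HotFix lists installed updates by KB; a missing ID simply yields nothing.
$installed = @(foreach ($id in $Kb) { Get-HotFix -Id $id -ErrorAction SilentlyContinue })
$build     = (Get-CimInstance -ClassName Win32_OperatingSystem).Version

if ($installed.Count -eq 0) {
    Write-Warning "None of $($Kb -join ', ') is installed on build $build; keep the spooler mitigation in place."
    return
}
$installed | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize

if (-not $RestoreSpooler) { return }

# Undo Option 2: drop the local policy value. If it came from a domain GPO, revert it
# in the GPO instead, otherwise Group Policy will simply write it back.
Remove-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue

# Undo Option 1: allow the service to start again. Restart-Service starts a stopped
# service and restarts a running one, so the policy change is picked up either way.
Set-Service     -Name Spooler -StartupType Automatic
Restart-Service -Name Spooler -Force
Get-Service     -Name Spooler | Select-Object Name, Status, StartType
```

Run `.\Check-SpoolerPatch.ps1 -Kb KB5004951` on its own first; it only reports. Add `-RestoreSpooler` once the update shows up in the table, and only on machines that need the spooler (a print server, a domain controller that publishes printers, or a workstation that prints to PDF). A host that never prints can leave the service disabled regardless of patch state, which is the cheapest way to stay out of the next spooler bug.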

55 minutes ago, StDragon said:

Security Updates are now available and listed by KB toward the bottom of the page in the link below. Alternatively, you should be able to just check for Windows Updates, install, and reboot to take effect.

CVE-2021-34527 - Security Update Guide - Microsoft - Windows Print Spooler Remote Code Execution Vulnerability

 

Note: Updates seem to not be published yet for Server 2012 (non-R2) and Server 2016. Hopefully this changes within the next 24 hours.

Lol, was just about to post this, got the CVE revision notice through email earlier. 

 

Seems odd for them to not have published one for 2012. Will probably come later I guess. 

---

1 minute ago, Oshino Shinobu said:

Lol, was just about to post this, got the CVE revision notice through email earlier. 

 

Seems odd for them to not have published one for 2012. Will probably come later I guess. 

I just attempted to manually install KB5004951 MSU file on Server 2008 R2, but it failed to commit changes and rolled back. 😩

Maybe that server is borked, I dunno. It needed to go a long time ago, but that's a very long story...but I digress.

---

2 minutes ago, StDragon said:

I just attempted to manually install KB5004951 MSU file on Server 2008 R2, but it failed to commit changes and rolled back. 😩

Maybe that server is borked, I dunno. It needed to go a long time ago, but that's a very long story...but I digress.

Do you have an ESU license? If not you won't be able to apply it on 2008, 2008 R2 or W7

 

EDIT: Or any security update since January 2020.
