ZeroDay PrintNightmare vulnerability found

[StDragon]

Just now, Oshino Shinobu said:

Do you have an ESU license? If not you won't be able to apply it on 2008, 2008 R2 or W7

Good point. That's probably what it is. Though the server does support SHA2 signing. I would think prereqs would be checked by the MSU file before attempting to install. 

[Oshino Shinobu]

2 minutes ago, StDragon said:

Good point. That's probably what it is. Though the server does support SHA2 signing. I would think prereqs would be checked by the MSU file before attempting to install. 

Haha, you'd think wouldn't you? For some reason it applies and looks fine but then rolls back without a valid ESU or the most recent ESU update applied. Makes it a royal pain updating 100+ 2008 / R2 servers remotely as you have to go and actually make sure they installed the damn things.

[Oshino Shinobu]

Update for 2012 non R2's been published now. 

KB5004956 (Monthly Rollup)
KB5004960 (Security Only)

 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

[Mark Kaine]

36 minutes ago, Oshino Shinobu said:

Update for 2012 non R2's been published now. 

KB5004956 (Monthly Rollup)
KB5004960 (Security Only)

 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Just a question to see if i understand  how these patches work…

So? Theres an update for my version, 1809* , but would it actually  let me install that, or not?

Would be cool, it says it gets rid of flash too, i dont need it, i never liked it…

 

*actually, its not "exactly" my version… the last numbers are different 

[Oshino Shinobu]

1 minute ago, Mark Kaine said:

Just a question to see if i understand  how these patches work…

So? Theres an update for my version 1809 , but would it actually  let me install that, or not?

Would be cool, it says it gets rid of flash too, i dont need it, i never liked it…

 

 

Yes, it will let you install it. Just check for updates via WIndows Update and it will pull it and install it. 

[StDragon]

47 minutes ago, Oshino Shinobu said:

Update for 2012 non R2's been published now. 

KB5004956 (Monthly Rollup)
KB5004960 (Security Only)

 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

As well as 2016 now too.

[DexterSmythe]

Looks like the Windows 11 Dev Channel is still waiting on a patch. Hopefully one rolls out soon.

[Oshino Shinobu]

19 minutes ago, DexterSmythe said:

Looks like the Windows 11 Dev Channel is still waiting on a patch. Hopefully one rolls out soon.

Honestly wouldn't be surprised if the 21H1 W10 update would work on W11. 

 

That said, the updates don't actually fix the issue, it just makes it less likely to be exploited. It changes it so non-admins can only install trusted signed drivers, while an administrator account can still exploit the vulnerability, though really as it requires authentication, I'd say you have bigger problems if you have a compromised administrator account. 

 

In server environments, the best course of action is to disable the print spooler on any server that doesn't need it, which is basically everything but print servers and domain controllers, as well as RDS servers that publish apps that need printing.

 

EDIT: Added @leadeater's addition.

[leadeater]

1 minute ago, Oshino Shinobu said:

In server environments, the best course of action is to disable the print spooler on any server that doesn't need it, which is basically everything but print servers and domain controllers. 

Chuck in RDS servers that publish apps that need printing too

[hishnash]

One of the scary aspects of this is in corporate environments were there is a shared printing/scanner photocopyier stations it is not uncommon for these scanners to somehow be able to `scan to the users desktop` (this means that if the server that controllers this unit is compromised it is also able to write data to any users hard-drive on the corporate network.. A company I used to work for got hacked in this way were a intruder exploited the photocopier to then add payload that spread to a users machine leading to IP theft).

[StDragon]

6 minutes ago, hishnash said:

One of the scary aspects of this is in corporate environments were there is a shared printing/scanner photocopyier stations it is not uncommon for these scanners to somehow be able to `scan to the users desktop` (this means that if the server that controllers this unit is compromised it is also able to write data to any users hard-drive on the corporate network.. A company I used to work for got hacked in this way were a intruder exploited the photocopier to then add payload that spread to a users machine leading to IP theft).

The driver on the desktop had to allow that via API from the MFP to the PC. Anyways, it's more hassle than it's worth. Just program the MFP to scan to a specific folder or set of folders (SMB share on server or NAS) based on scan profiles on the MFP console, or program the address book to scan to email via SMTP over TLS 1.2 or higher.

 

Oh, and change the default password on the MFP. Surprisingly this is rarely done within small organizations.

Edited July 7, 2021 by StDragon

[leadeater]

41 minutes ago, StDragon said:

Oh, and change the default password on the MFP. Surprisingly this is rarely done within small organizations.

haha so true, I know for almost any business I walk in to I could gain admin access to the MFP as those are never changed.

 

42 minutes ago, StDragon said:

or program the address book to scan to email via SMTP over TLS 1.2 or higher.

For general user document scanning to file I much prefer this method. For more dedicated applications like bulk record digitization then scan to SMB makes sense, or similar specific things.

[IWolfieI]

Well seems it's still possible to exploit even after the patch.
https://arstechnica.com/gadgets/2021/07/microsofts-emergency-patch-fails-to-fix-critical-printnightmare-vulnerability/

[Rauten]

1 hour ago, IWolfieI said:

Well seems it's still possible to exploit even after the patch.
https://arstechnica.com/gadgets/2021/07/microsofts-emergency-patch-fails-to-fix-critical-printnightmare-vulnerability/

According to the security folks at my company, this is related to the patch MS released on Tuesday, but there's a newer one they released yesterday.

Kinda feels like an arms race...

[Sir Asvald]

The Exchange nonsense and now this, great more stuff I need to work on. Thanks a lot MicroShit.

[StDragon]

Per Microsoft.

"In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.):

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
• NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
• NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design."

[Jtalk4456]

On 7/2/2021 at 2:43 PM, Mark Kaine said:

Whats "AD"? Should i worry about this? I never print anything on my pc…

I didn't see anyone answer this for you, if I missed it, just ignore this. 
AD is Active Directory. For a quick google definition:
Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done. The database (or directory) contains critical information about your environment, including what users and computers there are and who's allowed to do what.

for a helpful visual

Spoiler

 

 

 

 

[Mark Kaine]

1 hour ago, Jtalk4456 said:

I didn't see anyone answer this for you, if I missed it, just ignore this. 
AD is Active Directory. For a quick google definition:
Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done. The database (or directory) contains critical information about your environment, including what users and computers there are and who's allowed to do what.

for a helpful visual

  Hide contents

 

 

 

 

 

 

 

They told me what it stands for, but not what it is, so thanks.

 

Should be a printer in the middle in the last schematic, who controls it all!?

[Jtalk4456]

3 minutes ago, Mark Kaine said:

They told me what it stands for, but not what it is, so thanks.

 

Should be a printer in the middle in the last schematic, who controls it all!?

yeah it's from google, printer wouldn't be controlling, rather a resource to be managed, not sure why they put the printer in the middle

[StDragon]

21 minutes ago, Mark Kaine said:

They told me what it stands for, but not what it is, so thanks.

 

Should be a printer in the middle in the last schematic, who controls it all!?

Active Directory is used within a Windows Domain Controller server; the two are interchangeable when talking about either one of them.

 

Anyways. You can have multiple Windows Servers within a network. Best-practice is that you have a separate Windows File Server that might double as hosting shared printers as well. But sometimes in much smaller networks, you have a Windows Server that's doing all three; hosting AD, Files, and sharing printers.

 

The bad part if your Domain Controller (Windows Server) is sharing out a printer and remains unpatched, a hacker could effectively take over the entire Domain Controller, and by extension, take over the entire network's member servers too as they're subordinate from a security membership perspective. That's why it's *critical* that AD/DC servers are patched ASAP!

 

[Mark Kaine]

11 minutes ago, Jtalk4456 said:

yeah it's from google, printer wouldn't be controlling, rather a resource to be managed, not sure why they put the printer in the middle

It was a joke, because as we learned, the printer is often the weakest point in the chain

 

(which is kinda weird because something like a printer shouldnt be able to get access/control to sensitive data, should only go in the opposite direction, but if things were designed smarter, we wouldn't have all these hacks and leaks I guess) 

 

 

[Radium_Angel]

Too many Zebra printers affected.

Guess which gov't agency relies on Zebra printers?

 

Yeah...mine.

[Forbidden Wafer]

Question: what happened with virtualization based security, TPM, disk encryption and all other nonsense Microsoft said would protect everyone? Assuming this is wreaking havoc exactly on businesses that have all that stuff enabled.

[StDragon]

1 hour ago, Forbidden Wafer said:

Question: what happened with virtualization based security, TPM, disk encryption and all other nonsense Microsoft said would protect everyone? Assuming this is wreaking havoc exactly on businesses that have all that stuff enabled.

I'm not sure VBS would have prevented this. It really depends on how the code is exploited.

 

Secondly, VBS requires Windows 10, Server 2016, and Server 2019 along with a CPU that supports Intel's MBEC or AMD's GMET instruction set for recommended performance.

TPM and BitLocker (drive encryption) wouldn't have helped as that technology isn't applicable to this specific issue at hand.

[StDragon]

@Forbidden Wafer

If you want to learn more of the underlaying hardware technologies being used to harden the security of the OS, see the links below.

 

• System Management Mode (SMM)
• Intel Hardware Shield (additional white papers in the link)
• AMD PRO Security (white paper in link)

For Windows 10, enabling these features is optional. Windows 11 will make many of them mandatory; hence the need 8th gen Intel (maybe 7th gen) and Zen+ CPUs to meet the requirements.

Windows 11 isn't about performance. It's about raising the bar in minimum HW security being required.