Windows Print Spooler Remote Code Execution Vulnerability – 2021/Summer

Background

It is time to take a quick look at the recently disclosed security vulnerabilities that affect the Microsoft Print Spooler Service.


Vulnerabilities

  1. Windows Print Spooler Remote Code Execution Vulnerability
    CVE-2021-1675
    Vulnerability Type:- Privilege Escalation
    Released:- Jun 8, 2021
    Last updated:- Jul 2, 2021
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675
  2. Windows Print Spooler Remote Code Execution Vulnerability
    CVE-2021-34527
    Vulnerability Type:- Remote Code Execution
    Released:- Jul 1, 2021
    Last updated:- Jul 8, 2021
    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527


Exploit

Kaspersky

CVE-2021-34527

When using RPC protocols to add a new printer ( RpcAsyncAddPrinterDriver [MS-PAR] or RpcAddPrinterDriverEx [MS-RPRN]) a client has to provide multiple parameters to the Print Spooler service:

  1. pDataFile – a path to a data file for this printer
  2. pConfigFile – a path to a configuration file for this printer
  3. pDriverPath – a path to a driver file that’s used by this printer while it’s working

The service makes several checks to ensure pDataFile and pDriverPath are not UNC paths, but there is no corresponding check for pConfigFile, meaning the service will copy the configuration DLL to the folder %SYSTEMROOT%\system32\spool\drivers\x64\3 (on x64 versions of the OS).

Now, if the Windows Print Spooler service tries to add a printer again, but this time sets pDataFile to the copied DLL path (from the previous step), the print service will load this DLL because its path is not a UNC path, and the check will be successfully passed. These methods can be used by a low-privileged account, and the DLL is loaded by the NT AUTHORITY\SYSTEM group process.


CVE-2021-1675

The local version of PrintNightmare uses the same method for exploitation as CVE-2021-34527, but there’s a difference in the entrypoint function (AddPrinterDriverEx). This means an attacker can place a malicious DLL in any locally accessible directory to run the exploit.
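The write-up above describes two things a defender can watch for: a configuration DLL landing in the x64 driver store, and the spooler loading a driver or plug-in. The script below is an added example (it is not part of this post or of Kaspersky's write-up) that audits both on a single host. It assumes the x64 driver store path quoted above, and it reads event ID 316 (driver added or updated) from Microsoft-Windows-PrintService/Operational and event ID 808 (spooler failed to load a plug-in module) from Microsoft-Windows-PrintService/Admin; the Operational log is off by default and has to be enabled first. The $Days window and the output shape are choices made for this example.

```powershell
# Added example, not from the original post: audit the spooler driver store and
# the spooler's own event logs for recent driver/plug-in activity.
# Assumptions: x64 driver store path (adjust on x86 hosts), and that
# Microsoft-Windows-PrintService/Operational has been enabled with
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
param(
    [int]$Days = 30,
    [string]$DriverStore = (Join-Path $env:SystemRoot 'System32\spool\drivers\x64\3')
)

$since = (Get-Date).AddDays(-$Days)

# 1. DLLs written into the driver store recently, with their Authenticode state.
#    A driver installed through normal channels is normally signed; an unsigned
#    or freshly written DLL in this folder is worth a closer look.
$recentDlls = Get-ChildItem -Path $DriverStore -Filter *.dll -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            Signature     = $sig.Status
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# 2. Spooler events: 316 = printer driver added or updated (Operational log),
#    808 = the print spooler failed to load a plug-in module (Admin log).
$events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Operational', 'Microsoft-Windows-PrintService/Admin'
        Id        = 316, 808
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LogName,
        @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }

"== DLLs written to $DriverStore since $since =="
$recentDlls | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
"== PrintService driver events (316/808) since $since =="
$events | Format-Table -AutoSize -Wrap
```

Run it elevated so the driver store and the Admin log are readable. An empty event list on a host that has printed recently usually means the Operational log was never enabled, not that nothing happened.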


TroubleShooting

Review Installed Updates

Outline

  1. wmi
    • wmic

wmi

wmic

Outline

Display results as a table

Syntax

wmic qfe list

Sample

wmic qfe list
Output – Text

wmic qfe list
Caption                                     CSName           Description      FixComments  HotFixID   InstallDate  InstalledBy          InstalledOn
http://support.microsoft.com/?kbid=5003254  [computer]       Update                        KB5003254               NT AUTHORITY\SYSTEM  6/16/2021
https://support.microsoft.com/help/4562830  [computer]       Update                        KB4562830               NT AUTHORITY\SYSTEM  3/23/2021
https://support.microsoft.com/help/4577586  [computer]       Update                        KB4577586               NT AUTHORITY\SYSTEM  3/25/2021
https://support.microsoft.com/help/4580325  [computer]       Security Update               KB4580325               NT AUTHORITY\SYSTEM  3/24/2021
https://support.microsoft.com/help/4589212  [computer]       Update                        KB4589212               NT AUTHORITY\SYSTEM  3/25/2021

Outline

Display results as text

Syntax

wmic qfe list /format:list

Sample

wmic qfe list /format:list

Output – Text

Caption=http://support.microsoft.com/?kbid=5003254
CSName=[computer]
Description=Update
FixComments=
HotFixID=KB5003254
InstallDate=
InstalledBy=NT AUTHORITY\SYSTEM
InstalledOn=6/16/2021
Name=
ServicePackInEffect=
Status=


Caption=https://support.microsoft.com/help/4562830
CSName=[computer]
Description=Update
FixComments=
HotFixID=KB4562830
InstallDate=
InstalledBy=NT AUTHORITY\SYSTEM
InstalledOn=3/23/2021
Name=
ServicePackInEffect=
Status=


Caption=https://support.microsoft.com/help/4577586
CSName=[computer]
Description=Update
FixComments=
HotFixID=KB4577586
InstallDate=
InstalledBy=NT AUTHORITY\SYSTEM
InstalledOn=3/25/2021
Name=
ServicePackInEffect=
Status=


Caption=https://support.microsoft.com/help/4580325
CSName=[computer]
Description=Security Update
FixComments=
HotFixID=KB4580325
InstallDate=
InstalledBy=NT AUTHORITY\SYSTEM
InstalledOn=3/24/2021
Name=
ServicePackInEffect=
Status=


Caption=https://support.microsoft.com/help/4589212
CSName=[computer]
Description=Update
FixComments=
HotFixID=KB4589212
InstallDate=
InstalledBy=NT AUTHORITY\SYSTEM
InstalledOn=3/25/2021
Name=
ServicePackInEffect=
Status=
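The wmic listing above shows which hotfixes a host reports, but it does not by itself say whether the July 6, 2021 out-of-band update is in place. The function below is an added example (not from the original post) that does that check in PowerShell. It reads the same Win32_QuickFixEngineering data as wmic qfe list through Get-HotFix, and it compares the OS build against the builds the KB5004945 release notes in the references give (19041.1083, 19042.1083 and 19043.1083). The build-to-revision table, the function name and the state labels are this example's own; builds not named in the post are reported as unknown rather than guessed.

```powershell
# Added example, not from the original post: is the July 6, 2021 OOB update
# (KB5004945) present on this host? Uses the build numbers the post's
# references list for that KB; any later cumulative update raises UBR further,
# so "patched-or-later" also covers hosts that went straight to later updates.
function Get-PrintNightmarePatchState {
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR            # Update Build Revision: the part after the dot in 19042.1083
    $fixes = Get-HotFix | Sort-Object InstalledOn -Descending   # same source as 'wmic qfe list'

    # Builds and minimum revisions from the KB5004945 release notes (example table).
    $expected = @{ 19041 = 1083; 19042 = 1083; 19043 = 1083 }

    $state = if ($expected.ContainsKey($build)) {
        if ($ubr -ge $expected[$build]) { 'patched-or-later' } else { 'missing' }
    } else {
        'unknown-build'               # not one of the builds the post names; check the matching KB manually
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSBuild        = "$build.$ubr"
        DisplayVersion = $cv.DisplayVersion   # e.g. 20H2 / 21H1 (present on 20H2 and later)
        State          = $state
        HasKB5004945   = [bool]($fixes | Where-Object HotFixID -eq 'KB5004945')
        LatestHotFix   = ($fixes | Select-Object -First 1).HotFixID
        LatestInstall  = ($fixes | Select-Object -First 1).InstalledOn
    }
}

Get-PrintNightmarePatchState | Format-List
```

The build number is the more reliable of the two signals: Get-HotFix (like wmic qfe) only lists what Win32_QuickFixEngineering reports, and a superseding cumulative update can hide the earlier KB from that list while the build revision still proves it is present.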
Remediation

Microsoft

Windows Updates

Outline

Please access “Windows Updates” and install the latest updates for your specific OS Version.

  1. Access Control Panel
  2. Select Programs and Features \ Installed Updates

ScreenShot

Text

  1. 2021-07 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems ( KB5004945 )
    • Status:- Pending Restart
  2. Windows 10 Version 21H1 for x64-based Systems ( KB5004945 )
    • The next version of Windows is available with new features and security improvements.
    • When you are ready for the update, select “Download and Install”

Explanation

In our case, we restarted our computer to complete the 2021-July cumulative update.


Security Steps

Outline

Here are some steps to take to further harden your systems:

  1. Services
    • Services – Print Spooler
  2. Specific Computer
    • Disallow Print Spooler Remote RPC Endpoint
  3. Group Policy
    • Group Policy – Print Spooler

Services – Print Spooler

If you do not need to print at all, whether to a physical printer or to a virtual one such as a PDF writer, please consider disabling the “Print Spooler” service.

Outline
  1. GUI
    • Launch services applet
    • Access the “Print Spooler”
      • Right Click on your selection ( Print Spooler )
        • Stop the Service
        • Disable the Service
Images
Image – GUI – Print Spooler – Running

Image – GUI – Print Spooler – Disabled

Image – GUI – Print Spooler – Disabled and Stopped

Side Effect

Upon disabling the “Print Spooler” service, you will no longer be able to access the Print Dialog.

When you attempt to print from an application, you will receive the message pasted below:-

Before you can perform printer-related tasks such as page setup or printing a document, you need to install a printer.
Do you want to install a printer now?

Images
Image – Before you can perform printer-related


Specific Computer – Disallow Print Spooler Remote RPC Endpoint

If your computer is not acting as a print server, please consider disabling the ability for other computers to print through it.

Outline
  1. Disallow Print Spooler from accepting Client Connections
    • Unconfigured or Enabled
      • When the policy is unconfigured or enabled, the spooler will accept client connections.
    • Disabled
      • When the policy is disabled, the spooler will not accept client connections nor allow users to share printers.
      • All printers currently shared will continue to be shared.
  2. The Setting
    • Branch:- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers
    • Item:- RegisterSpoolerRemoteRpcEndPoint
    • Value:- 2
  3. Options
    • Regedit
    • DOS
      • Reg Query
      • Reg add
Regedit
Images
Image – RegisterSpoolerRemoteRpcEndPoint – Not Set

Image – RegisterSpoolerRemoteRpcEndPoint – Disabled


DOS – Reg Query ( Pre Change )

Syntax

reg query [keyname] /s

Sample

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /s

Output – Image

Output – Text

ERROR: The system was unable to find the specified registry key or value.

DOS – Reg Add

Syntax

reg add [KeyName] /v [ValueName] /t [Type] /d [Data] /f

Sample

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v RegisterSpoolerRemoteRpcEndPoint /t REG_DWORD /d 2

Output – Image

Output – Text

The operation completed successfully.

DOS – Reg Query ( Post Change )

Syntax

reg query [key-name] /s

Sample

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /s

Output – Image

Output – Text

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers
    RegisterSpoolerRemoteRpcEndPoint    REG_DWORD    0x2

Summary

Preventing the Print Spooler from accepting client connections allows one to continue to print locally to an attached device, yet it prevents other computers from reaching this computer's print spooler over the network.

Group Policy – Print Spooler

If your workstations are in their own Active Directory Organizational Unit ( OU ), please consider using Group Policy to disable Print Spooler client connections for the OUs that do not need them.

Outline
  1. Launch Group Policy
  2. Go to Computer Configuration/Administrative Templates/Printers
  3. Disable the setting to “Allow Print Spooler to accept client connections”
Images
Image – Group Policy Object Editor – Default Domain Policy – Computer Configuration – Administrative Templates – Printers – Allow Print Spooler to accept client connections – Not Configured

Image – Group Policy Object Editor – Default Domain Policy – Computer Configuration – Administrative Templates – Printers – Allow Print Spooler to accept client connections – Disabled
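The three hardening steps above (service state, the RegisterSpoolerRemoteRpcEndPoint value, and the same setting pushed by Group Policy) all leave a footprint that can be checked on a host. The script below is an added example, not part of the original post, that reports that footprint and, with -Remediate, applies the registry changes the post walks through. It also reports RestrictDriverInstallationToAdministrators under the PointAndPrint subkey, the value that KB5005010 (in the references) describes for limiting driver installation to administrators after the July 6, 2021 updates. The key paths for the Printers key and the value 2 come from the post; the PointAndPrint key and its value come from KB5005010; the parameter names, function names and status labels are this example's own. Run it elevated.

```powershell
# Added example, not from the original post: report and optionally apply the
# spooler hardening described above. Registry paths: Printers key and value 2
# from the post; PointAndPrint\RestrictDriverInstallationToAdministrators = 1
# from KB5005010. Supports -WhatIf through SupportsShouldProcess.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate,              # write the registry values
    [switch]$DisableSpoolerService   # additionally stop and disable the Spooler service
)

$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnpKey      = Join-Path $printersKey 'PointAndPrint'

function Get-RegValue([string]$Key, [string]$Name) {
    # $null when the key or value is absent: the "unable to find" case shown in the post
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Set-RegDword([string]$Key, [string]$Name, [int]$Data) {
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Data -PropertyType DWord -Force | Out-Null
}

$spooler  = Get-Service -Name Spooler
$rpcValue = Get-RegValue $printersKey 'RegisterSpoolerRemoteRpcEndPoint'
$restrict = Get-RegValue $pnpKey 'RestrictDriverInstallationToAdministrators'

# Current state. 2 = client connections disallowed (the post's setting);
# absent = policy not configured, so the spooler accepts client connections.
[pscustomobject]@{
    SpoolerStatus         = $spooler.Status
    SpoolerStartType      = $spooler.StartType
    RemoteRpcEndPoint     = if ($rpcValue -eq 2) { 'disabled (2)' }
                            elseif ($null -eq $rpcValue) { 'not set (accepts client connections)' }
                            else { "value $rpcValue" }
    RestrictDriverInstall = if ($restrict -eq 1) { 'administrators only (1)' }
                            elseif ($null -eq $restrict) { 'not set' }
                            else { "value $restrict" }
} | Format-List

if ($Remediate) {
    if ($PSCmdlet.ShouldProcess($printersKey, 'Set RegisterSpoolerRemoteRpcEndPoint = 2')) {
        Set-RegDword $printersKey 'RegisterSpoolerRemoteRpcEndPoint' 2
    }
    if ($PSCmdlet.ShouldProcess($pnpKey, 'Set RestrictDriverInstallationToAdministrators = 1')) {
        Set-RegDword $pnpKey 'RestrictDriverInstallationToAdministrators' 1
    }
    if ($DisableSpoolerService) {
        if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        }
    }
    elseif ($spooler.Status -eq 'Running' -and $PSCmdlet.ShouldProcess('Spooler', 'Restart so the new values take effect')) {
        Restart-Service -Name Spooler
    }
}
```

Without -Remediate the script only reports. On a domain-joined host the Group Policy step above writes the same RegisterSpoolerRemoteRpcEndPoint value under the Policies key, so a value of 2 here can come from either the local reg add or the GPO, and a GPO set to Not Configured will leave a locally added value in place.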


References

  1. Microsoft
    • MSRC > Customer Guidance > Security Update Guide > Vulnerabilities
      • CVE-2021-1675
      • CVE-2021-34527
    • Support
      • KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates
      • July 6, 2021—KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band
  2. Kaspersky
    • A Windows Print Spooler vulnerability called PrintNightmare
  3. SECURELIST by Kaspersky
    • Quick look at CVE-2021-1675 & CVE-2021-34527 (aka PrintNightmare)
  4. Ars Technica
    • Dan Goodin
      • Microsoft’s emergency patch fails to fix critical “PrintNightmare” vulnerability
  5. OnMSFT
    • Laurent Giret
      • Microsoft claims its “PrintNightmare” fix is working but acknowledges issues with select printers
  6. Tech Republic
    • Lance Whitney
      • Critical flaws in Windows Print spooler service could allow for remote attacks
  7. The Verge
    • Richard Lawler
      • The Windows update to fix ‘PrintNightmare’ made some printers stop working
  8. Group Policy Administrative Templates ( admx.help )
    • Allow Print Spooler to accept client connections
  9. Jason R. Beer
    • GitHub
      • PublicPowerShellScripts/Remediate-PrintNightmare.ps1
  10. How-To Geek
    • Ben J. Edwards
      • How to See the Most Recent Updates Windows 10 Installed
