Although it seemed that Kaseya would be July's cybersecurity protagonist, it now looks like it will have to share the stage with PrintNightmare, a critical vulnerability located in the Windows print spooler. The US CISA (Cybersecurity & Infrastructure Security Agency) issued a statement reporting on it, and since then information about it has not stopped circulating, information that, at times, may even seem contradictory.

This is normal, of course, since new findings have been made over the days, raising the assessment of PrintNightmare's danger considerably, to the point that, after an initial CVE was assigned, a second identifier had to be used that broadens the definition of this threat, which has generated even more confusion for many users. So we are going to try to bring some order to an issue that deserves our full attention.

PrintNightmare Timeline

At the beginning of June, on the 8th, Microsoft published CVE-2021-1675, entitled “Windows Print Spooler Remote Code Execution Vulnerability”. Nothing made us think, at the time, that its significance would escalate to the current point. It seemed like a minor threat, one that had been identified before being exploited and that could be easily addressed. So there was no reason to worry.

Everything changed, however, with the change of month. As I indicated before, the main security agencies in the world began issuing statements alerting about an important update to CVE-2021-1675, urging users and public and private organizations to immediately adopt measures to protect themselves from this threat. In that same period, Microsoft published CVE-2021-34527, the vulnerability that goes by the name PrintNightmare.

Unlike CVE-2021-1675, which received a High severity rating, PrintNightmare was rated Critical from the outset, since it allows remote code execution. Since then there have been several updates, and Microsoft has been working around the clock on this issue. Meanwhile, while waiting for a definitive solution, we have also been able to read several recommendations to mitigate its risks.

What is PrintNightmare?

The problem lies in a function of the Windows print spooler, specifically RpcAddPrinterDriverEx(), which, as its name suggests, allows a new printer driver to be installed on the system. Although it should, the spooler does not restrict access to it, so any authenticated user, whether local or remote, can use it.

And what is the problem with a user being able to install a printer remotely? What makes PrintNightmare so dangerous? You have surely figured it out already: when I talk about installing a printer I mean its driver, which an administrator can install even if it is unsigned and which, as you can imagine, can contain any malicious function. In this way, an attacker who gains access to a system and uses RpcAddPrinterDriverEx() to execute malicious code can escalate privileges, deliver payloads to the compromised system, and even take complete control of it.

The print spooler is a component present in all versions of Windows, so Microsoft indicates that any installation of its operating system is liable to be attacked using PrintNightmare. Therefore, whatever your version of Windows, in principle your system is exposed to PrintNightmare and you must take measures to protect yourself. The problem is that it is not as simple as it should be.

How to protect yourself from PrintNightmare?

Here we come to the crux of the matter, and it is not as simple or as direct as one might expect. And yes, you may have read that there is already a Microsoft patch to fix it, but the truth is that it is not effective.

But before going into this, we must remember what I was saying at the beginning and distinguish between CVE-2021-1675 and CVE-2021-34527. For the first, Microsoft has already published fixes that mitigate the specific risks of that vulnerability. However, those patches do not fix the problem associated with CVE-2021-34527.

On the other hand, Microsoft yesterday published patches for PrintNightmare for different versions of Windows, including some that are officially no longer supported. They are as follows:

The bad news is that, shortly after its publication, social networks began to fill with messages stating that the official patch is incomplete and that PrintNightmare therefore persists after it is applied. With the added risk of a false sense of security, of course, since many users may consider themselves already protected when in fact they are still exposed.

Worse still, 0patch had published an unofficial patch that had been shown to be effective against PrintNightmare, but applying Microsoft’s official patch neutralizes the effect of the one developed by 0patch, leaving the system vulnerable again to attacks based on this security issue.

Microsoft has stated that it is studying the reports about the patch's problems. We therefore understand that a new version will be published shortly, correcting the deficiencies found in the first one.

In the meantime, the recommendation is not to allow automatic Windows updates if the 0patch patch is being used, because the protection it offers is already sufficient. Another possibility is to disable the printing services you do not need on each system. Servers, for example, unless they are print servers, should have these services disabled for security reasons. The same goes for endpoints: minimize the active services related to printing, especially on systems from which you never print.

To check the current status of the spooler service, open a PowerShell console and type Get-Service -Name Spooler on the command line. The result shows the service's current state. If the service is shown as stopped or disabled, there is nothing to worry about, since the PrintNightmare door remains closed on that system. If the service is running, there are two possibilities, as long as we are not talking about a print server, to which these measures cannot be applied, since the service would stop working.

The first is undoubtedly the most drastic, and it can only be used if you never print from that system. In the same PowerShell console used to check the status of the service, enter the following commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

The former immediately stops the Windows print service, while the latter changes its settings so that it does not load again after the system is rebooted. When Microsoft releases a patch that definitively fixes PrintNightmare, you can reactivate it with this command:

Set-Service -Name Spooler -StartupType Automatic

In this way, after restarting the system, you will be able to print normally from that system.

The second method is to disable only the system's print server role. You will still be able to print from it, but it will no longer act as a print server for other computers and devices on the network. To do this, open the Local Group Policy Editor, navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Printers, and look there for the entry Allow Print Spooler to accept client connections.

Then double-click on it and check its status, which must be Disabled to prevent the risks of PrintNightmare. So if it is Not Configured or Enabled, change this value and reboot the system.

I have already installed the Microsoft patch for PrintNightmare

It is possible that, when you read this, you have already installed the official Microsoft patch, or even that it was installed automatically. The problem is that, on its own, it does not solve the PrintNightmare problem. In this case you will have to make a change in the Windows registry. The fastest way to do this is to open a console (Command Prompt) and type the following command:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f

Transcribe it exactly as shown, including the quotes, or, if you are doing this on the computer where you are reading it, copy and paste it. Keep in mind that, although it may be split here because of its length, it is a single command. This will prevent unsigned printer drivers from being installed even by accounts with system administrator privileges, which is precisely what PrintNightmare takes advantage of.
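The following audit script is an added example and not part of the original article: it checks, read-only, the three mitigations described above on the local machine (spooler state, the client-connections policy, and the RestrictDriverInstallationToAdministrators value). It assumes the "Allow Print Spooler to accept client connections" policy is stored as the RegisterSpoolerRemoteRpcEndPoint value under the Printers policy key, with 2 meaning Disabled; run it in an elevated PowerShell session.

```powershell
# Added example, not code from the article. Reports the PrintNightmare
# mitigation status of this host; it changes nothing.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnpKey    = Join-Path $policyKey 'PointAndPrint'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Spooler service state and startup type (same check as Get-Service above)
$spooler    = Get-Service -Name Spooler
$spoolerOff = ($spooler.Status -ne 'Running') -or ($spooler.StartType -eq 'Disabled')

# 2. "Allow Print Spooler to accept client connections" policy.
#    Assumption: stored as RegisterSpoolerRemoteRpcEndPoint, 2 = Disabled.
$rpc       = Get-RegValue -Path $policyKey -Name 'RegisterSpoolerRemoteRpcEndPoint'
$remoteOff = ($rpc -eq 2)

# 3. Registry value from the article; 1 restricts driver installation
#    to administrators.
$restrict   = Get-RegValue -Path $pnpKey -Name 'RestrictDriverInstallationToAdministrators'
$restrictOn = ($restrict -eq 1)

[pscustomobject]@{
    SpoolerStatus          = $spooler.Status
    SpoolerStartType       = $spooler.StartType
    SpoolerStoppedOrOff    = $spoolerOff
    RemoteClientsBlocked   = $remoteOff
    DriverInstallAdminOnly = $restrictOn
    # The remote vector is closed by either stopping the spooler or
    # refusing client connections; the registry value only matters once
    # the official patch is installed.
    RemoteVectorClosed     = ($spoolerOff -or $remoteOff)
}
```

A print server will legitimately report RemoteClientsBlocked as False; treat that line as expected there and rely on the patch plus the registry value instead.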

Am I safe now?

In principle, these measures should already offer the necessary level of security, although it is true that we will still have to wait for Microsoft to publish a definitive solution, either as a standalone patch or as part of next week's Patch Tuesday. Additionally, and very importantly, keep in mind that these solutions prevent attacks from the moment they are applied, but they do not solve problems that may have occurred before, so after patching PrintNightmare, carry out a security check on the systems that may have been affected, that is to say, practically any Windows system.