Geekzone: technology news, blogs, forums


clinty

#288491 3-Jul-2021 15:36

Not only the Kaseya attack to worry about this weekend

 

https://www.windowscentral.com/windows-printnightmare-vulnerability-being-actively-exploited-according-microsoft

 

 

 

A print spooler vulnerability PoC was accidentally published before MS could patch it - MS recommends turning off Print Spooler in Servers that do not require it, until a patch is released.

 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

 

 

 

"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations," says the company. "An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

 

 

 

Clint


Oblivian
#2740587 7-Jul-2021 14:33

We back in Biz as of a few hours ago

 

 

 

https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004945 




Dynamic
#2740603 7-Jul-2021 15:03

Fantastic, thank you @Oblivian.

 

A direct link to more information about the fix (Win 10 specific link).... https://support.microsoft.com/en-us/topic/july-6-2021-kb5004950-os-build-10240-18969-out-of-band-7f900b36-b3cb-4f5e-8eca-107cc0d91c50 





“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams


billgates
#2740657 7-Jul-2021 15:22

Long story short, the patch released by MS a few hours ago only fixes 1 of 2 ways of exploiting the vulnerability. At this stage disabling incoming remote printer connection, then restarting the print spooler is one method or disable the printer spooler is second method. I would recommend applying the 1st method followed by 2nd method for good record. Domain controllers do not and should not require any form of printing be it even printing to file type of reports.




Do whatever you want to do man.
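
As an added example (not part of any post in this thread), a read-only PowerShell audit of the two mitigations described above: whether the spooler is running and whether inbound remote printing is blocked by policy. The function name `Get-SpoolerExposure` and its advice strings are hypothetical; the KB numbers are the ones linked in the thread.

```powershell
# Added example: read-only audit of the spooler mitigations discussed above.
# Run from an elevated Windows PowerShell 5.1+ prompt on the host being checked.
function Get-SpoolerExposure {
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

    # Policy "Allow Print Spooler to accept client connections":
    # 2 = disabled, 1 = enabled, absent = not configured (OS default).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $inboundBlocked = ($null -ne $pol) -and ($pol.RegisterSpoolerRemoteRpcEndPoint -eq 2)

    # KB numbers quoted in the thread. Later cumulative updates supersede
    # them, so $false here is a prompt to check the build, not proof.
    $kbs   = 'KB5004945', 'KB5004950'
    $hasKb = [bool](Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $kbs -contains $_.HotFixID })

    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $isDc    = $role -in 4, 5          # 4 = backup DC, 5 = primary DC

    $advice = if (-not $running) {
        'Spooler not running: confirm its start type is Disabled.'
    } elseif ($isDc) {
        'Domain controller with spooler running: stop and disable the service.'
    } elseif (-not $inboundBlocked) {
        'Inbound printing not blocked by policy: block it or disable the service.'
    } else {
        'Inbound remote printing blocked: local printing only; keep patching.'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        DomainController = $isDc
        SpoolerStatus    = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'NotPresent' }
        InboundBlocked   = $inboundBlocked
        ThreadKbPresent  = $hasKb
        Advice           = $advice
    }
}

Get-SpoolerExposure | Format-List

# To apply the "disable the spooler" method on a host that does not print:
#   Stop-Service -Name Spooler -Force
#   Set-Service  -Name Spooler -StartupType Disabled
```

A change to the inbound-connections policy only takes effect after the Print Spooler service is restarted.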

  



Oblivian
#2740939 8-Jul-2021 09:48

Gets better and better

 

So confirmed that it's only patching the Remote Execution portion. Already modified exploits to avoid it.

 

And applying the 'fix' breaks Zebra label printers. Zebra's line: 'rollback the update'


clinty

#2741772 9-Jul-2021 10:56

... and breaks some older, crappy receipt printers as well ( client had PRP-88iii stop working after the patch was installed )

 

 

 

Clint


1101
#2741778 9-Jul-2021 10:59

Oblivian:

 

And applying the 'fix' breaks Zebra label printers. Zebra's line: 'rollback the update'

 

 

The patch WILL be included in the next Windows update. And in subsequent update rollups?
You are going to have an ongoing monthly battle, I'll guess.

 

I installed it on a Win10 PC. Then had weird Outlook (signature) memory low warnings.
So damned if you do, damned if you don't.

 

Plenty of shared Zebra printers being used by old apps. I hope that Zebra issue was just a one off.


 
 
 
 

Kraven
#2741797 9-Jul-2021 11:25

Only seems to affect Zebra printers directly connected to a PC. If connecting via an IP printer server they work fine.


Oblivian
#2741803 9-Jul-2021 11:31

1101:

 

The patch WILL be included in the next Windows update. And in subsequent update rollups?
You are going to have an ongoing monthly battle, I'll guess.

 

I installed it on a Win10 PC. Then had weird Outlook (signature) memory low warnings.
So damned if you do, damned if you don't.

 

Plenty of shared Zebra printers being used by old apps. I hope that Zebra issue was just a one off.

 

 

I've already had it deployed automatically as an urgent requirement on internet before corp has pushed it out. So they've flagged it as a must-have.

 

The update is a rollup. So it's not just the printer fix, but cumulative other previous ones (and more) also. Other issues may stem if you are a bit behind on them.

 

The major change is signed drivers are required on print servers. And a change of user group of who can install new drivers.

 

Client level, it also requires signed drivers. Which manufacturers should all have. But it seems Zebra has an exception of sorts in their chain and don't fully qualify currently so they're being blocked or similar. It's a 'watch this space' scenario. But in the interim basically saying leave your devices unprotected if you want to use our printers.


jaymz
#2741872 9-Jul-2021 14:55

Reading all the information, there appears to be only two ways of mitigating the issue:

 

1. Disable the Print Spooler service

 

2. Install 0Patches micro update: https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html

 

 


1101
#2741891 9-Jul-2021 15:29

Is this one of the vulnerabilities where the hacker first needs to be on the network?

 

i.e., hacker needs to be able to access a network PC.
If hackers gained access to a workstation you're in serious trouble regardless.

 

 


Dynamic
#2741897 9-Jul-2021 15:39

1101:

 

Is this one of the vulnerabilities where the hacker first needs to be on the network?

 

Yes, it is.  Once someone unauthorised is on your network, this vulnerability allows them to potentially give themselves admin rights.





“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams


 
 
 
 

Oblivian
#2741898 9-Jul-2021 15:43

Mostly. But not if you have a badly configured internet facing server with spooler open and a stupid print from web set-up.

Which is why part of restrictions is to turn it off on anything but print server and close down to internal network with authorised devices only.

nztim
#2741972 9-Jul-2021 19:05

billgates:  Domain controllers do not and should not require any form of printing be it even printing to file type of reports.

 

I shudder to think how many small SBS2011 customers there are still out there, or even just small site, single server DC/File/Print

 

 





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


clinty

#2741987 9-Jul-2021 21:06

nztim:

 

billgates:  Domain controllers do not and should not require any form of printing be it even printing to file type of reports.

 

I shudder to think how many small SBS2011 customers there are still out there, or even just small site, single server DC/File/Print

 

 

 

 

Unfortunately most of my clients fit this model in one form or another - just based around their size. And generally printing used to be something that was not really a vector, so we could set up one PC to act as a print server, allows for easy management.

 

Have spent a bit of time this week figuring out which sites' topology can be changed and/or patched without the natives going berserk :(

 

 

 

Clint


Oblivian
#2744286 14-Jul-2021 21:36

No sooner do they patch it, patch Tuesday comes along with what should have gone out

Updates an issue that might make printing to certain printers difficult. This issue affects various brands and models, but primarily receipt or label printers that connect using a USB port.
