Microsoft began rolling out a mandatory security patch for most supported Windows versions yesterday to fix the PrintNightmare vulnerability – a critical issue present in the Windows Print Spooler service tracked under CVE-2021-34527 that when exploited could allow for both remote code execution (RCE) and local privilege escalation (LPE). While yesterday’s update fixed the RCE exploit, the changelog did not mention any fixes for the LPE component.
Now, security researchers are reporting that yesterday's patch can be bypassed because it does not fix the problem with the Point and Print policy in Windows, which Microsoft initially said was not directly related, and which can still be used to perform RCE and LPE. Researchers and experts tweeted proof-of-concepts (spotted by BleepingComputer) running on fully patched systems, showing how the patch can be completely bypassed to perform LPE. This was corroborated by another researcher from CERT, Will Dormann.
Dealing with strings & filenames is hard😉
— 🥝 Benjamin Delpy (@gentilkiwi) July 7, 2021
New function in #mimikatz 🥝to normalize filenames (bypassing checks by using UNC instead of \\server\share format)
So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
https://t.co/Wzb5GAfWfd pic.twitter.com/HTDf004N7r
Considering that the zero-day vulnerability and its possible exploits have been widely shared in the wild, systems that have the Print Spooler service running might be at active risk of being compromised, especially those in enterprise setups that use the functions to remotely install printer drivers and updates. For now, though, the original workarounds of disabling the Print Spooler service or blocking inbound remote printing through Group Policy might be the best option to mitigate potential threats. While the changes do impact printing functionality, it is a faster fix and negates the need for admins to provision ineffective patches for their organization’s systems.
You can follow these steps to disable the Print Spooler service through PowerShell:
- Open PowerShell as Administrator
- Stop-Service -Name Spooler -Force
- Set-Service -Name Spooler -StartupType Disabled
Alternatively, you can block inbound remote printing through Group Policy using the following steps:
- Open the Group Policy Editor
- Head to Computer Configuration / Administrative Templates / Printers
- Disable the “Allow Print Spooler to accept client connections” policy
Currently, there is no word from Microsoft about the researchers’ findings, but it would not be surprising if the firm is already working on a patch to address the issues. It might also help to keep an eye on the MSRC page tracking the vulnerability for updates.
Update: Microsoft has updated the MSRC listing noting that it is rolling out patches for Windows Server 2012, Windows Server 2016, and Windows 10, Version 1607. The firm adds that in order to secure the system, users "must confirm that the following registry settings are set to 0 or are not defined".
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)
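As an added check (not from the article or from Microsoft), the following PowerShell script audits the mitigations described above on a single host: the Print Spooler service state, the "Allow Print Spooler to accept client connections" policy, and the two Point and Print values the MSRC guidance lists. It assumes an elevated PowerShell session; RegisterSpoolerRemoteRpcEndPoint is the registry value that Group Policy writes for the "accept client connections" setting (2 = policy Disabled).

```powershell
# Added audit script: reports the PrintNightmare mitigation state of this host.
# Run as Administrator. It changes nothing; it only reads service and registry state.

# 1. Print Spooler service: the article's first workaround is to stop and disable it.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    "Spooler service: Status=$($spooler.Status) StartType=$($spooler.StartType)"
    if ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled') {
        "  -> Spooler is not disabled. If this host does not need to print, run:"
        "     Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled"
    }
} else {
    "Spooler service not found on this host."
}

# 2. Group Policy 'Allow Print Spooler to accept client connections'.
#    When the policy is set to Disabled, Windows writes RegisterSpoolerRemoteRpcEndPoint = 2.
$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$rpc = Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
if ($rpc -and $rpc.RegisterSpoolerRemoteRpcEndPoint -eq 2) {
    "Inbound remote printing: blocked by policy (RegisterSpoolerRemoteRpcEndPoint = 2)"
} else {
    "Inbound remote printing: NOT blocked by policy (client connections are accepted)"
}

# 3. Point and Print values from the MSRC guidance: each must be 0 or not defined.
$papKey = Join-Path $printersKey 'PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate') {
    $item  = Get-ItemProperty -Path $papKey -Name $name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$name } else { $null }
    if ($null -eq $value) {
        "${name}: not defined (default; acceptable per MSRC)"
    } elseif ($value -eq 0) {
        "${name}: 0 (acceptable per MSRC)"
    } else {
        "${name}: $value (NOT acceptable; set to 0 or remove the value)"
    }
}
```

Run it across a fleet with Invoke-Command to get one line per host per check; a host reporting a running Spooler with client connections accepted and either Point and Print value non-zero is the configuration the researchers above demonstrated against.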
Interestingly, CERT researcher Dormann claims that the "NoWarningNoElevationOnInstall = 0 does NOT prevent exploitation". The firm is yet to address the reports from other security research firms as well.