It's time to update your PC: on Tuesday Microsoft released an emergency patch for a recently disclosed security bug called “PrintNightmare”. PrintNightmare is a critical vulnerability in all supported versions of Windows that is being actively exploited.
About the Security Patch
The issue, tracked as CVE-2021-34527, is a flaw in the Windows Print Spooler service that attackers could exploit to run code of their choice on a target’s system. Microsoft says it has already detected active exploitation of this vulnerability.
Satnam Narang, staff research engineer at Tenable, said Microsoft’s patch warrants urgent attention because of the vulnerability’s ubiquity across organizations and the prospect that attackers could exploit this flaw in order to take over a Windows domain controller.
In a statement, he said:
“We expect it will only be a matter of time before it is more broadly incorporated into attacker toolkits. PrintNightmare will remain a valuable exploit for cybercriminals as long as there are unpatched systems out there, and as we know, unpatched vulnerabilities have a long shelf life for attackers.”
What does the new fix include?
Microsoft’s Security Response Center said in a recent blog post that fixes for the vulnerability in Windows Server 2016, Windows 10 version 1607, and Windows Server 2012 were delayed. The fix also apparently includes a new feature that lets Windows administrators apply stronger and more secure restrictions on the installation of printer software.
Microsoft’s support advisory states:
“Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server.”
It adds:
“After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”
How to update, and where to find the fix
Windows 10 users can check for the patch by opening the Windows Update section in Settings. It should show that KB5004945 is available to download and install. A reboot is required after installation.
Users yet to receive the security fix should disable the Print Spooler manually
Users on a Windows machine that has not yet received the security fix are advised to manually disable the Print Spooler service or disable inbound remote printing. The Print Spooler can be disabled by running the “Stop-Service -Name Spooler -Force” and “Set-Service -Name Spooler -StartupType Disabled” commands in PowerShell.
Inbound remote printing can be disabled by going to Computer Configuration > Administrative Templates > Printers and switching off the “Allow Print Spooler to accept client connections” option. The Print Spooler service must be restarted for the change to take effect.
What security researchers say about the fix
Security researcher Benjamin Delpy posted on Twitter that the exploit still works on a fully patched Windows server if the server also has Point & Print enabled, a Windows feature that automatically downloads and installs available printer drivers.
Check the tweet here
Dealing with strings & filenames is hard😉
New function in #mimikatz 🥝to normalize filenames (bypassing checks by using UNC instead of \\server\share format)
So an RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
— 🥝 Benjamin Delpy (@gentilkiwi) July 7, 2021
Delpy said it’s common for organizations to enable Point & Print using group policies because it allows users to install printer updates without getting approval first from IT.
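The mitigations described above (the KB5004945 patch, a stopped and disabled Spooler service, inbound remote printing switched off) and the Point & Print configuration Delpy highlights can be audited together from an elevated PowerShell session. The following script is an added example, not code from the article or from Microsoft; the registry paths are the ones the named Group Policies write to, to the best of my knowledge, and the KB number check only applies to the Windows 10 build named above (both are assumptions to verify on your own build).

```powershell
# Added audit script (not from the article or Microsoft). Run as Administrator.
# Assumption: these are the registry locations the "Allow Print Spooler to accept
# client connections" and "Point and Print Restrictions" policies write to.
$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointAndPrint  = Join-Path $printersPolicy 'PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy "Not configured").
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-PrintNightmareMitigations {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # KB5004945 is the Windows 10 package named in the article; other builds use other KB numbers.
    $patched = [bool](Get-HotFix -Id KB5004945 -ErrorAction SilentlyContinue)

    $rpc       = Get-PolicyValue $printersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
    $noWarn    = Get-PolicyValue $pointAndPrint  'NoWarningNoElevationOnInstall'
    $prompt    = Get-PolicyValue $pointAndPrint  'UpdatePromptSettings'
    $adminOnly = Get-PolicyValue $pointAndPrint  'RestrictDriverInstallationToAdministrators'

    [pscustomobject]@{
        PatchKB5004945Installed  = $patched
        SpoolerStatus            = if ($spooler) { $spooler.Status }    else { 'NotPresent' }
        SpoolerStartType         = if ($spooler) { $spooler.StartType } else { 'NotPresent' }
        # Policy set to Disabled writes 2; Enabled writes 1; absent means not configured.
        InboundRemotePrintingOff = ($rpc -eq 2)
        # Point & Print is relaxed when either value is non-zero (installs skip the warning/elevation).
        PointAndPrintRelaxed     = (($noWarn -gt 0) -or ($prompt -gt 0))
        # The post-patch "administrators only" driver installation restriction.
        DriverInstallAdminOnly   = ($adminOnly -eq 1)
    }
}

$state = Test-PrintNightmareMitigations
$state | Format-List

if (-not $state.PatchKB5004945Installed -and $state.SpoolerStatus -ne 'Stopped') {
    Write-Warning 'Unpatched with Spooler running: stop and disable the service, or disable inbound remote printing.'
}
if ($state.PointAndPrintRelaxed) {
    Write-Warning 'Point & Print allows driver installs without warning or elevation; the patch alone may not be sufficient.'
}
```

A host that is unpatched, still running the Spooler, and has Point & Print relaxed triggers both warnings; a host that passes every check still benefits from applying the patch on all builds, since the KB check covers only the one package named in the article.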