Impact on PaperCut Software due to Print Nightmare vulnerabilities
“Print Nightmare” is a bug in the Windows spooler service that under some circumstances can result in an attacker being able to remotely run code on a Microsoft Windows system as the local SYSTEM user. Generally this (and subsequent patches and fixes from Microsoft) has been referred to as ‘PrintNightmare’ - but also gets mentioned as CVE-2021–1675, CVE-2021–34527 and CVE-2021–34481.
You should read the advisory from Microsoft (updated with security patch information on July 6, 2021).
It is important to note that the attacker needs to be authenticated against the remote system for the attack to be possible.
Please patch your systems!
Microsoft has released multiple patches and fixes surrounding these vulnerabilities. They are available via Windows Update or from the links on the Advisory. PaperCut strongly recommends that you apply the patch to all Microsoft Windows systems prioritizing systems that have the Microsoft Windows print spooler service exposed to your network.
PaperCut strongly recommends that you read the Microsoft Advisory for yourself to understand the impact of and scope of the recommended work-arounds and mitigations. We recommend each customer evaluate that risk for themselves and if appropriate consider the mitigations approaches set out in this article. We strongly recommend that you patch any system that needs to expose the Microsoft Windows print spooler to the network as a priority.
Based on the 6th July 2021 update( version 2.0) to the Microsoft advisory PaperCut believes the following work-arounds and configurations form a reasonable balance between security and maintaining the ability to print. As always organisations should evaluate this internally and with respect to their own risk management procedures:
- Ensure that any Microsoft Windows Print Servers are isolated from the internet ( e.g. accessible only from your internal network)
- Not using a Domain Controller as a Print Server.
- Patch all print servers with the patches in the Microsoft Advisory.
- Disabling the Spooler Service on any member server or client that doesn’t need to print.
- Setting the “Allow Print Spooler to accept client connections:” group policy to disabled on systems that don’t need to accept print jobs from other systems.
- Restrict “Point and Print” on member servers and clients that require the ability to print as per the instructions in the Microsoft knowledge base article.
As we have seen across every organization (including those not using PaperCut), these patches have been highly disruptive to printing. Below is a summary of problems that we’ve seen, and our latest advice for tackling a solution:
|Non-administrators may see a ‘Do you trust this printer’ dialog box, following the installation of August 2021 Windows updates.||KB5005652||Temporary registry key workaround detailed on the known issue: PD-1112.||Choose one of the options from the 4 ways to fix Print Nightmare with PaperCut blog post.|
|macOS to Windows printing via SMB stops working following the installation of September 2021 Windows updates.||KB5005568, KB5005613, KB5005627, KB5005623, KB5005607, KB5005606, KB5005618, KB5005565, KB5005566, KB5005615||Temporary registry key workaround detailed on the known issue: PO-522.||If you are only looking to resolve macOS > Windows printing, switch to an alternative method of network printing, for example using PaperCut’s LPD service to print over LPR instead of SMB. Alternatively, choose one of the options from the 4 ways to fix Print Nightmare with PaperCut blog post.|
|Network printing can fail with an error 0×0000011b following the installation of September 2021 Windows updates.||KB5005565||Temporary registry key workaround detailed on the known issue: PO-523.||Choose one of the options from the 4 ways to fix Print Nightmare with PaperCut blog post.|
|Cross-server redirection can fail with error 283 or error 317 following the installation of September 2021 Windows updates.||KB5005568||Temporary registry key workaround detailed on the known issue: PC-18603.||Choose one of the options from the 4 ways to fix Print Nightmare with PaperCut blog post.|
|Network printing can fail with error 0x00000709 following the installation of October 2021 Windows updates.||KB5006670, KB5006672||None - see: PO-598.||Microsoft has released optional update KB5007253 to resolve this issue. This resolves the issue that causes error codes 0x000006e4, 0x0000007c, or 0x00000709 when connecting to a remote printer that is shared on a Windows print server. See the Microsoft documentation for more information.|
Keywords: security, print nightmare, microsoft, print spooler, windows spooler, [cve-2021-1675] cve-2021-34527