Impact on PaperCut Software due to Print Nightmare vulnerabilities including CVE-2021-1675, CVE-2021-34527 and CVE-2021-34481

What is “Print Nightmare”?

“Print Nightmare” is a bug in the Windows spooler service that under some circumstances can result in an attacker being able to remotely run code on a Microsoft Windows system as the local SYSTEM user.

You should read the advisory from Microsoft (updated with security patch information on July 6, 2021).

It is important to note that the attacker needs to be authenticated against the remote system for the attack to be possible.

Note 💡 Following the Microsoft security patches (KB5005652) released on 10th August, 2021, please see our latest advice on the impact of the ‘Do you trust this printer’ dialog box.

The Known Issue (linked above) includes details of the Microsoft workaround as well as some additional protections to put into place. However, if you’d prefer to get away from Windows > Windows printing connections entirely, an alternative is to use our Mobility Print product. Not only does it not require driver installation on clients, but it also allows printing from iOS, Windows, macOS, Android, and Chrome OS devices with minimal fuss.

How do I prevent this?

Please patch your systems!

Microsoft has released a critical severity patch for this vulnerability. It is available via Windows Update or from the links on the Advisory. PaperCut strongly recommends that you apply the patch to all Microsoft Windows systems, prioritizing systems that have the Microsoft Windows print spooler service exposed to your network.

The patch also enables the ability to restrict who can install drivers on print servers via configuration. Our initial testing indicates that this setting will not adversely affect the operation of PaperCut’s software, and we strongly recommend that installation of printer drivers onto print servers be restricted to Administrators only.

I haven’t installed the patch yet, what can I do?

PaperCut strongly recommends that you read the Microsoft Advisory for yourself to understand the impact and scope of the recommended work-arounds and mitigations. We recommend that each customer evaluate that risk for themselves and, if appropriate, consider the mitigation approaches set out in this article. We strongly recommend that, as a priority, you patch any system that needs to expose the Microsoft Windows print spooler to the network.

Please ensure that you are running versions of Microsoft Windows that still receive automatic updates and that the updates have been applied. Also ensure that your Antivirus solution is up to date.

PaperCut has been actively monitoring the information provided by Microsoft on this issue and actively testing our software to determine the impact that various mitigations would have on its functionality.

Based on the 6th July 2021 update (version 2.0) to the Microsoft advisory, PaperCut believes the following work-arounds and configurations form a reasonable balance between security and maintaining the ability to print. As always, organisations should evaluate this internally and with respect to their own risk management procedures:

  • Ensure that any Microsoft Windows Print Servers are isolated from the internet (e.g. accessible only from your internal network).
  • Do not use a Domain Controller as a Print Server.
  • Patch all print servers with the patches in the Microsoft Advisory.
  • Disable the Spooler Service on any member server or client that doesn’t need to print.
  • Set the “Allow Print Spooler to accept client connections:” group policy to disabled on systems that don’t need to accept print jobs from other systems.
  • Restrict “Point and Print” on member servers and clients that require the ability to print, as per the instructions in the Microsoft knowledge base article.
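
The settings in the list above can be checked on a host with a read-only audit. The following PowerShell is an added example, not code from PaperCut or Microsoft; the function names are hypothetical, and the registry value names are the Microsoft policy values that back the Group Policy settings named in the list.

```powershell
# Added example: read-only audit of the spooler mitigations listed above.
# Run locally on a Windows host; nothing is changed by this script.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-SpoolerHardening {
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnp      = Join-Path $printers 'PointAndPrint'

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # "Allow Print Spooler to accept client connections": 2 = disabled, 1 = enabled
    $remoteRpc = Get-PolicyValue $printers 'RegisterSpoolerRemoteRpcEndPoint'

    # Point and Print prompts: 0 or absent means warning and elevation are shown
    $noWarn    = Get-PolicyValue $pnp 'NoWarningNoElevationOnInstall'
    $updPrompt = Get-PolicyValue $pnp 'UpdatePromptSettings'

    # 1 = only Administrators may install printer drivers.
    # An absent value is reported as False: it has not been set explicitly.
    $adminOnly = Get-PolicyValue $pnp 'RestrictDriverInstallationToAdministrators'

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        SpoolerStatus              = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        SpoolerStartType           = if ($svc) { "$($svc.StartType)" } else { 'n/a' }
        RemoteConnectionsDisabled  = ($remoteRpc -eq 2)
        PointAndPrintPromptsIntact = (($noWarn -in @($null, 0)) -and
                                      ($updPrompt -in @($null, 0)))
        DriverInstallRestrictionSet = ($adminOnly -eq 1)
    }
}

Test-SpoolerHardening | Format-List
```

On a print server the spooler is expected to be running and accepting connections, so there the patch level and the two Point and Print results are the ones to review.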

Previous advice recommended restricting user groups; this mitigation has been removed from Microsoft’s advisory, and it’s unlikely to be effective in reducing the ability to exploit this on systems that expose the Print Spooler Service to your network.

There has been some advice on the internet about restricting SYSTEM access to the spooler drivers directory. This has not been recommended by Microsoft, will adversely affect printing in general, and will probably not mitigate the vulnerability.

How is PaperCut software affected by the Workarounds/Mitigations suggested by Microsoft?

We believe that you can continue to use PaperCut Products to print documents while applying many of these mitigations.

The following table sets out the impact on PaperCut’s software from each corresponding mitigation.

Note 💡 This only applies to systems running Microsoft Windows.

If you have any issues with PaperCut software when applying these mitigations, or specific requirements that aren’t addressed by this article, please speak with our support or tech services teams.

| Product Component | Disable Print Spooler | Disable inbound remote printing through Group Policy | Restrict Point and Print |
|---|---|---|---|
| PaperCut MF/NG Application Server | No impact if there are no print queues being hosted on the app server | No impact if there are no print queues being hosted on the app server | No impact if there are no print queues being hosted on the app server |
| PaperCut MF/NG Print Server (running Print Provider) | Printing will stop working for any client that prints via this server | Printing will stop working for any client that prints via this server | No impact* |
| PaperCut MF/NG end user laptop or workstation | Printing will stop working on this system | No impact* | No impact* |
| PaperCut Pocket/Hive print client (end user laptop or workstation) | Printing will stop working on this system | No impact* | No impact* |
| PaperCut Pocket/Hive Edge Node (Super node or standard node on end user’s laptop) | Print delivery limited to direct IPP job delivery only (No queue delivery method will be supported) | No impact* | No impact* |
| Mobility Print Server | Printing will stop working for any client that prints via this server | No impact | No impact* |
| Mobility Print Client (Both Local and Cloud Print) | Printing will stop working on this system | No impact | No impact |
| PaperCut MF/NG Print Deploy server | No impact | No impact | No impact |
| PaperCut MF/NG Print Deploy cloner | Unable to clone | No impact | No impact |
| PaperCut MF/NG Print Deploy client | New Client installation completes, Direct Print Monitor will not start without a working Print Spooler. Existing Clients will not manage printers. Users can not print. Servers will not print jobs. | Client workstations appear unaffected, Mobility, DirectIP and \\server queues work. Servers will not accept print jobs. | Client workstations appear unaffected, Mobility, DirectIP, and \\server queues work. Servers currently under investigation. |
| PaperCut MF/NG Microsoft Universal Print Connector | Printing will stop working | No impact | No impact |

* Currently in testing to confirm
