Impact on PaperCut Software due to Print Nightmare vulnerabilities including CVE-2021-1675, CVE-2021-34527 and CVE-2021-34481
“Print Nightmare” is a bug in the Windows spooler service that under some circumstances can result in an attacker being able to remotely run code on a Microsoft Windows system as the local SYSTEM user.
You should read the advisory from Microsoft (updated with security patch information on July 6, 2021).
It is important to note that the attacker needs to be authenticated against the remote system for the attack to be possible.
Please patch your systems!
Microsoft has released a critical severity patch for this vulnerability. It is available via Windows Update or from the links on the advisory. PaperCut strongly recommends that you apply the patch to all Microsoft Windows systems, prioritizing systems that have the Microsoft Windows print spooler service exposed to your network.
The patch also enables the ability to restrict who can install drivers on print servers via configuration. Our initial testing indicates that this setting will not adversely affect the operation of PaperCut’s software, and we strongly recommend that installation of printer drivers onto print servers is restricted to Administrators only.
PaperCut strongly recommends that you read the Microsoft advisory for yourself to understand the impact and scope of the recommended work-arounds and mitigations. We recommend each customer evaluate that risk for themselves and, if appropriate, consider the mitigation approaches set out in this article. We strongly recommend that you patch any system that needs to expose the Microsoft Windows print spooler to the network as a priority.
Please ensure that you are running versions of Microsoft Windows that still receive automatic updates and that the updates have been applied. Also ensure that your Antivirus solution is up to date.
PaperCut has been actively monitoring the information provided by Microsoft on this issue and actively testing our software to determine the impact that various mitigations would have on its functionality.
Based on the 6th July 2021 update (version 2.0) to the Microsoft advisory, PaperCut believes the following work-arounds and configurations form a reasonable balance between security and maintaining the ability to print. As always, organisations should evaluate this internally and with respect to their own risk management procedures:
- Ensure that any Microsoft Windows Print Servers are isolated from the internet (e.g. accessible only from your internal network).
- Do not use a Domain Controller as a Print Server.
- Patch all print servers with the patches in the Microsoft Advisory.
- Disable the Spooler Service on any member server or client that doesn’t need to print.
- Set the “Allow Print Spooler to accept client connections” group policy to disabled on systems that don’t need to accept print jobs from other systems.
- Restrict “Point and Print” on member servers and clients that require the ability to print as per the instructions in the Microsoft knowledge base article.
Previous advice recommended restricting user groups; this mitigation has been removed from Microsoft’s advisory and is unlikely to be effective in reducing the ability to exploit this on systems that expose the Print Spooler Service to your network.
There has been some advice on the internet about restricting SYSTEM access to the spooler drivers directory. This has not been recommended by Microsoft, will adversely affect printing in general, and will probably not mitigate the vulnerability.
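The host-level settings in the list above (Spooler service state, the inbound client connections policy, Point and Print prompts and the driver installation restriction) can be checked with a read-only audit such as the following. This is an added example, not PaperCut or Microsoft code; the function names `Get-PolicyValue` and `Get-SpoolerMitigationStatus` are hypothetical, and the registry value names are the ones Microsoft documents for these policies rather than anything stated in this article, so confirm them against the current advisory.

```powershell
# Added example: read-only audit of the spooler mitigations listed above.
# Nothing is changed on the host; values are only read and reported.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-SpoolerMitigationStatus {
    # Policy locations as documented by Microsoft (assumption: not from this article).
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnp      = Join-Path $printers 'PointAndPrint'

    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $rpc    = Get-PolicyValue $printers 'RegisterSpoolerRemoteRpcEndPoint'
    $noWarn = Get-PolicyValue $pnp 'NoWarningNoElevationOnInstall'
    $update = Get-PolicyValue $pnp 'UpdatePromptSettings'
    $admin  = Get-PolicyValue $pnp 'RestrictDriverInstallationToAdministrators'

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        SpoolerStatus    = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SpoolerStartType = if ($svc) { $svc.StartType } else { $null }
        # "Allow Print Spooler to accept client connections": 2 = disabled, 1 = enabled
        InboundClientConnections = if ($null -eq $rpc) { 'NotConfigured' }
                                   elseif ($rpc -eq 2) { 'Disabled' }
                                   else { 'Enabled' }
        # Any non-zero value relaxes the Point and Print install/update prompts
        PointAndPrintPrompts = if (($noWarn -gt 0) -or ($update -gt 0)) { 'Weakened' }
                               else { 'DefaultOrRestricted' }
        # 1 = only Administrators may install printer drivers
        DriverInstallAdminOnly = if ($null -eq $admin) { 'NotConfigured' }
                                 elseif ($admin -eq 1) { 'Yes' }
                                 else { 'No' }
    }
}

Get-SpoolerMitigationStatus | Format-List
```

A `NotConfigured` result means the policy value is absent and the operating system default applies, which depends on the Windows edition and patch level.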
We believe that you can continue to use PaperCut Products to print documents while applying many of these mitigations.
The following table sets out the impact on PaperCut’s software from each corresponding mitigation.
If you have any issues with PaperCut software when applying these mitigations, or specific requirements that aren’t addressed by this article, please speak with our support or tech services teams.
| Product Component | Disable Print Spooler | Disable inbound remote printing through Group Policy | Restrict Point and Print |
|---|---|---|---|
| PaperCut MF/NG Application Server | No impact if there are no print queues being hosted on the app server | No impact if there are no print queues being hosted on the app server | No impact if there are no print queues being hosted on the app server |
| PaperCut MF/NG Print Server (running Print Provider) | Printing will stop working for any client that prints via this server | Printing will stop working for any client that prints via this server | No impact* |
| PaperCut MF/NG end user laptop or workstation | Printing will stop working on this system | No impact* | No impact* |
| PaperCut Pocket/Hive print client (end user laptop or workstation) | Printing will stop working on this system | No impact* | No impact* |
| PaperCut Pocket/Hive Edge Node (Super node or standard node on end user’s laptop) | Print delivery limited to direct IPP job delivery only (No queue delivery method will be supported) | No impact* | No impact* |
| Mobility Print Server | Printing will stop working for any client that prints via this server | No impact | No impact* |
| Mobility Print Client (Both Local and Cloud Print) | Printing will stop working on this system | No impact | No impact |
| PaperCut MF/NG Print Deploy server | No impact | No impact | No impact |
| PaperCut MF/NG Print Deploy cloner | Unable to clone | No impact | No impact |
| PaperCut MF/NG Print Deploy client | New Client installation completes, Direct Print Monitor will not start without a working Print Spooler. Existing Clients will not manage printers. Users can not print. Servers will not print jobs. | Client workstations appear unaffected, Mobility, DirectIP and \\server queues work. Servers will not accept print jobs. | Client workstations appear unaffected, Mobility, DirectIP, and \\server queues work. Servers currently under investigation. |
| PaperCut MF/NG Microsoft Universal Print Connector | Printing will stop working | No impact | No impact |
* Currently in testing to confirm
Keywords: security, print nightmare, microsoft, print spooler, windows spooler, [cve-2021-1675] cve-2021-34527