Giveaway of the Day Forums

1. 

   mikiem2
   Moderator

   msrc.microsoft[.]com/update-guide/vulnerability/CVE-2021-34527

   windowscentral[.]com/how-mitigate-print-spooler-printnightmare-vulnerability-windows-10

   zdnet[.]com/article/microsoft-adds-second-cve-for-printnightmare-remote-code-execution/

   The problem centers on the way that all versions of Windows allow you to add a new printer driver -- it's possible for someone to add a printer remotely, and have Windows download what's supposed to be the driver from a remote server of their choice. Microsoft just patched a similar vulnerability, security experts then published the code to take advantage of it, and then came the discovery that the patch didn't go far enough. The security experts pulled the code they'd released, but once on the internet, always on the internet. Microsoft is actively investigating the vulnerability, so no real word yet on the potential risk for you right now. They are advising two workarounds: 1) stop & disable the print spooler service [Control Panel -> Admin Tools -> Services], which means you cannot print while it's disabled, or 2) edit the group policy setting for inbound remote printing -- the main problem there is that if you're running Win10 Home, you cannot, though if your PC/laptop is acting as a print server, with other devices accessing the printer through your system rather than directly over the network, they will be cut off also.

   Posted 3 years ago #
2. 

   mikiem2
   Moderator

   The Microsoft page listed above has been updated. None of it's good news. They added to their mitigation recommendations, saying that group membership should be limited in a [biz] network environment. Under the FAQ section, regarding PointAndPrint they advise the following registry entries be added if they're not there already -- easiest way is to create a new text file [right click in Windows Explorer & then click add new text document], open it in Notepad, & copy/paste the following. Save the file with a .reg extension [SomeName.reg], then double click it to merge with the registry.

   Windows Registry Editor Version 5.00

   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers]
"NoWarningNoElevationOnInstall"=dword:00000000
"NoWarningNoElevationOnUpdate"=dword:00000000

   Posted 3 years ago #
3. 

   mikiem2
   Moderator

   neowin[.]net/news/microsoft-releases-mandatory-windows-10-updates-to-fix-printnightmare-exploit/

   catalog.update.microsoft[.]com/Search.aspx?q=KB5004945

   Microsoft just released a mandatory patch. Updating via Windows Update I also had to download & install a .NET preview update -- I assume downloading just the KB you'd avoid that.

   Posted 3 years ago #
4. 

   mikiem2
   Moderator

   neowin[.]net/news/microsofts-patch-for-printnightmare-vulnerability-can-be-bypassed-completely/

   Seems Microsoft got it wrong -- the hotfix doesn't.

   Extra grumbling on my part, since this copy of Win10 would not install the update, either via Windows Update or the standalone download. Wound up doing a repair/reinstall -- this is the fourth copy of Win10 where updating broke for whatever reason... looks like a trend.

   And apologies -- the catalog link in my previous post won't work. Have to go to catalog.update.microsoft[.]com and search for KB5004945

   Posted 3 years ago #
5. 

   mikiem2
   Moderator

   neowin[.]net/news/microsoft-our-printnightmare-patch-is-effective-youre-just-using-windows-wrong/

   msrc.microsoft[.]com/update-guide/vulnerability/CVE-2021-34527

   support.microsoft[.]com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7

   UPDATE... With all sorts of reports from security folks that the patch can be bypassed, Microsoft says that it does indeed work, as long as Windows is set up properly.

   Resolution

   Install the July Out-of-band and later updates.

   Check if the following conditions are true:

   Registry Settings: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

   NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)

   UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

   Group Policy: You have not configured the Point and Print Restrictions Group Policy.

   If both conditions are true, then you are not vulnerable to CVE-2021-34527 and no further action is needed. If either condition is not true, you are vulnerable. Follow the steps below to change the Point and Print Restrictions Group Policy to a secure configuration.

   Open the group policy editor tool and go to Computer Configuration > Administrative Templates > Printers.

   Configure the Point and Print Restrictions Group Policy setting as follows:

   Set the the Point and Print Restrictions Group Policy setting to "Enabled".

   "When installing drivers for a new connection": "Show warning and elevation prompt".

   "When updating drivers for an existing connection": "Show warning and elevation prompt".

   If you don't want to check the registry yourself [type regedit in the Run box] this is what I get exporting the registry key after applying their group policy recommendations. Copy/paste it into a new text [.txt] file, saving or renaming it with a .reg extension [SomeName.reg], and double click the file to merge with the registry.

   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
   "Restricted"=dword:00000001
   "TrustedServers"=dword:00000000
   "ServerList"=""
   "InForest"=dword:00000000
   "NoWarningNoElevationOnInstall"=dword:00000000
   "UpdatePromptSettings"=dword:00000000

   Posted 3 years ago #
6. 

   harpo2448
   Member

   Thank you for posting this PSA (Public Service Announcement) and many others, I noticed.

   Would this apply to my Windows Home system? In Settings, Windows Update reports that it is "up to date". The only optional/pending update (that I'm holding back from installing, until forced) is the "Feature Update to Windows 10, version 21H1".

   Otherwise, the most recent is:

   Windows Update
   View update history
   Quality Updates
   2021-07 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems (KB5004945)
   Successfully installed on ‎7/‎8/‎2021

   (the next listed update was on 6/10/2021)

   Also, checking in the Registry Editor, I don't have any such entry ("key"?) for "Printers" (much less "Printers\PointAndPrint") under:
   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\

   I see in the Microsoft Security pages for KB5004945 that it supposedly addresses this issue (and also removes JavaScript):

   Highlights
   Updates a remote code execution exploit in the Windows Print Spooler service, known as “PrintNightmare”, as documented in CVE-2021-34527.

   So are these non-existent Registry entries as listed above still necessary and to be created by me for a Windows Home system; i.e., is any further action still needed beyond the MS patch/update?

   Posted 3 years ago #
7. 

   mikiem2
   Moderator

   Would this apply to my Windows Home system?

   It allegedly applies to every version of Windows, e.g. Windows 7 Home Premium got the update. You may have to click the Check for updates button to see it, and Windows Update *may* force you to install the update to 21H1 before it will show you any more available updates. *For me*, I've noticed several instances in the last 4-5 months where Windows Update would not show additional updates until I installed what was already showing as available, then once I installed that update [or updates] more would appear when I checked for updates. The update is available in the online Microsoft update catalog -- just search for KB5004945 -- and you could certainly go that route. FWIW, the update to v. 21H1, delivered as a cumulative update, is so minor that it's easy to think the only reason it exists is that Microsoft felt people expected it.

   Also, checking in the Registry Editor, I don't have any such entry ("key"?) for "Printers" (much less "Printers\PointAndPrint") under:
   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\

   Windows is still vulnerable after installing the patch IF those registry entries exist And are set to anything other than O or undefined. If they don't exist you're good to go. Again FWIW, Microsoft could have made it easier, creating one of their online tools for example that checked for those registry entries, and if they existed make sure they're set to zero or nothing [undefined]. Sure, using Group Policy is easy, but the millions of users running Win10 Home don't have it (!).

   At any rate, install the patch -- it should be included in next Tuesday's updates anyway -- and you should be fine.

   Posted 3 years ago #
8. 

   harpo2448
   Member

   Thanks!

   Posted 3 years ago #
9. 

   mikiem2
   Moderator

   windowscentral[.]com/cisa-releases-emergency-directive-regarding-printnightmare-vulnerability

   It's serious enough that the Cybersecurity and Infrastructure Security Agency (CISA) issued a directive to all U.S. Federal Civilian Executive Branch agencies.

   By 11:59 pm EDT, Wednesday, July 14, 2021, Stop and Disable the Print Spooler service on all Microsoft Active Directory (AD) Domain Controllers (DC).
   By 11:59 pm EDT, Tuesday, July 20, 2021, apply the July 2021 cumulative updates to all Windows Servers and Workstations.

   Posted 3 years ago #

RSS feed for this topic

Reply

You must log in to post.