Edit – CVE-2021-34481 is now patched, Queue Specific Files now allocated CVE-2021-36958 – update here
We have received a number of enquiries about the ongoing issues with the Microsoft Print Spooler. Below is a summary of our current understanding of each of these issues.
RCE: Remote Code Execution
There have been 4 vulnerabilities related to Microsoft’s print services that have been discovered in the last 2 months:
- CVE-2021-1675 – 8.8 RCE Vulnerability, PATCHED in June 8th Update (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675)
- CVE-2021-34527 (PrintNightmare) – 8.8 RCE vulnerability, PATCHED in security updates July 6th-7th (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527)
  - Still vulnerable with certain point and print configurations
- CVE-2021-34481 – 7.8 LPE Vulnerability, NOT PATCHED (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481)
  - No update from Microsoft since July 15th
  - Only workaround is to disable print spooler
  - Attacker requires local access to execute code on system
- ‘Queue-specific files’ vulnerability – NOT PATCHED (https://www.kb.cert.org/vuls/id/131152)
  - This has not been acknowledged by Microsoft and has not been assigned a CVE number
  - It enables an attacker to gain SYSTEM level privileges from a remote server
  - There are POC exploits
With regard to the queue-specific files vulnerability, we are aware of two workarounds being reported by researchers:
1. Block outbound SMB traffic at your network boundary
SMB traffic is not permitted by default on the emPSN firewall; it will only be open if you have requested it.
The public exploit published for this vulnerability uses a remote print server, so blocking SMB traffic will prevent access. However, it is reported that MS-WPRN could be used to install print drivers without relying on SMB traffic, and the technique could still be used on a local print server.
2. Configure PackagePointAndPrintServerList
By configuring this Group Policy, non-administrative users are prevented from installing print servers unless they are in the approved list. This is reflected in the HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList and HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers registry values.
This is deemed the best protection against the public exploit currently.
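A read-only check of the workarounds described above, as an added PowerShell example (not part of the original advisory and not Microsoft tooling). It assumes the policy's enable flag is a DWORD named PackagePointAndPrintServerList under the PackagePointAndPrint key, with 1 meaning enabled, and that approved servers are stored one per value under the ListofServers subkey; the function name and output fields are illustrative.

```powershell
# Added example: audit the Package Point and Print approved-server policy and the
# Print Spooler service state on the local machine. Reads only; changes nothing.
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$listKey   = Join-Path $policyKey 'ListofServers'

function Get-ApprovedPrintServer {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    # Assumption: each value under ListofServers holds one approved server name.
    foreach ($name in $key.GetValueNames()) {
        $server = [string]$key.GetValue($name)
        if ($server.Trim()) { $server.Trim() }
    }
}

# Read the enable flag; a missing key or value leaves $flag as $null (policy not configured).
$flag = $null
if (Test-Path -LiteralPath $policyKey) {
    $props = Get-ItemProperty -LiteralPath $policyKey -ErrorAction SilentlyContinue
    if ($props.PSObject.Properties.Name -contains 'PackagePointAndPrintServerList') {
        $flag = $props.PackagePointAndPrintServerList
    }
}

$servers = @(Get-ApprovedPrintServer -Path $listKey)
$spooler = Get-Service -Name 'Spooler' -ErrorAction SilentlyContinue

$findings = @()
if ($flag -ne 1) {
    $findings += 'Approved-server policy is not enabled: non-admin users are not limited to an approved list.'
}
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings += 'Print Spooler is running: confirm this host needs to handle print jobs.'
}

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    PolicyEnabled   = ($flag -eq 1)
    ApprovedServers = $servers -join ', '
    SpoolerStatus   = if ($spooler) { [string]$spooler.Status } else { 'NotInstalled' }
    SpoolerStartup  = if ($spooler) { [string]$spooler.StartType } else { 'n/a' }
    Findings        = $findings -join ' | '
}
```

Run it from an elevated or standard session on each host; review the ApprovedServers column to confirm it contains only print servers you operate.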
We understand that having print services disabled for such a long time may be having a significant impact on your operations. We recommend you carefully consider the risk of each vulnerability and come to a business decision on whether to enable a print spooler or not.
We still encourage defenders to disable print services on all servers that do not handle print jobs, especially Domain Controllers.
We will not provide further advice until Microsoft release updates.