05/08/2021

Update on Microsoft Print Spooler Issues – various

Edit – CVE-2021-34481 is now patched, and the Queue-specific files issue has now been allocated CVE-2021-36958 – see our later update.

We have received a number of enquiries about the ongoing issues with the Microsoft Print Spooler; below is a summary of our current understanding of each of these issues.

RCE Remote Code Execution

There have been four vulnerabilities related to Microsoft's print services disclosed in the last two months:

  1. CVE-2021-1675 – 8.8 RCE vulnerability, PATCHED in the June 8th update (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675)
  2. CVE-2021-34527 (PrintNightmare) – 8.8 RCE vulnerability, PATCHED in the out-of-band security updates of July 6th-7th (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527)
    • Patched systems remain exploitable under certain Point and Print configurations, in particular where policy suppresses the warning and elevation prompts for driver installation
  3. CVE-2021-34481 – 7.8 LPE vulnerability, NOT PATCHED (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481)
    • No update from Microsoft since July 15th
    • The only workaround is to stop and disable the Print Spooler service
    • An attacker requires local access to the system in order to execute code
  4. 'Queue-specific files' vulnerability – NOT PATCHED (https://www.kb.cert.org/vuls/id/131152)
    • This has not been acknowledged by Microsoft and has not been assigned a CVE number
    • It allows a standard user to obtain SYSTEM-level privileges by connecting to a malicious remote print server
    • Public proof-of-concept exploits exist

For the queue-specific files vulnerability, we are aware of two workarounds reported by researchers:

1.    Block outbound SMB traffic at your network boundary

SMB traffic is not permitted by default on the emPSN firewall; it will only be open if you have requested it.

The public exploit for this vulnerability uses a remote print server, so blocking outbound SMB at the boundary prevents clients from reaching it. However, it is reported that MS-WPRN (Web Point-and-Print Protocol) can be used to install print drivers without relying on SMB, and the technique could still be used against a local print server, so this mitigation is only partial.

2.    Configure PackagePointAndPrintServerList 

Configuring this Group Policy (Computer Configuration > Administrative Templates > Printers > "Package Point and print - Approved servers") prevents non-administrative users from Package Point and Printing to any server that is not on the approved list. The setting is reflected in the HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList and HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers registry values.

This is currently deemed the best protection against the public exploit.
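The following PowerShell script is an added example, not part of the original emPSN advisory and not Microsoft code. It audits the two registry values named above on the local machine and, with -Apply, writes the restriction and an approved-server list. The server names are hypothetical placeholders, and the layout assumed for ListofServers (one REG_SZ value per server, with name and data both set to the server name) is what the Group Policy editor writes for this setting; verify it on a test machine before relying on it.

```powershell
# Added example (not from the emPSN advisory): audit and optionally apply the
# "Package Point and print - Approved servers" restriction.
# Assumptions: ListofServers holds one REG_SZ value per approved server whose name
# and data are both the server name; the server names below are placeholders.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical approved print servers; replace with your own FQDNs.
    [string[]]$ApprovedServers = @('print01.corp.example', 'print02.corp.example'),
    [switch]$Apply
)

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$list = Join-Path $base 'ListofServers'

function Get-PackagePointAndPrintState {
    # Returns whether the restriction is on and which servers are approved.
    $enabled = 0
    $servers = @()
    if (Test-Path $base) {
        $enabled = (Get-ItemProperty -Path $base -Name 'PackagePointAndPrintServerList' `
                    -ErrorAction SilentlyContinue).PackagePointAndPrintServerList
        if ($null -eq $enabled) { $enabled = 0 }
    }
    if (Test-Path $list) {
        # GetValueNames() includes the key's default value as '', which is not a server.
        $servers = @((Get-Item $list).GetValueNames() | Where-Object { $_ -ne '' })
    }
    [pscustomobject]@{
        RestrictionEnabled = ($enabled -eq 1)
        ApprovedServers    = $servers
    }
}

$before = Get-PackagePointAndPrintState
Write-Host "Package Point and Print restricted to approved servers: $($before.RestrictionEnabled)"
Write-Host "Approved servers: $($before.ApprovedServers -join ', ')"

if (-not $before.RestrictionEnabled) {
    Write-Warning 'Non-admin users may Package Point and Print to ANY server; the public exploit relies on this.'
}

if ($Apply -and $PSCmdlet.ShouldProcess($base, 'Enable PackagePointAndPrintServerList and write approved server list')) {
    New-Item -Path $list -Force | Out-Null
    New-ItemProperty -Path $base -Name 'PackagePointAndPrintServerList' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Remove stale entries so the list exactly matches $ApprovedServers.
    foreach ($old in (Get-Item $list).GetValueNames()) {
        if ($old -ne '' -and $old -notin $ApprovedServers) {
            Remove-ItemProperty -Path $list -Name $old
        }
    }
    foreach ($srv in $ApprovedServers) {
        New-ItemProperty -Path $list -Name $srv -PropertyType String -Value $srv -Force | Out-Null
    }

    Get-PackagePointAndPrintState
}
```

Run it without -Apply to audit a machine; run with -Apply (or -WhatIf to preview) to set the values locally. Note that keys under HKLM\Software\Policies are owned by Group Policy, so on a domain-joined machine a local change is overwritten at the next policy refresh; make the change in the GPO and use the script only to verify that it has landed.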

We understand that having print services disabled for such a long time may be having a significant impact on your operations. We recommend you carefully consider the risk of each vulnerability and come to a business decision on whether to re-enable the print spooler or not.

We still encourage defenders to disable the Print Spooler service on all servers that do not handle print jobs, especially Domain Controllers.
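As an added example (not part of the emPSN advisory), the script below makes that decision explicit on a server: it checks whether the machine is a Domain Controller and whether it shares any printers, reports the current spooler state, and with -Apply stops and disables the service where it is not needed. It assumes that "handles print jobs" means "shares at least one printer", which is a simplification you may need to adjust, and it relies on the Get-Printer cmdlet (PrintManagement module, Windows Server 2012 and later) and the StartType property exposed by PowerShell 5 and later.

```powershell
# Added example (not from the emPSN advisory): decide whether this server needs
# the Print Spooler and, with -Apply, stop and disable it when it does not.
# Assumption: a server "handles print jobs" only if it shares at least one printer.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Apply)

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -in @(4, 5)

$spool  = Get-Service -Name Spooler
$shared = @()
if ($spool.Status -eq 'Running') {
    # Get-Printer needs a running spooler; if it is already stopped there is nothing shared.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
}

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    IsDomainController = $isDC
    SpoolerStatus      = $spool.Status
    SpoolerStartup     = $spool.StartType
    SharedPrinters     = $shared.Count
} | Format-List

if ($isDC -or $shared.Count -eq 0) {
    Write-Warning 'Print Spooler is not needed here (domain controller or no shared printers): it should be disabled.'
    if ($Apply -and $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable the Print Spooler service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Get-Service  -Name Spooler | Select-Object Name, Status, StartType
    }
}
else {
    Write-Host "This server shares $($shared.Count) printer(s); weigh the risk of each vulnerability before leaving the spooler enabled."
}
```

Disabling the startup type, not just stopping the service, matters: a stopped spooler with an Automatic startup type comes back at the next reboot.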

We will not provide further advice until Microsoft release updates.  
