Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Microsoft Releases Patches for CVE-2021-34527 SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Microsoft Releases Patches for CVE-2021-34527

Microsoft today released patches for CVE-2021-34527, the vulnerability also known as "printnightmare." Patches are now available for all affected versions of Windows (as long as they are still supported). Applying the update will also patch the older CVE-2021-1675 vulnerability.

The main issue with "printnightmare" was the ability of regular users to load their own printer drivers. One issue the patch fixes is that normal users are only allowed to provide digitally signed printer drivers. Unsigned drivers may only be installed by Administrators, reducing the privilege escalation issue of normal users installing malicious printer drivers. 

Your system may, however, still be vulnerable if you have "Point&Print" enabled. The patch does not prevent users using "Point&Print" from installing their own, possibly malicious, printer drivers. [1]

In addition to applying the patch, you may also want to restrict printer driver installation privileges. Microsoft Windows now supports the "RestrictDriverInstallationToAdministrators" registry value that can be used to limit the ability to install printer drivers to Administrators. With this feature enabled, even signed drivers can only be installed by Administrators. [2]

If a client connects to a network printer, the client may install a printer driver from the server. As long as the driver is signed, the driver will still be installed for a normal user. Only unsigned drivers will require Administrator approval.

For details, see Microsoft's updated advisory:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

 

[1] https://twitter.com/gentilkiwi/status/1412706033072590852
[2] https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

I will be teaching next: Intrusion Detection In-Depth - SANS London October 2021

Johannes

4250 Posts
ISC Handler
Jul 7th 2021
Microsoft seems to have done a shoddy job.
They've only fixed the RCE issues, LPE still works.
This also implies they didn't actually fix the problem, but rather put some layer around to mitigate.
Anonymous
Latest info and fixes

CVE 2021-34527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-34527

Microsoft KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates
https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7


MSRC Blog: Out-of-Band (OOB) Security Update available for CVE-2021-34527
https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/

CISA Article:
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability
Anonymous
Latest info and fixes

CVE 2021-34527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-34527

Microsoft KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates
https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7


MSRC Blog: Out-of-Band (OOB) Security Update available for CVE-2021-34527
https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/

CISA Article:
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability
Anonymous
Well... good idea to releas patch for old installation like Windows 7 or Windows 2008R2, but when you don't have the latest version of the "Windows Modules Installer" and Microsoft have removed the possibility to download this update (http://support.microsoft.com/en-us/help/2533552).

This is a nightmare !
Stephane

2 Posts

Sign Up for Free or Log In to start participating in the conversation!