Microsoft confirmed that the emergency security updates (KB5005010) correctly address the PrintNightmare Print Spooler vulnerability (CVE-2021-34527).
Microsoft says that the emergency security patches released early this week correctly address the PrintNightmare Print Spooler vulnerability (CVE-2021-34527) for all supported Windows versions.
Immediately after the release of the updates (KB5004945) multiple researchers questioned its efficiency and explained that the updates don’t fully address the vulnerability.
Researchers have demonstrated that it is possible to bypass the emergency patch to achieve remote code execution and local privilege escalation on systems that have installed it.
Shortly after the release of the patch, the popular researcher Matthew Hickey noticed that the fix is incomplete and that threat actors and malware can still locally exploit the vulnerability to gain SYSTEM privileges.
The Microsoft fix released for recent #PrintNightmare vulnerability addresses the remote vector – however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016,2019,10 & 11(?). 🤦♂️ https://t.co/PRO3p99CFo
— Hacker Fantastic (@hackerfantastic) July 6, 2021
The failure of the Microsoft update was also reported by Will Dormann, a vulnerability analyst for CERT/CC.
Other researchers started testing the patch and demonstrated that it was possible to entirely bypass the fix to achieve both RCE and local privilege escalation (LPE).
The expert Benjamin Delpy, also known for having developed the popular Mimikatz tool, discovered that when the Point and Print policy is enabled, attackers could bypass the patch to achieve Remote Code Execution.
Dealing with strings & filenames is hard😉
New function in #mimikatz 🥝to normalize filenames (bypassing checks by using UNC instead of servershare format)So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
> https://t.co/Wzb5GAfWfd pic.twitter.com/HTDf004N7r
— 🥝 Benjamin Delpy (@gentilkiwi) July 7, 2021
The clarified guidance for CVE-2021-34527 Windows Print Spooler Vulnerability published by Microsoft encourages customers to update as soon as possible.
“Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.” states the guidance published by Microsoft Security Response Center.
MSRC just released a new blog post regarding CVE-2021-34527: https://t.co/i9g9fVQzTF
— Security Response (@msftsecresponse) July 9, 2021
The IT giant recommends that customers follow the following steps immediately:
- In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings
- After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
- If the registry keys documented do not exist, no further action is required
- If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
- HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTPrintersPointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Users that cannot immediately install the security updates are recommended to disable the Windows Print Spooler service to mitigate the PrintNightmare vulnerability temporarily.
The CERT Coordination Center (CERT/CC) has also published an alert that includes instructions on stopping and disabling the service in a separate Vulnerability Note.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, PrintNightmare)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
Microsoft confirmed that the emergency security updates (KB5005010) correctly address the PrintNightmare Print Spooler vulnerability (CVE-2021-34527).
Microsoft says that the emergency security patches released early this week correctly address the PrintNightmare Print Spooler vulnerability (CVE-2021-34527) for all supported Windows versions.
Immediately after the release of the updates (KB5004945) multiple researchers questioned its efficiency and explained that the updates don’t fully address the vulnerability.
Researchers have demonstrated that it is possible to bypass the emergency patch to achieve remote code execution and local privilege escalation on systems that have installed it.
Shortly after the release of the patch, the popular researcher Matthew Hickey noticed that the fix is incomplete and that threat actors and malware can still locally exploit the vulnerability to gain SYSTEM privileges.
The Microsoft fix released for recent #PrintNightmare vulnerability addresses the remote vector – however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016,2019,10 & 11(?). 🤦♂️ https://t.co/PRO3p99CFo
— Hacker Fantastic (@hackerfantastic) July 6, 2021
The failure of the Microsoft update was also reported by Will Dormann, a vulnerability analyst for CERT/CC.
Other researchers started testing the patch and demonstrated that it was possible to entirely bypass the fix to achieve both RCE and local privilege escalation (LPE).
The expert Benjamin Delpy, also known for having developed the popular Mimikatz tool, discovered that when the Point and Print policy is enabled, attackers could bypass the patch to achieve Remote Code Execution.
Dealing with strings & filenames is hard😉
New function in #mimikatz 🥝to normalize filenames (bypassing checks by using UNC instead of servershare format)So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
> https://t.co/Wzb5GAfWfd pic.twitter.com/HTDf004N7r
— 🥝 Benjamin Delpy (@gentilkiwi) July 7, 2021
The clarified guidance for CVE-2021-34527 Windows Print Spooler Vulnerability published by Microsoft encourages customers to update as soon as possible.
“Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.” states the guidance published by Microsoft Security Response Center.
MSRC just released a new blog post regarding CVE-2021-34527: https://t.co/i9g9fVQzTF
— Security Response (@msftsecresponse) July 9, 2021
The IT giant recommends that customers follow the following steps immediately:
- In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings
- After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
- If the registry keys documented do not exist, no further action is required
- If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
- HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTPrintersPointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Users that cannot immediately install the security updates are recommended to disable the Windows Print Spooler service to mitigate the PrintNightmare vulnerability temporarily.
The CERT Coordination Center (CERT/CC) has also published an alert that includes instructions on stopping and disabling the service in a separate Vulnerability Note.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, PrintNightmare)