This latest vulnerability from Microsoft is causing widespread disruption for users who are just trying to print their documents. The vulnerability is severe; any logged-in user could potentially take control of an entire client’s domain. We’re going to transition to Q&A format here, which is often useful in discussing these sort of scenarios.
Q: How bad is it?
A: Any logged-in Windows user could potentially run code that exposes access to every other network-connected Windows system on the network. There is a very large potential for internal exploit, exfiltration, and/or other compromise. The seriousness of this vulnerability cannot be overstated.
Q: Is there a patch for this vulnerability yet?
A: The first round of patches were made available as “Out-of-Band” updates on July 6 for most supported Windows operating systems. These patches have now been superseded by newer updates released on 7/13/21 (“Patch Tuesday”), which patch against PrintNightmare and also correct some problems that were encountered in the July 6 update batch. These updates are now being applied to all operating systems eligible to receive them through our ManageSuite software agents.
In order to be protected against the PrintNightmare vulnerability, specific registry policies related to printing must be correctly configured. Our ManageSuite agents will apply these configurations automatically as well.
PLEASE NOTE: There are no patches for PrintNightmare available for operating systems that are past their end-of-support date.
Q: Are there any mitigations or workarounds for unsupported operating systems?
A: There are workarounds, but they have serious drawbacks. The most effective way to protect against this vulnerability for older operating systems as of now is to stop Windows printing services altogether and simply not print anything which is, admittedly, not much of a solution.
The second mitigation is one we have already pushed out to all our clients’ unsupported servers and workstations. This mitigation is detailed in the first link in the Further Reading section below. We have been working with our clients trying to resolve their issues as they arise. Unfortunately, undoing our automatic mitigations in order to print on an out-of-date operating system will render it insecure.
Q: What else can we do?
A: Since login access to an environment is required, change your Windows login passwords, and have your colleagues do the same. It never hurts to do this anyway. Make sure to use a password you’ve never used anywhere else before. This won’t help if users accidentally run malicious code while already logged-in, but it can definitely help remote exploits, especially if users are using passwords that have already been exploited in unrelated industry attacks.
Q: We’re using your ZeroTrust security product. Is this effective against this vulnerability?
A: Yes. ZeroTrust should stop in its tracks any unrecognized malicious code executed as part of this printer driver exploit.
Q: Are my backups safe?
A: Backups for clients who leverage our BRS 2.0 solution are fully protected, as the BRS appliances have been rendered invulnerable to the exploit (because there’s no need to print from a backup appliance). Clients who subscribe to our non-BRS backup agreement still replicate their data offsite, and that offsite data is still similarly protected.
Q: Is there any good news?
A: We think so. Because this vulnerability has such a large service impact, the entire global security community worked double-overtime on prevention, detection, mitigation, and patch development, so we recognize and appreciate their efforts.
Q: Is PrintNightmare the same thing as the vulnerability described in CVE-2021-1675? Asking for my auditors.
A: They are different vulnerabilities. CVE-2021-1675 describes a similar vulnerability that was fixed in the June 2021 Cumulative Security Update suite of packages. PrintNightmare is a different vulnerability. As of late 7/1/2021, Microsoft has classified this as CVE-2021-34527 and upgraded its severity and exploitability ratings. Note that the update KB numbers described in that CVE have been superseded as of 7/13/2021. See the Further Reading section below.
Updated: July 16, 2021, 10:17am EDT