Microsoft Releases Patches for CVE-2021-34527
Microsoft today released patches for CVE-2021-34527, the vulnerability also known as "printnightmare." Patches are now available for all affected versions of Windows (as long as they are still supported). Applying the update will also patch the older CVE-2021-1675 vulnerability.
The main issue with "printnightmare" was the ability of regular users to load their own printer drivers. One issue the patch fixes is that normal users are only allowed to provide digitally signed printer drivers. Unsigned drivers may only be installed by Administrators, reducing the privilege escalation issue of normal users installing malicious printer drivers.
Your system may, however, still be vulnerable if you have "Point&Print" enabled. The patch does not prevent users using "Point&Print" from installing their own, possibly malicious, printer drivers. [1]
In addition to applying the patch, you may also want to restrict printer driver installation privileges. Microsoft Windows now supports the "RestrictDriverInstallationToAdministrators" registry value that can be used to limit the ability to install printer drivers to Administrators. With this feature enabled, even signed drivers can only be installed by Administrators. [2]
If a client connects to a network printer, the client may install a printer driver from the server. As long as the driver is signed, the driver will still be installed for a normal user. Only unsigned drivers will require Administrator approval.
For details, see Microsoft's updated advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
[1] https://twitter.com/gentilkiwi/status/1412706033072590852
[2] https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
They've only fixed the RCE issues, LPE still works.
This also implies they didn't actually fix the problem, but rather put some layer around to mitigate.
Anonymous
Jul 7th 2021
3 years ago
CVE 2021-34527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-34527
Microsoft KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates
https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
MSRC Blog: Out-of-Band (OOB) Security Update available for CVE-2021-34527
https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/
CISA Article:
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability
Anonymous
Jul 7th 2021
3 years ago
CVE 2021-34527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-34527
Microsoft KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates
https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
MSRC Blog: Out-of-Band (OOB) Security Update available for CVE-2021-34527
https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/
CISA Article:
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability
Anonymous
Jul 7th 2021
3 years ago
This is a nightmare !
Anonymous
Jul 12th 2021
3 years ago