Microsoft has recently released the emergency security update KB5004945 to fix the PrintNightmare, the 0-day vulnerability that has made headlines in the world of cybersecurity lately by targeting the Windows Print Spooler. The flaw in Windows Spooler was made public out of a misunderstanding and confusion to the old CVE-2021-1675, which was patched in June. There were lots of discussions on this until Microsoft addressed the topic and begun to work on some measures.
The technology company classified PrintNightmare as CVE-2021-34527, clarifying it is not CVE-2021-1675, provided some mitigation measures at first, and then released KB5004945 to fix it.
However, it seems that the emergency security update provided by Microsoft fails to meet the expected results, in other words, it does not remove the PrintNightmare, as researchers put it to test and proved its lack of efficiency.
Researchers Put to Test the New Patch KB5004945: It Doesn’t Work
Hacker House co-founder Matthew Hickey and the CERT/CC analyst Will Dormann observed, immediately after the 6th July patch was provided, that this only fixes the remote code execution (RCE) component, but lets the local privilege escalation (LPE) component without a solution. So, the latter could be used by threat actors to achieve system privileges under the condition that Point and Print Policy is enabled.
Further investigating and testing the patch, other researchers proved that not only the LPE component is exposed to the threat, but that PrintNightmare could actually bypass both components (RCE and LPE) despite the provided patch. In this sense, Benjamin Delpy, Will Dormann also supporting his affirmation, asserted that when the Point and Print Policy is enabled, remote code execution can be gained through this zero-day vulnerability.
The Windows Point and Print Policy Makes Way for PrintNightmare
Point and Print Restrictions is a policy belonging to Windows and can be bypassed by the threat PrintNightmare when enabled:
- Location: Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions;
- Enabling it, the ‘NoWarningNoElevationOnInstall’ will be set to 1;
- Then the setting named “When installing drivers for a new connection” should be set to “Do not show a warning on elevation prompt.”
- Thus, the Point and Print Restriction Policy is enabled and the system is vulnerable to PrintNightmare through it.
These being proved, users should still base upon the previous mitigation measures provided by Microsoft until a patch that really works is released.
A Closer Look Into PrintNightmare
Matthew Hickey shared with Bleeping Computer a deeper understanding of the way PrintNightmare works. Thus, he emphasizes some important aspects:
- PrintNightmare targets Windows Print Spooler;
- The cause: the access control list checks (ACL) are missing in the functions AddPrinterDriverEx (), RpcAddPrinterDriver (), and RpcAsyncAddPrinterDriver () Windows API;
- What are these functions used for? To install remote or local print drivers;
- Every function mentioned above works with a corresponding Windows API: AddPrinterDriverEx (SDK), RpcAddPrinterDriver (MS-RPRN), RpcAsyncAddPrinterDriver (MS-PAR);
- PrintNightmare can achieve the bypass of the permission check. Then a compromised DLL is deployed into C:\Windows\System32\spool\drivers folder;
- This DLL loads then as a print driver;
- After all these steps, RCE and LPE can be achieved.
Matthew Hickey also added that the Microsoft patch does not cover the underlying ACL.
The recent patch Microsoft released is focused on addressing the RCE exploit vector and seems to address the common PoC’s that float around, however as you can also reach this via LRPC and local API – depending on the host and circumstances, it appears the patch does not properly address the underlying problem in the ACL check which allows for exploitation still for LPE on a fully patched host.
A Free Micropatch Should Fight PrintNightmare
0patch Team shared its contribution to fighting against this active exploit by releasing a free micropatch. The thing is that it does not work with the Microsoft updates from the 6th of July, because the security updates make changes to the ‘localspl.dll’ file that leads to the inefficiency of the free micropatch. In other words, they recommend installing this, instead of the 6th July updates.
0patch Team also agreed on the opinion shared by the researchers that the Microsoft updates do not stop RCE and LPE, but, on the other side, they claim that their free micropatch really works against both components. So users are advised to use this patch and disable the Print Spooler until security updates that really work are provided by Microsoft.
Meanwhile, Microsoft Releases KB5004948 for the Uncovered Windows Versions
As we mentioned yesterday in a post, Microsoft initially released security updates that would not cover all the Windows versions, only a part of them. Now, Windows Server 2016 and version 1607 of Windows 10 received the KB5004948 emergency patch. Thus at present, all the Windows Versions have the corresponding security updates.
Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. (…) You also have the option to configure the RestrictDriverInstallationToAdministrators registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.
Microsoft is yet to confirm if these patches really work or not, taking into consideration the researchers’ proof that KB5004945 does not address PrintNightmare properly, as the company declared that they are aware of the claims, but that they are not aware of any bypasses.