PrintNightmare Has Become a True Nightmare


The patch that wasn’t a patch.

Last week we did an article about a vulnerability nicknamed PrintNightmare. I described things a bit but also gave reassurances that a patch was in the works, which was duly released late last week.

Sadly, the patch Microsoft released did not actually fix the vulnerability. Shortly after it shipped, security researchers found that it was only a partial fix: the check it added could be bypassed simply by supplying the path to the malicious driver in a slightly different (but still valid) format. Worse, some of the changes it made have caused printing problems for a small number of users. And the situation is more serious than it was a week ago, because there is now working exploit code on GitHub that can accomplish a full Domain Controller takeover.

Just to recap what PrintNightmare is about: there is a printer-related service in Windows called the Print Spooler (the service is named Spooler and runs as spoolsv.exe). Regardless of whether you are printing a hard copy or printing directly to a file, Windows hands the job off to the Print Spooler to deal with the specifics.

However, even if you don't have any printers set up on your system, the Print Spooler is still running in the background by default, including on servers and domain controllers that never print anything. The only way to shut it down is to stop and disable the service yourself. This means the potential attack surface for this attack is every computer running Windows (which is huge).

The attack itself asks your Print Spooler to install a printer driver that the attacker supplies, and the spooler then loads that driver code with the same privileges as the Print Spooler service itself. Those are SYSTEM-level privileges, which means an attacker could potentially get this service to do pretty much anything at all. You're not supposed to be able to format your hard drive by asking your printer to do it.

The million dollar question: How big of a deal is this PrintNightmare? Like, for real this time?

The answer depends on your environment, and above all on who can reach your machines. Schools, for example, have wide networks with lots of users and rampant network printing, so to them this vulnerability is massive. Several universities have responded by disabling network printing, which has caused major disruption on their networks. Unless you are in a similar position, such drastic action probably isn't necessary.

So, what should you do about this situation?

1) Install the currently available patch.

It's not perfect, but it does provide some level of protection at least. As the saying goes, it's better than nothing. One caveat a lot of people have missed: Microsoft's own guidance is that the patch only works when Point and Print is not configured to let ordinary users install drivers without elevation (the NoWarningNoElevationOnInstall and UpdatePromptSettings policy values must be absent or 0). If your group policy sets either of those to 1, the patch is bypassable on that machine no matter how quickly you installed it.

2) Keep an eye out for the next patch

At some point Microsoft will release another patch that hopefully fixes this issue for good. When they do, go ahead and consider that an important update and install it according to whatever rules you have in your patch management policy for important/critical updates. (You do have an official policy regarding important software updates, right?)

3) Should you take further action?

This mostly depends on whether you have anonymous or otherwise untrackable users on your network (basically the same situation that schools have to face). If there are so many users that working out which print job, and which user, was the one that reset people's passwords would be a herculean effort likely to fail, then you should consider drastic alternatives. Fortunately most smaller organizations don't have this issue.

If you do have concerns, you can make sure Windows Firewall blocks inbound printing connections (the "File and Printer Sharing" inbound rules), or, more precisely, disable the group policy "Allow Print Spooler to accept client connections" so other machines cannot talk to the spooler at all. Neither change stops a machine from printing to a print server, because that traffic is outbound; they only stop other machines from sending print jobs, or drivers, to this one. Print servers obviously cannot be locked down this way, so expect some issues depending on how printing is handled in your network. Thankfully, unlike the issue found recently in Exchange, most places don't have their print servers connected directly to the internet. Attackers first need to penetrate your network and get inside before this vulnerability can be exploited, so a well-defended network should be safe from the remote version.

Even if you block remote access to the spooler, an attacker who already has a foothold on a machine, any ordinary user account will do, can perform the same attack locally and come away with SYSTEM privileges on that machine. Really the only way to get complete protection is to disable the Print Spooler service altogether, which will prevent you from printing anything. At this point, the codename PrintNightmare seems pretty accurate.
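Here is the three-step advice above as a single script. It is an added example, not code from the original post or from Microsoft: it reports the spooler's state, checks the Point and Print values that decide whether the July patch actually holds, and reports whether inbound printing is blocked, by policy or by the host firewall. The two switches are assumptions for this example; pass them only on hosts where the trade-off (no inbound print jobs, or no printing at all) is acceptable. The registry paths and value names are the documented policy locations for these settings.

```powershell
# Added example (not from the original TRINUS post). Audit the local Print Spooler
# and optionally apply the two hardening steps discussed above.
# Run from an elevated PowerShell session on Windows 10 / Server 2016 or later.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed switches for this example; neither is applied unless you ask for it.
    [switch]$BlockInboundPrinting,   # workstations that print but never share printers
    [switch]$DisableSpooler          # domain controllers and servers that never print
)

$printersKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointPrintKey = Join-Path $printersKey 'PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value not set at all
    return $item.$Name
}

# 1) Service state: is the spooler running, and will it come back at boot?
$svc = Get-Service -Name Spooler
Write-Host ("Spooler: Status={0} StartType={1}" -f $svc.Status, $svc.StartType)

# 2) Does the July patch actually protect this host? The fix only holds when both
#    Point and Print values are absent or 0; a value of 1 lets a non-admin user
#    install a printer driver with no elevation prompt, which is exactly the bypass.
$noWarn = Get-PolicyValue $pointPrintKey 'NoWarningNoElevationOnInstall'
$update = Get-PolicyValue $pointPrintKey 'UpdatePromptSettings'
if ($noWarn -eq 1 -or $update -eq 1) {
    Write-Warning ("Point and Print allows unelevated driver installs " +
        "(NoWarningNoElevationOnInstall=$noWarn, UpdatePromptSettings=$update); " +
        "the July patch is bypassable on this host.")
} else {
    Write-Host 'Point and Print: OK (driver installs require elevation).'
}

# 3) Inbound printing. RegisterSpoolerRemoteRpcEndPoint=2 is the registry form of
#    the policy "Allow Print Spooler to accept client connections" set to Disabled:
#    other machines can no longer reach this spooler over RPC/SMB, while printing
#    from this machine to a print server (outbound) keeps working.
$remote = Get-PolicyValue $printersKey 'RegisterSpoolerRemoteRpcEndPoint'
$state  = if ($remote -eq 2) { 'blocked by policy' } else { 'allowed' }
Write-Host "Inbound spooler client connections: $state"

# The host-firewall view of the same question: how many File and Printer Sharing
# inbound rules are currently enabled?
$fpsRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
    -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
Write-Host ("File and Printer Sharing inbound rules enabled: {0}" -f @($fpsRules).Count)

if ($BlockInboundPrinting -and
    $PSCmdlet.ShouldProcess('Spooler', 'Disable inbound client connections')) {
    New-Item -Path $printersKey -Force | Out-Null
    Set-ItemProperty -Path $printersKey -Name 'RegisterSpoolerRemoteRpcEndPoint' `
        -Value 2 -Type DWord
    Restart-Service -Name Spooler   # the spooler reads the value at start-up
}

if ($DisableSpooler -and
    $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable the service')) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}
```

Run it with no switches first to see where a host stands; `-BlockInboundPrinting -WhatIf` shows what would change without changing it. On domain controllers, which are the real prize in the GitHub exploit, `-DisableSpooler` is the option to reach for, since they have no business printing anyway.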

Issues like this help illustrate two important concepts: the importance of applying patches, and the importance of verifying that they actually work. After all, if you learned about PrintNightmare last week and installed the patch right away, you might still think you were safe. Without continuous monitoring you might never find out that the patch didn't actually fix the problem.
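Monitoring in this case means watching what the spooler is being asked to do, not just whether the patch is listed as installed. The script below is an added example, not code from the original post: it pulls the two PrintService events that matter most here, printer driver installs (event ID 316) and plug-in load failures (event ID 808), and flags any driver path that points at a network share, which is how the public exploit code delivers its DLL. The `-Hours` window is an assumption; set it to your review cadence.

```powershell
# Added example (not from the original TRINUS post). Review recent Print Spooler
# driver activity on the local host for signs of PrintNightmare-style abuse.
param([int]$Hours = 24)   # assumed review window

$logName = 'Microsoft-Windows-PrintService/Operational'

# This log is off by default. Enable it once, from an elevated prompt:
#   wevtutil set-log "Microsoft-Windows-PrintService/Operational" /enabled:true
$logInfo = Get-WinEvent -ListLog $logName -ErrorAction Stop
if (-not $logInfo.IsEnabled) {
    Write-Warning "$logName is not enabled on this host; enable it before relying on this check."
    return
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 316, 808          # 316 = driver added/updated, 808 = plug-in failed to load
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue   # no matching events is not an error

$events | ForEach-Object {
    $msg = ($_.Message -replace '\s+', ' ')
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        # A driver whose files live on a UNC share (\\host\share\...) rather than in the
        # local driver store is the pattern to look at every time. Legitimate Point and
        # Print installs from your own print server will show up here too, so compare
        # the host name against your known print servers before escalating.
        UncPath = [bool]($msg -match '\\\\[^\\ ]+\\[^\\ ]+')
        Message = $msg
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Schedule this, or the equivalent query in whatever log collector you use, rather than running it once: a driver install event with a UNC path on a machine that has no print server is worth a phone call, patch or no patch.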

Today's Shakespeare quote comes from Hamlet: "I have found the very cause of Hamlet's lunacy!" (although in our case that cause is the Print Spooler instead of a fatherly ghost or Ophelia's rejection.)

If you have any questions about your PrintNightmare vulnerability, please reach out to your TRINUS Account Manager for some stress-free IT.


By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.
