fbpx

PrintNightmare official patch is out – update now!

Printnightmare Official Patch Is Out

by 

Here’s the good news: Microsoft has released an emergency patch for the infamous PrintNightmare bug that showed up just over a week ago.

The patch is what Redmond refers to as an OOB Security Update, where OOB is short for out-of-band.

OOB is a jargon term that refers to communications that are kept separate from the usual channel you use, notably for safety reasons in case the main channel should fail or need overriding in an emergency.

In Windows update parlance, OOB refers to patches that are deemed so important that they can’t wait until the next official Patch Tuesday, which is always the second Tuesday in each calendar month. (This month, that’s 2021-07-13, which is still almost a week away.)

ICYMI, PrintNightmare is an aptly named bug that became a public danger for the unfortunate reason that a team of security researchers jumped to an incorrect conclusion:

What happened?

Briefly put, Microsoft published a Windows Print Spooler patch for a bug dubbed CVE-2021-1675, as part of the June 2021 Patch Tuesday update that came out on 2021-06-08.

Originally, the bug was reported as an elevation of privilege (EoP) vulnerability, meaning that altough attackers already on your computer could exploit the bug to promote themselves from a regular user to a system account, they couldn’t use it to break into your computer in the first place.

In the meantime, Chinese researchers preparing a paper for the 2021 Black Hat conference were working on their own bug in the Windows Print Spooler.

Theirs sounded very similar, except that it was an RCE bug, short for remote code execution, meaning that it could be used for breaking in, not merely for elevating privilege.

Given that the Chinese researchers’ bug was apparently different, they hadn’t disclosed it yet.

Later in the month, however, Microsoft admitted that CVE-2021-1675 could also be used for RCE, and updated its public advisory to say so.

Even though that meant the bug was more serious in theory, no one worried too much in practice.

After all, a patch was already available, and anyone who had installed the patch to close the EoP hole was, ipso facto, protected against the newly announced RCE hole as well.

Never assume

The researchers then apparently assumed that their bug was not original, as they had thought.

Because it had already been patched, they assumed that it would therefore not be untimely to publish their existing proof-of-concept exploit code to explain how the vulnerability worked.

What’s the chance,” we guess they asked themselves, “that two different RCE bugs, working in what sounds like exactly the same way, would be found at exactly the same time in exactly the same Windows component, namely the Print Spooler?

With hindsight, which is a wonderful thing indeed, we can compute that chance precisely: 100 percent.

Their bug was not CVE-2021-1675 at all; it was CVE-2021-34527, although no one knew that at the time, because that additional bug number was only issued later on.

Even worse, this new RCE hole wasn’t blocked by Microsoft’s Patch Tuesday update, making the published code into a publicly available, fully functional, break-and-enter exploit.

Brand new bug

In the jargon of the cybersecurity industry, the researchers had unwittingly dropped an 0-day.

(“Zero days” is the jargon for a previously unknown and unpatched security hole, because that’s how many days ahead the Good Guys were when the Bad Guys first got to hear about it.)

The researchers removed the zero-day code from the internet pretty quickly, but not quickly enough.

As Pandora found when she opened her proverbial Jar , there’s no point in trying to put secrets back in the box once they’ve escaped.

The PrintNightmare exploit code had already been copied and republished in many places, and almost every known version of Windows was at risk.

Most notably, even Domain Controllers generally have the Print Spooler running by default, so that the PrintNightmare code theoretically gave anyone who already had a foothold inside your network a way to take over the very computer that acts as your network’s “security HQ”.

An easy workaround

Fortunately, there was a 2-minute workaround for any and all Windows systems: turn off the Print Spooler and set it into disabled mode so it can’t start up again, either by accident or by design.

No Print Spooler, no attack surface; no attack surface, no security hole; no security hole, no break-and-enter point.

Unfortunately, without the Print Spooler running, you can’t print, so anyone who needed a working printer somewhere on their network working was on the horns of a dilemma: leave the Spooler running only on carefully selected servers, and watch them really carefully; or continually re-enable/print/disable the Spooler every time output was required.

What to do?

The good news is that there’s a more fundamental fix for the RCE hole available now in the form of Microsoft’s Out-of-Band (OOB) Security Update available for CVE-2021-34527.

Use Settings > Update & Security > Windows Update and install the latest update (KB5004945)

Microsoft has also published some additional precautions that Windows administrators can follow to lock down their printers more thoroughly than before.

For what it’s worth, reports currently circulating on Twitter suggest that this patch only covers the RCE (“breaking in across the network”) part of the bug, not the EoP (“increasing account privilege after you’re in”) part…

…but the patch should be nevertheless be considered critical.

As mentioned above, on an unpatched network, cybercriminals could exploit this hole to take over your entire network, starting from almost any account on almost any computer.

Oh, before we go: don’t make the same mistake as the security researchers who unleashed this zero-day code by mistake.

When it comes to cybersecurity… NEVER ASSUME!


CHECKING FOR PRINTNIGHTMARE PATCHES

If you have Sophos Central, you can use the Live Discover feature with a query we’ve published to check your whole network for PrintNightmare patches.

On your own computer, you can view your recent updates using Settings > Update & Security > Windows Update > View update history.

Below, we’re running the latest Enterprise Edition of Windows 10 (21H1), and we’ve highlighted the June 2021 Patch Tuesday update, which covers CVE-2021-1675, and the 06 July 2021 Emergency update described in this article, which covers CVE-2021-34527:

You can also list the official hotfixes on your computer from a command prompt (CMD.EXE) using the SystemInfo or WMIC commands, like this:

C:\Users\duck> systeminfo

Host Name:                 TESTING123
OS Name:                   Microsoft Windows 10 Enterprise 
OS Version:                10.0.19043 N/A Build 19043
[. . .]
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB5003254
                           [02]: KB5000736
                           [03]: KB5004945  <-- Win10 PrintNightmare fix
                           [04]: KB5003742
[. . .]

C:\Users\duck> wmic qfe list brief
Description  [..]  HotFixID  [..]  InstalledOn 
Update              KB5003254      6/26/2021
Update              KB5000736      4/9/2021
Security Update     KB5004945      7/7/2021  <-- Win10 PrintNightmare fix
Security Update     KB5003742      6/24/2021

From a PowerShell prompt, you can simply use the Get-HotFix command:

PS C:\Users\duck> Get-HotFix

Source      Description      HotFixID [..]  InstalledOn
------      -----------      --------       -----------
TESTING123  Update           KB5003254      26/06/2021 
TESTING123  Update           KB5000736      09/04/2021 
TESTING123  Security Update  KB5004945      07/07/2021  <-- Win10 PrintNightmare fix
TESTING123  Security Update  KB5003742      24/06/2021 

To find out the KB number for your version of Windows, you can consult the list on Microsoft’s CVE-2021-34527 Security Update Guide.

NB. The list has 52 entries and covers 10 different hotfix numbers, from KB5004945 to KB5004959. You can download the complete list in Excel or CSV format from the relevant Security Update page.