The PrintNightmare security vulnerability has received a comprehensive solution from a third party. Mitja Kolsek, the co-founder of the 0patch micro patching service, has released a free micro-patch that promises to address all known vulnerabilities associated with the print server bug.
While Microsoft is still working to mitigate the multiple risk factors that have sprung up around the PrintNightmare security vulnerability, a third party has come forward with a micro-patch for it.
PrintNightmare-based exploits and vulnerabilities are on the rise, but a solution is ready:
A security researcher accidentally revealed a zero-day Windows print spooler vulnerability in June. The PrintNightmare vulnerability is tagged as CVE-2021-34527, and it allows Remote Code Execution (RCE) and Elevation of Privileges on a Windows PC.
Microsoft did release a security update for the Remote Code Execution portion. However, researchers quickly bypassed the Local Privilege Elevation component. Security researcher and Mimikatz creator Benjamin Delpy further weaponized the print spooler.
A quick update: We're issuing a micropatch for the "malicious printer driver LPE" found by @gentilkiwi tomorrow, and one elegant micropatch for PetitPotam shortly thereafter. Start testing 0patch now so you can quickly use it in production when needed. https://t.co/zYpzdmP9Dd
— 0patch (@0patch) August 4, 2021
Concerningly, these exploits remain unpatched and hence pose a serious security threat. A remote print server can gain Administrator privileges.
With Administrator rights on a machine, anyone can run any command, add users, or install any software. Simply put, a remote print server effectively gives anyone, including threat actors, complete control over the system.
Free micropatches addressing the actively exploited PrintNightmare zero-day vulnerability in the Windows Print Spooler service are now available through the 0patch platform. […] Activel… via @BleepinComputer #security #tech #ThursdayThoughts https://t.co/yIlJY74loS
— AJ Durling (@Gurgling_MrD) July 22, 2021
It is important to note that mitigations for the zero-day PrintNightmare vulnerabilities already exist. Windows OS users merely need to edit the 'PackagePointAndPrintServerList' group policy.
Simply create a white list of approved print servers that can install a print driver. Enabling the policy, with a fake server name, will reportedly block the latest, unpatched exploit.
0patch Micropatching Service releases a micro-patch that addresses all known PrintNightmare security vulnerabilities:
There’s a much simpler and quicker solution in the form of a micro-patch. This is ideal for Windows PC users who do not wish to play with group policies.
Mitja Kolsek, the co-founder of the 0patch micro patching service, has released a free micro-patch. He claims the patch can fix all known PrintNightmare vulnerabilities.
The service has detailed the information about the vulnerability and the patch in a blog post. “We, therefore, decided to implement the group policy-based workaround as a micro-patch, blocking Point and Print printer driver installation from untrusted servers. This workaround employs Group Policy settings: the ‘Only use Package Point and Print’ first requires every printer driver is in form of a signed package, while the ‘Package Point and print – Approved servers’ limits the set of servers from which printer driver packages are allowed to be installed.”
“These settings are configurable via registry. Our patch modifies function DoesPolicyAllowPrinterConnectionsToServer in win32spl.dll such that it believes that PackagePointAndPrintOnly and PackagePointAndPrintServerList values exist and are set to 1, which enables both policies and keeps the list of approved servers empty.”
— 0patch (@0patch) August 5, 2021
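The two registry-backed policy values named in the quote can be audited on a host with a short script. This is an added example, not code from 0patch or Microsoft; the registry key path and the ListOfServers subkey are assumptions that the page does not state, and the function names are hypothetical.

```powershell
# Added example: report whether the two Package Point and Print policies are enforced.
# Assumption: policy location below (the page names the values, not the key).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.$Name
}

function Get-PackagePointAndPrintState {
    param([string]$Path = $PolicyKey)

    $only = Get-PolicyDword -Path $Path -Name 'PackagePointAndPrintOnly'
    $list = Get-PolicyDword -Path $Path -Name 'PackagePointAndPrintServerList'

    # Assumption: approved servers are stored as values under a ListOfServers subkey.
    $servers = @()
    $listKey = Join-Path -Path $Path -ChildPath 'ListOfServers'
    if (Test-Path -Path $listKey) {
        $key = Get-Item -Path $listKey
        $servers = @($key.GetValueNames() |
            ForEach-Object { $key.GetValue($_) } |
            Where-Object { $_ })
    }

    # Both values must be 1; an empty list means no server is approved at all.
    $verdict = if ($only -eq 1 -and $list -eq 1 -and $servers.Count -eq 0) {
        'Enforced, no approved servers (the state the micropatch emulates)'
    } elseif ($only -eq 1 -and $list -eq 1) {
        'Enforced, driver packages allowed only from the listed servers'
    } else {
        'Not fully enforced: at least one of the two values is missing or not 1'
    }

    [pscustomobject]@{
        PackagePointAndPrintOnly       = $only
        PackagePointAndPrintServerList = $list
        ApprovedServers                = $servers
        Verdict                        = $verdict
    }
}

Get-PackagePointAndPrintState | Format-List
```

The script only reads the registry, so it can be run across a fleet to find hosts where neither the group policy nor an equivalent control is in place.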
Although the micro-patch is free, Windows OS users need to register a 0patch account and then install an agent on the Windows PC to gain access to it. Incidentally, the 0patch service often releases free patches and fixes for bugs.
Several Windows XP and Windows 7 users rely on 0patch to offer risk mitigations. This is simply because Microsoft has stopped supporting the operating systems.