For months, a number of vulnerabilities in the Windows Print Spooler service, summarized under the term PrintNightmare, have existed in all Windows versions. Microsoft has been trying to close the vulnerabilities completely since July 2021, to no avail. New problems occur after every patch. On patchday, September 14, 2021, there was another PrintNightmare fix, but it causes problems again. Here is a brief overview of the current state. For some users it is a new disaster, because the printer no longer works after the update.
The PrintNightmare vulnerability
In early July 2021, I first reported the vulnerability CVE-2021-1675 in the Windows Print Spooler in the blog post PoC for Windows print spooler vulnerability public, high RCE risk. It is a remote code execution (RCE) vulnerability that could allow an attacker to execute arbitrary code with SYSTEM privileges. This includes installing programs, viewing, modifying or deleting data, or creating new accounts with full user privileges.
Microsoft has been trying to fix the PrintNightmare vulnerability through updates since early July 2021 (see the list of links at the end of the article). However, these attempts have failed so far, and the PrintNightmare vulnerability has been patched incompletely. In addition, there are other problems after each update, e.g. printer drivers need administrator rights for installation. The list of links at the end of the article summarizes blog posts on the topic. At the end of August 2021, I had summarized the latest status in the blog post Windows: PrintNightmare wrap-up and status (August 28, 2021).
September 2021 patches for PrintNightmare
As of September 14, 2021, Microsoft has also included the PrintNightmare vulnerability in its security updates for Windows, even though this was not explicitly mentioned in the support posts. However, I have received a security advisory from Microsoft regarding this.
CVE-2021-1678
– Windows Print Spooler Spoofing Vulnerability
– CVE-2021-1678 – Version 2.0
– Reason for Revision: CVE updated to announce that Microsoft is releasing the
September 2021 security updates for all affected versions of Windows to address
this vulnerability. Additionally, other information has been updated, including
the following: 1) The CVE title and impact have been changed to better reflect
the vulnerability. 2) FAQs have been added. 3) Acknowledgement has been updated.
– Originally posted: January 12, 2021
– Updated: September 14, 2021
CVE-2021-36958
– Windows Print Spooler Remote Code Execution Vulnerability
– CVE-2021-36958 – Version 2.0
– Reason for Revision: CVE updated to announce that Microsoft is releasing the
September 2021 security updates for all affected versions of Windows to address
this vulnerability. Additionally, other information has been updated, including the
following: 1) Executive Summary has been updated 2) Workarounds have been removed as
they are no longer applicable 3) FAQs have been updated to reflect the release of the
September 2021 security updates.
– Originally posted: August 11, 2021
– Updated: September 14, 2021
Microsoft has released new patches for the two vulnerabilities listed above as of September 14, 2021. The colleagues from Bleeping Computer have given an outline of the information in this article. Benjamin Delpy confirms in this tweet that his exploits for the vulnerabilities no longer work.
Delpy told BleepingComputer that Microsoft disabled the CopyFiles feature by default. This could explain why some printer drivers cause problems after the patch. However, there is now an undocumented group policy that administrators can use to re-enable the CopyFiles feature. To do this, a DWORD value CopyFilesPolicy must be added under the following registry key and set to 1:
HKLM\Software\Policies\Microsoft\Windows NT\Printers
CopyFiles is then enabled again. According to Delpy, the feature can then still only be used with the Microsoft file C:\Windows\System32\mscms.dll.
Printing issues due to the patch
Similar to what happened back in August 2021 (see Windows: PrintNightmare wrap-up and status (August 28, 2021)), the new updates again seem to cause printer issues. German user Andreas reported in my German blog that notebook printers on Apple devices connected to a Windows Server 2019 print server refuse to work, which is confirmed by other readers. Blog reader Andreas Oberhof writes in this German comment on the German article Patchday: Windows 10-Updates (14. September 2021):
Printer problem after September update. For shared printers, suddenly the drivers are missing on the clients (win 10, current FU).
Printing is not possible. Remove printer is not possible. Adding printers is not possible. Interestingly, the problems do not exist on a terminal server in the same environment (also patched). Anyone have any ideas?
German blog reader Stefan confirms this problem on a terminal server. Blog reader Thomas describes an exotic problem that freezes the PC when debugging a printer driver – the whole thing is described here. On mewe.com I received the following feedback on the patchday post:
… the far bigger problem is: on our network, test users can now no longer connect printers and need administrative rights to do so. Right click under W10 at the print server under 2016 then wants to get drivers and bang
On Bleeping Computer's forum there is this thread about printing problems with network printers after installing update KB5005565. And on reddit.com I noticed this thread where users are also confirming printing issues due to the Sept 2021 updates. On reddit.com, this thread confirms the problem with printers on Windows Server 2012 R2 – and this reddit.com thread describes the same thing.
Addendum: In the meantime, I have received a number of reports from people who can no longer print. This affects all kinds of printers, even Zebra label printers are among them. In July 2021, Microsoft even had to withdraw a patch via KIR (see Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR).
What could help
In this comment on the article Windows: PrintNightmare-Nachlese und Stand (27. August 2021), Benjamin writes that he succeeded in getting the devices that refused to work running again with the hints collected in the article (setting up V4 drivers on the print server a second time). However, this is likely to fix the problems only in isolated cases.
In the blog post I had also mentioned that you can reset the admin permissions for printer installation introduced by the August 2021 update via GPO. Microsoft has described this in support article KB5005652.
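An added example, not from the original article or from Microsoft: a read-only PowerShell audit of the CopyFilesPolicy value described above and of the printer-driver installation restriction from KB5005652, useful for spotting machines where either setting was rolled back to get printing working again. The value name RestrictDriverInstallationToAdministrators and its PointAndPrint subkey come from Microsoft's KB5005652, not from this page, and the function names are hypothetical.

```powershell
# Added example: read-only audit of two print-related policy values.
# Function names are hypothetical; nothing is written to the registry.

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PrinterPolicyAudit {
    $base = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'

    # CopyFilesPolicy: per the article, 1 re-enables CopyFiles;
    # when the value is absent, the September 2021 default (disabled) applies.
    $copy = Get-PolicyDword -Path $base -Name 'CopyFilesPolicy'
    if ($null -eq $copy) { $copyFinding = 'OK: not set, CopyFiles stays disabled (patch default)' }
    elseif ($copy -eq 1) { $copyFinding = 'REVIEW: CopyFiles re-enabled by policy' }
    else                 { $copyFinding = "REVIEW: value $copy is not described in the article" }

    # RestrictDriverInstallationToAdministrators (name taken from KB5005652):
    # absent or 1 keeps the admin requirement from the August 2021 update, 0 removes it.
    $rest = Get-PolicyDword -Path "$base\PointAndPrint" `
                            -Name 'RestrictDriverInstallationToAdministrators'
    if ($null -eq $rest -or $rest -eq 1) {
        $restFinding = 'OK: printer driver installation requires administrator rights'
    }
    elseif ($rest -eq 0) {
        $restFinding = 'REVIEW: administrator requirement for driver installation is switched off'
    }
    else {
        $restFinding = "REVIEW: unexpected value $rest"
    }

    [pscustomobject]@{ Setting = 'CopyFilesPolicy'; Value = $copy; Finding = $copyFinding }
    [pscustomobject]@{ Setting = 'RestrictDriverInstallationToAdministrators'
                       Value   = $rest; Finding = $restFinding }
}

Get-PrinterPolicyAudit | Format-Table -AutoSize -Wrap
```

A REVIEW line is not necessarily a misconfiguration; it marks a host where a post-patch default was deliberately or accidentally overridden and should be documented.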
Similar articles
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Microsoft on PrintNightmare vulnerability CVE-2021-34527: Windows is secure after patch
Patchday: Windows 10-Updates (July 13, 2021)
Patchday: Windows 8.1/Server 2012-Updates (July 13, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (July 13, 2021)
Windows vulnerability PrintNightmare: It's not over yet (July 15, 2021)
Microsoft Defender for Identity can detect PrintNightmare attacks
PrintNightmare: Point-and-Print allows installation of arbitrary files
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
Windows PrintNightmare, next round with CVE-2021-36958
Ransomware gang uses PrintNightmare to attack Windows servers
Vice Society: 2. Ransomware gang uses Windows PrintNightmare vulnerability for attacks
Microsoft shows a "slim foot" with PrintNightmare
Windows: PrintNightmare wrap-up and status (August 28, 2021)
Patchday: Windows 10-Updates (September 14, 2021)
Patchday: Windows 8.1/Server 2012 Updates (September 14, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (September 14, 2021)