On July 15, another remote code execution vulnerability (CVE-2021-34481) was added to the list of Print Spooler vulnerabilities commonly known as PrintNightmare. On Aug 10, Microsoft published a KB article with standard guidelines to fix the Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34481). Let's see how to fix CVE-2021-34481, another Windows Print Spooler Remote Code Execution Vulnerability.
The term 'Point and Print' refers to the capability that lets a user create a connection between a Windows client machine and a remote printer without providing any installation media: all necessary files and configuration information are downloaded automatically from the print server to the client. Read more about Point and Print here.
According to Microsoft, "This is a remote code execution vulnerability that exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." The vulnerability tracked under the CVE-2021-34527 ID allows an attacker who has limited access to the network to connect to the Print Spooler service directly or remotely. Because the Print Spooler has direct access to the operating system kernel, the attacker can gain access to the operating system through the service. By exploiting the PrintNightmare vulnerability, attackers can run remote code with SYSTEM privileges and ultimately attack the Domain Controller.
On Aug 10, Microsoft completed its analysis and published a security update to address this vulnerability. Microsoft has rolled out a patch for the affected versions of the Windows operating system and asks that it be installed immediately.

Before the update, the default behavior of Point and Print allowed driver installation with the least privileges, which let users install printer drivers without administrator rights. Microsoft has addressed this issue by changing the default Point and Print driver installation privilege to administrator. After applying the patch, users with lower privileges are restricted from adding or updating printers; only administrators can perform the task. Installing this security update with its default settings addresses the publicly documented Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34481). After this update, non-administrators can no longer do the following:

Install new printers using drivers on a remote computer or server
Update existing printer drivers using drivers from a remote computer or server
Note: If you are not using Point and Print, you can probably ignore the behavior change introduced by this security update, as it will not affect you.
There are a few options if you want to override the changes the security update makes.
Suppose you want to continue with your previous setup, where users with lower privileges must be allowed to install and update printer drivers. In that case, you can disable the new behavior of the security update by creating a registry key. But bear in mind that this will expose your environment to the publicly known Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34481). We recommend using this registry override only while you adjust your environment. Microsoft has confirmed in its KB article KB5005652 that Windows updates will not set or change the registry key. You will have to set the key yourself, either before or after installing the updates released on or after Aug 10.
| Setting | Details |
| --- | --- |
| Registry location | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint |
| DWORD name | RestrictDriverInstallationToAdministrators |
| Value data | Default behavior: if the value is set to 1, is blank, or the key is not defined or not present, administrator privilege is required to install any printer driver when using Point and Print. This registry value overrides all Point and Print Restrictions Group Policy settings and ensures that only administrators can install printer drivers from a print server using Point and Print. Setting the value to 0 allows non-administrators to install signed and unsigned drivers from a print server but does not override the Point and Print Group Policy settings. Consequently, the Point and Print Restrictions Group Policy settings can still override this registry value to prevent non-administrators from installing signed and unsigned print drivers from a print server. |
| Restart requirements | No restart is required when creating or modifying this registry value. |
You can also automate the registry setting. Follow these steps to automate the addition of the registry value:
Open PowerShell or cmd.exe with administrator privileges.
Issue this command: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
Note: If you have problems installing the printer driver even with administrator privileges, disable the 'Package Point and Print' Group Policy.
If your environment requires you to disable the new behavior of the security update, the following Group Policy settings can help reduce your exposure. However, they do not completely address the Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34481).
Open the Group Policy Management Console (GPMC) from Start > Administrative Tools > Group Policy Management.
In the GPMC console tree, navigate to the domain or organizational unit (OU) that stores the computer accounts on which you want to relax the security update's behavior.
Right-click the appropriate domain or OU, click Create a GPO in this domain, and Link it here. Enter a name for the new Group Policy Object (GPO), then click OK.
Right-click the GPO that you created and click Edit.
In the Group Policy Management Editor window, click Computer Configuration, click Policies, click Administrative Templates, click Local Computer Policies, and then click Printers.
Right-click Point and Print Restrictions and click Edit.
In the Point and Print Restrictions dialog, click Enabled.
Select the Users can only point and print to these servers checkbox.
Enter the fully qualified server names, separated by semicolons (;).
In the 'When installing drivers for a new connection' box, select Show warning and elevation prompt.
In the 'When updating drivers for an existing connection' box, select Show warning and elevation prompt.
Click OK.
Open the Group Policy Management Console (GPMC) from Start > Run: type GPMC.MSC and press Enter.
In the GPMC console tree, navigate to the domain or organizational unit (OU) that stores the computer accounts on which you want to relax the security update's behavior.
Right-click the appropriate domain or OU, click Create a GPO in this domain, and Link it here. Enter a name for the new Group Policy Object (GPO), then click OK.
Right-click the GPO that you created and click Edit.
In the Group Policy Management Editor window, click Computer Configuration, click Policies, click Administrative Templates, click Local Computer Policies, and then click Printers.
Enable Package Point and Print - Approved servers and click the Show... button.
Enter the fully qualified server names, separating each name with a semicolon (;).
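The following PowerShell audit script is an added example, not code from the original post or from Microsoft's KB article. It checks whether a machine is in the hardened state described by the RestrictDriverInstallationToAdministrators registry value above and by the two Group Policy procedures (Point and Print Restrictions and Package Point and Print approved servers). The policy value names and the PackagePointAndPrint\ListofServers layout are assumed from the Printers administrative template; they are not stated on this page.

```powershell
# Added example: audit Point and Print hardening on the local machine.
# Assumption: GPO-backed values live under these policy keys (from Printing.admx).
$pnp = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ppp = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = @()

# 1. RestrictDriverInstallationToAdministrators: missing or 1 is the secure default, 0 reopens the issue
$restrict = Get-PolicyValue $pnp 'RestrictDriverInstallationToAdministrators'
if ($restrict -eq 0) {
    $findings += 'RestrictDriverInstallationToAdministrators is 0: non-admins may install drivers (CVE-2021-34481 mitigation disabled)'
}

# 2. Point and Print Restrictions: Restricted=1, TrustedServers=1 and a non-empty ServerList
$restricted = Get-PolicyValue $pnp 'Restricted'
$trusted    = Get-PolicyValue $pnp 'TrustedServers'
$servers    = Get-PolicyValue $pnp 'ServerList'
if ($restricted -ne 1 -or $trusted -ne 1 -or [string]::IsNullOrWhiteSpace($servers)) {
    $findings += 'Point and Print Restrictions does not limit users to approved print servers'
}
# Both prompt settings must be 0 = "Show warning and elevation prompt"
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = Get-PolicyValue $pnp $name
    if ($null -eq $v -or $v -ne 0) { $findings += "$name is '$v': elevation prompt not enforced" }
}

# 3. Package Point and Print - Approved servers: flag set and server names stored under ListofServers
$pppEnabled = Get-PolicyValue $ppp 'PackagePointAndPrintServerList'
$approved = @()
if (Test-Path "$ppp\ListofServers") {
    $approved = @((Get-Item "$ppp\ListofServers").GetValueNames())
}
if ($pppEnabled -ne 1 -or $approved.Count -eq 0) {
    $findings += 'Package Point and Print approved server list is not enforced'
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Point and Print hardening is in place'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it in an elevated PowerShell session after a gpupdate /force so the audit reflects the policy values actually applied to the machine.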
This is how you can fix CVE-2021-34481, the Windows Print Spooler Remote Code Execution Vulnerability. It is always good practice to install all security patches, as doing so protects your environment from newly emerging security vulnerabilities.
Thanks for reading this post. Please visit our site to read more about technology and cybersecurity topics.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.