After the PrintNightmare update, I managed to find more details about how to remediate CVE-2021-34527 correctly.
How PrintNightmare works
By sending a request to add a printer, e.g. by using RpcAddPrinterDriverEx() over SMB or RpcAsyncAddPrinterDriver() over RPC, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system. A local unprivileged user may be able to execute arbitrary code with SYSTEM privileges as well.
Apply an update
Microsoft has addressed this issue in the updates for CVE-2021-34527. Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print value NoWarningNoElevationOnInstall is set to a non-0 value. Microsoft indicates that systems that have NoWarningNoElevationOnInstall set to a non-0 value are vulnerable by design.
Workaround
For systems that do not have the CVE-2021-34527 update installed, or that have Point and Print configured insecurely, consider the following workarounds:
- Stop and disable the Print Spooler service
- Disable inbound remote printing through Group Policy (Print Spooler service must be restarted)
- Block RPC and SMB ports at the firewall
- Enable security prompts for Point and Print by setting both values under the following key to 0:
  HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\
  NoWarningNoElevationOnInstall = 0
  UpdatePromptSettings = 0
- Restrict printer driver installation to administrators.
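To check whether a host actually matches the workarounds above, the following read-only audit script is an added example (not part of the original post): it reports the Spooler service state and the Point and Print registry values. It assumes the policy key path given above and that the script runs in an elevated PowerShell session on the host being checked; the value name RestrictDriverInstallationToAdministrators is not named in the post and is used here on the assumption that it is the value the July 2021 updates honour.

```powershell
# Added example: audit a host's Print Spooler / Point and Print posture
# against the CVE-2021-34527 workarounds. Read-only; run elevated.
$PnPKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name)
    # Returns $null when the policy key or value is absent (not configured).
    try { (Get-ItemProperty -Path $PnPKey -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PrintNightmarePosture {
    $findings = @()

    # 1. Spooler service: stopped and disabled is the strongest workaround,
    #    so a running or enabled service is reported for review.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings += 'Print Spooler service is running; stop it where printing is not needed.'
    }
    if ($spooler -and $spooler.StartType -ne 'Disabled') {
        $findings += "Print Spooler start type is '$($spooler.StartType)', not Disabled."
    }

    # 2. Point and Print prompts: a non-0 value here is vulnerable by design
    #    even on a patched host. Absent means the policy is not configured.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = Get-PointAndPrintValue -Name $name
        if ($null -ne $value -and $value -ne 0) {
            $findings += "$name = $value (must be 0)."
        }
    }

    # 3. Driver installation restricted to administrators (assumed value name,
    #    see lead-in). Flag anything that is not an explicit 1.
    $restrict = Get-PointAndPrintValue -Name 'RestrictDriverInstallationToAdministrators'
    if ($restrict -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not explicitly set to 1.'
    }

    [PSCustomObject]@{
        Host      = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-PrintNightmarePosture | Format-List
```

Run it across a fleet with Invoke-Command to get one object per host; Compliant is only $true when none of the three checks produced a finding.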
Links:
- https://www.kb.cert.org/vuls/id/383432
- https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print