Threat Watch

Microsoft’s Patch for PrinterNightmare Is Ineffective

On July 6th Microsoft released an out of band patch to address the issues with CVE-2021-34527 however within hours Security Researchers had found flaws in the methods that allow for continued RCE, LPE exploits, and the popular tool Mimikatz has a module added verifying the findings. The issue lies within a Microsoft Policy for “Point and Print” being enabled allowing for installation of malicious drivers. It is reported to work on Windows 7, 8, 8.1, 2008, and 2012 however 2016, 2019, and 10 require Point and Print to be configured allowing RCE. While Microsoft works on a fix they have published a workaround explaining another path to mitigation.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

As reported yesterday in Threat Watch 0patch has released a micropatch that is currently working to block exploit attempts. Please note that if this has been installed and additionally Microsoft’s patch applied, the 0patch is now broken. This has to do with the changes Microsoft made to the offending localspl.dll. If this is the case it is advised to follow Microsoft’s workaround and install the registry key and DWORD, HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint RestrictDriverInstallationToAdministrators and set the value to 1.

https://www.theregister.com/2021/07/07/printnightmare_fix_fail/

https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support