EEVblog Electronics Community Forum

Computing => Security => Topic started by: PerranOak on July 09, 2021, 08:57:14 am

Title: PrintNightmare nightmare
Post by: PerranOak on July 09, 2021, 08:57:14 am
Microsoft have issued a fix for the PrintNightmare vulnerability. However, I see that some people think that this update doesn’t fix it completely.

They advise some rigmarole around “point-to-print” or disabling print spooling.

Are these fixes to the fix necessary for the “ordinary” user?

I can just about cope with disabling the print spooler but that other thing …  :-//

Title: Re: PrintNightmare nightmare
Post by: ataradov on July 09, 2021, 03:48:12 pm
There was one bodged fix, that only fixed it for the demo code they were provided, but did not fix the real issue.

Then there was a second fix that supposedly fixed everything, but it is not clear if it actually does.

For now just disable print spooler, it is enough to hide the issue. Wait for a couple weeks and let them figure it out for real.
Title: Re: PrintNightmare nightmare
Post by: PerranOak on July 09, 2021, 04:31:36 pm
Will do, cheers.
Title: Re: PrintNightmare nightmare
Post by: ataradov on July 09, 2021, 05:38:06 pm
I just got an email from company's IT that a critical patch would be rolled out today. It does not say that it is for this issue, but realistically you can guess that it is.

So it looks like there is at least some trusted patch. It may be still incomplete one though.

I would still just disable the spooler. Unless you print a lot, it does not really matter.
Title: Re: PrintNightmare nightmare
Post by: PerranOak on July 10, 2021, 09:24:54 am
Cheers. It's disabled now and waiting for a "proper" patch!
Title: Re: PrintNightmare nightmare
Post by: PerranOak on July 14, 2021, 04:48:46 pm
Are we still waiting for a final patch?
Title: Re: PrintNightmare nightmare
Post by: ataradov on July 14, 2021, 05:20:05 pm
I was going to listen to Security Now on a lunch break later today, but reading the podcast notes, I see that Microsoft does not consider some of the issues to be real issue. And Point
And Print is involved here somehow.

So the current best recommendation is:
Quote

In other words, apply the out-of-band patch and be sure that the two keys noted above under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\PointAndPrint
do not exist. If you don’t know you need them, remove them for safety and security.
The optioons to remove are:
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

So if you or some other application did not change anything in the registry, then you are safe with the latest patches. If you have those keys and they are set to 1, then you are vulnerable and this is not going to be fixed.

It is likely that you don't have those keys, but double check to be sure. Especially given that the fixed issue is a local privilege escalation, and the other one is a remote code execution.
Title: Re: PrintNightmare nightmare
Post by: PerranOak on July 15, 2021, 10:27:08 am
Cheers.

I checked here:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT

but there was no "Printers" sub-structure so I guess I don't have these.

Some websites talk about a "Group Policy" thing but I couldn't find it in regedit.
Title: Re: PrintNightmare nightmare
Post by: oPossum on July 15, 2021, 10:38:44 am
Some websites talk about a "Group Policy" thing but I couldn't find it in regedit.

Win-R gpedit.msc
Title: Re: PrintNightmare nightmare
Post by: ataradov on July 15, 2021, 04:58:41 pm
The registry keys are sufficient to address the issue. If you don't have them and have latest updates, you are secure.