PrintNightmare: Securing Your Print Infrastructure

You have no doubt heard about the “PrintNightmare” problem in the news. It’s a class of vulnerabilities in just about every Windows-based device, including servers, desktops, and laptops. The problem is present in the print spooler service that is enabled by default and provides facilities for managing printers and printing documents.

This particular story started on June 8th when Microsoft’s weekly set of patches included a fix for CVE-2021-1675, a flaw in the print spooler service that allowed an attacker to exploit a local privilege escalation (LPE) vulnerability and execute malicious code using the print spooler service.

This is not the first time such a vulnerability has been identified and patched. There’s a long history of attackers using the print spooler service as an entry point to compromise systems. For example, the infamous Stuxnet malware that affected the Iranian nuclear facilities in 2010 used a similar mechanism.

So, what has this got to do with PrintNightmare? Well, it was the actions of a security researcher looking at June’s printer server patch that led to its discovery.

The Print Nightmare Story

What is the Problem?

A vulnerability in Microsoft’s print spooler software was identified on July 1st in CVE-2021-34527, which was dubbed “PrintNightmare.” This is distinct from the previous month’s disclosure: it uses a different attack vector but goes through the same print spooler service. Any attacker with remote network access can exploit this vulnerability, while the earlier CVE-2021-1675 can be thought of as a local version of PrintNightmare. It allows an attacker to gain remote access and execute malicious code with privileged access rights. Exploiting this Remote Code Execution (RCE) flaw gives them effective control of the affected system, whether to quietly steal sensitive data or to disrupt operations.

What is a Print Spooler Service?

In essence, the print spooler service manages the connection to, and operation of, any printer attached to a Windows-based device. It downloads and installs the printer drivers the device needs to talk to each printer in that printer’s own language, irrespective of the protocols used by the printer’s manufacturer. It also manages print jobs (documents sent from the device to the printer) by queueing jobs, ordering the queue by priority, and buffering the data into the printer’s memory.

Domain controllers often also use the same print spooler service to manage the addition and removal of printers on a network. Domain controllers inherently run with system privileges, handle security authentication requests within a computer network domain, and grant hosts access to domain resources. As a result, any authenticated user can remotely connect to a domain controller’s print spooler service, a significant weakness at the core of the network’s security controls.

The print spooler service also allows any device running a Windows operating system to act as a print client, printing to a local printer, or as a print server, allowing any networked device to access its local printer. The problem is that we have grown used to connecting a new printer anywhere on a network and using it, reasonably painlessly, from any device connected to that network. This usability comes down to the privileged access that the print spooler service has across the entire network, bypassing security controls and offering the ability to update printer drivers to the latest version automatically.

So, what is the Risk with PrintNightmare?

The problem with the PrintNightmare vulnerability is that an attacker external to the network can upload malicious code disguised as a Dynamic-link library (DLL) and execute this with administrator privileges across the network. Additionally, this flaw provides an entry point for uploading additional malicious programs or exfiltrating sensitive information.

The concern with PrintNightmare is that such code is already in existence thanks to a security researcher publishing a proof of concept for June’s patched LPE vulnerability that identified the presence of July’s RCE vulnerability. While Microsoft has issued an emergency patch for this second flaw, it’s safe to say that copies of the proof of concept code will be circulating amongst the hacker community and probably being exploited.

Is that the End of the Story?

Sadly the “PrintNightmare” vulnerability may have been patched, but more flaws in the Windows print spooler service have been identified – and more will be discovered.

The latest, CVE-2021-34481, identifies a critical elevation of local privileges. Another potential defect with a possible RCE exploit has been reported but is yet to be assigned a CVE number. The official advice for the short-term fix is to stop and disable the print spooler service on all devices until this flaw is patched.

Update 8/13/2021: we address a new one, CVE-2021-36958, on our Community site.

The downside of this advice is that you will lose the ability to print until all security patches are applied. Also, it won’t plug the holes from the vulnerabilities that are not yet patched. Although the various short-term fixes published on the internet are temporary solutions, a long-term solution is essential to protect your infrastructure effectively.
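The short-term advice above (stop and disable the spooler on domain controllers and on hosts that do not print) is easy to state and easy to apply too broadly. The following PowerShell script is an added example, not code from the Pharos article or from Pharos: it audits one host, reports whether it is a domain controller and whether it has any real (non-virtual) or shared printers, and only stops and disables the service when you pass -Disable and the advice actually applies. The script name and the list of virtual-printer names are assumptions; it relies on the built-in PrintManagement module and an elevated session.

```powershell
<#
  Added example, not part of the Pharos article. Audits whether this Windows
  host still needs the Print Spooler and, if asked, applies the short-term
  advice: stop and disable the service on domain controllers and on hosts
  that do not print. Run from an elevated PowerShell session; assumes the
  built-in PrintManagement module (Windows 8 / Server 2012 and later).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Report only by default; pass -Disable to actually stop and disable the service.
    [switch]$Disable
)

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$computer = Get-CimInstance -ClassName Win32_ComputerSystem
$isDomainController = $computer.DomainRole -in @(4, 5)

# Built-in virtual printers do not indicate that the host really prints (assumed list).
$virtualPrinterPatterns = @('Microsoft Print to PDF', 'Microsoft XPS Document Writer', 'Fax', 'OneNote*')

# Get-Printer fails when the spooler is already stopped; treat that as "no printers".
$printers = @(Get-Printer -ErrorAction SilentlyContinue)
$realPrinters = @($printers | Where-Object {
    $name = $_.Name
    -not ($virtualPrinterPatterns | Where-Object { $name -like $_ })
})
$sharedPrinters = @($realPrinters | Where-Object { $_.Shared })

$spooler = Get-Service -Name Spooler

# The short-term advice applies to domain controllers and to hosts with no real printers.
$shouldDisable = $isDomainController -or ($realPrinters.Count -eq 0)

[pscustomobject]@{
    ComputerName       = $computer.Name
    DomainController   = $isDomainController
    SpoolerStatus      = $spooler.Status
    SpoolerStartType   = $spooler.StartType
    RealPrinters       = $realPrinters.Count
    SharedPrinters     = $sharedPrinters.Count   # a shared printer means this host acts as a print server
    RecommendDisabling = $shouldDisable
} | Format-List

if ($Disable -and $shouldDisable) {
    if ($PSCmdlet.ShouldProcess("$($computer.Name)\Spooler", 'Stop and disable the Print Spooler service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        # Confirm the change took effect.
        Get-Service -Name Spooler | Select-Object Name, Status, StartType
    }
}
elseif ($Disable) {
    Write-Warning "Host has $($realPrinters.Count) real printer(s) and is not a domain controller; leaving the spooler alone."
}
```

Run it once without arguments to see the report, then with `-Disable -WhatIf` to see what would change, and finally with `-Disable` on the hosts where the report says RecommendDisabling is True. Because the spooler must stay running on anything that prints, a shared-printer count above zero is the signal that the host is a print server and that disabling it will interrupt printing for its clients, which is the trade-off the paragraph above describes.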

Long Term Protective Measures Against PrintNightmare

Option 1: Patching and Praying

Keeping up to date with security patches for the printer spooler service vulnerabilities will provide a level of protection. Still, it seems like it’s just a matter of time before the next PrintNightmare is found. The CVE database currently contains 37 records for the printer spooler service, and more vulnerabilities are known to have been found.

The problem is that well-resourced hackers may find and exploit a vulnerability before Microsoft is made aware of its existence and creates and distributes a security patch. This window of opportunity for the hackers means that any organization using Windows-based print servers is potentially at risk from remote attack. A well-organized, typically state-backed hacking collective will silently use such a window of opportunity to plant malware within as many vulnerable organizations as possible. This strategy enables them to complete any attack later, even when the original vulnerability has been found, patched, and resolved.

For organizations that present an attractive target to hackers, this risk may be substantial. Intellectual property and sensitive commercial information are as much a target as cash reserves. The financial or reputational cost of falling victim to an attack could result in the collapse of the business.

Option 2: Permanently Counter Windows Print Server Vulnerabilities by Moving Print Services

Windows-based print servers introduce a significant range of attack points that an attacker can exploit. Windows print server security will always contain exploitable weaknesses. Therefore, any long-term solution will need to address these if it is to be effective. Moving print services to a secure cloud-based print management solution will address all these points.

Eliminate the need for printer driver management, which often allows weak legacy communications protocols

The installed printer drivers on a network are only as secure as the technologies used to implement their communications protocols – well outside the network administrators’ control. For example, the Simple Network Management Protocol (SNMP) and other commonly used protocols are vulnerable to man-in-the-middle attacks through file replacement, proxy monitoring, or other means. This gives an attacker the ability to compromise the integrity of the server and provide the base for lateral movement and privilege escalation across the network.

Eliminate drivers and eliminate this attack surface. A cloud-based secure printing solution that does not rely on manufacturer drivers doesn’t require a network administrator to configure communications protocols, enforcing secure connectivity by default.

Avoid the unconstrained network-wide access that print processes require, which forces allow lists and exceptions into security software and bypasses protective controls

One feature of shared print queues is that they require access to specific Transmission Control Protocol (TCP) ports and often require access to hidden shares and various privileged folders within the Windows operating system. This requires installed security software to blanket-allow these operations across the network: open access that an attacker who has penetrated the network can exploit to extend their reach.

Moving print infrastructure to the cloud eliminates the need for your network security controls to include exceptions for print services, simplifying configuration and enhancing security robustness.

Default support for printers connected to devices running older operating systems allows the use of weak legacy print protocols that can be exploited

The print spooler services and their Point-and-Print functionality have been present in all Windows versions dating back to NT4 in the 1990s. As a result, they include support for legacy protocols that enable them to manage Windows clients that do not support the latest Server Message Block (SMB) and Common Internet File System (CIFS) protocols.

While this legacy support simplifies integration with older systems, it allows an attacker to exploit the inherent weaknesses in older protocols. If networks include legacy systems that cannot be upgraded, then this risk cannot be removed. Upgrading and hardening systems to eliminate this risk also risks introducing misconfiguration problems and compatibility issues.

Cloud-based secure printing solutions eliminate the need for your network administrator to configure print mechanisms and enforce secure protocols by default.

Remove print spoolers and servers from multi-use servers

Most typical infrastructures are not afforded the luxury of having a dedicated print server. Usually, the print server device also performs other functions such as file-sharing or an internal web server. Unfortunately, these multiple uses open the potential for vulnerabilities or misconfiguration of Access Control Lists (ACLs) or Active Directory group memberships that allow unauthorized users access to the print server function.

By replacing print servers with a cloud service, companies eliminate the associated risks that multi-use servers can create.

Encrypt all print file transmission and storage to prevent eavesdropping

The standard implementation of the printer spooler service passes data across the network in an unencrypted form where it is vulnerable to eavesdropping or interference while in transit or at rest in a temporary storage location, including within the printer.

Cloud-based secure printing solutions protect your data in transit and at rest using robust encryption algorithms managed by the solution provider.

Eliminating the Print Nightmare Risk

The fundamental problem with print servers is that they cannot be securely locked down without disabling the ability for users to print documents across a network.

The best long-term protective measure is arguably to eliminate the need for the printer spooler service from the network. This not only removes the risk but has the added benefit of reducing your infrastructure overhead and administration workload.

This is where Pharos can help. Pharos Beacon provides a completely serverless printing infrastructure that delivers both secure and direct-to-printer workflows for businesses.

Pharos Beacon as a Solution

Removing Windows-based print servers from your network may sound like a radical concept. Still, Pharos has been providing serverless printing services since 2015, using trusted technology utilized on over 2,250,000 desktops worldwide. The Pharos Beacon cloud-based print management solution replaces legacy Windows printers with a secure service that eliminates print spooler services, printer drivers, and all the vulnerabilities they bring to your infrastructure.

Adopting a centrally managed cloud print management solution will reduce the attack surface for your organization by eliminating the need for a print spooler service to be running on every Windows-based device, including the domain controllers. Removing the print spooler service from a domain controller eliminates a significant security weakness in the network.

Being a cloud-based service, security software running on your network does not need to include print services in its allow lists and exceptions. This closes any potential holes in your security controls that an unauthorized user could exploit to traverse your network in search of additional vulnerabilities.

Pharos Beacon encrypts all communications channels used for print jobs to eliminate any risk of eavesdropping on an organization’s network, accessing potentially sensitive information as it transits from the end-user device to the printer. Its Secure Print facility also encrypts the data for print jobs while at rest utilizing a zero-knowledge AES-256 encryption algorithm to maximize protection.

The final and critical point is that this service does not require clients to upgrade their workstations or existing printer fleet. Instead, what it does is remove an expensive security problem from your network and improve the printing experience for your IT administrators and users alike, thanks to our best-in-class cloud technologies.

You can wake up from the PrintNightmare without turning off printing

The “PrintNightmare” story has highlighted the myriad of security issues that printer services can introduce into your business’s infrastructure. The migration to a cloud-based serverless secure printing service can eliminate not just the “PrintNightmare” risks but all future risks created by weaknesses in the Windows printer spooler services code that have yet to be found. Added benefits are compatibility with existing infrastructure and a reduced IT administration workload. The good news is that Pharos can help you achieve this painlessly and cost-effectively; everybody wins except the hackers.

Pharos and “PrintNightmare” Windows vulnerability

July 1, 2021 — Over the last 24 hours, a zero-day exploit leveraging a vulnerability in the Windows Print Spooler Service has been publicly released and acknowledged by Microsoft. The exploit, termed “PrintNightmare” (CVE-2021-1675), does not currently have a complete fix from Microsoft.

While the vulnerability leverages the print spooler process to enable a Remote Code Execution vulnerability, the risk extends beyond printing to the underlying operating system at the desktop and server level. Some security experts and teams are suggesting disabling the Windows Print Spooler Service. The US Cybersecurity and Infrastructure Security Agency (CISA) is recommending that administrators disable the Windows Print Spooler service on Domain Controllers and on systems that do not print.

Many Pharos Blueprint and Uniprint customers use the Windows Print Spooler Service as a print file transport layer to the Blueprint and Uniprint job storage services. Disabling the Print Spooler Service for these customers and their end-user clients will result in print interruption.

However, we recommend that all customers follow the security precautions and recommendations of your IT Security teams.

As the Pharos Beacon cloud platform does not use the Windows Print Spooler, it is unaffected by the disabling of the Spooling Service on servers (though disabling it on desktops will prevent all print from Windows).

Clients who are unsure about whether they are relying on Windows Print Spooling or looking to reduce reliance on Windows Print Spooling should contact Pharos support for guidance and support.

In the meantime, Pharos will continue to monitor the PrintNightmare vulnerability and communicate to our partners and clients as the threat evolves and as the vulnerability is eliminated.

Pharos Products and Services Unaffected by the SolarWinds Exploit

The Pharos Security Team has been watching with heightened awareness the developing cyberattack on federal and corporate computing systems by way of vulnerabilities found in several versions of the SolarWinds Orion software platform.

Pharos does not use SolarWinds Orion software for internal or cloud-based systems. We have completed an audit of all computing platforms within Pharos to ensure that the SolarWinds product is not resident on any devices within our IT infrastructure.

As such, we are confident that neither Pharos nor any of our customers are exposed to this threat by the use of Pharos products and services.

We will continue to monitor the situation and the actions and directives emerging from the joint activity of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI). We will embrace any actions recommended or required.

As the situation evolves, Pharos will continue to update our website and inform customers should any concerns arise related to our internal, cloud, or deployed products in customer locations.

For more information on this developing story:

A Moment of Reckoning [By Microsoft President Brad Smith]

Why Zero Trust Networks Are a Growing Trend

Summary: The security strategy of zero trust has been growing rapidly in recent years, as more corporate enterprises abandon traditional network configurations that rely on perimeter security. In today’s world of lockdowns, health anxiety, remote workers, increasing cybercrime, and too many unknowns to count, zero trust will likely emerge as the new standard for corporate security and infrastructure. Pharos is the only cloud print management solution provider that supports secure printing in zero-trust network environments.

Worldwide, business leaders are trying to adapt to a whole new economic landscape as we all learn to cope with and plan for an uncertain future, both near-term and long-term. Everything is being re-evaluated—supply chain, sales, pipeline, cloud expansion, and IT strategies for a more distributed workforce. COVID-19 has changed everything.

A New Security Paradigm

An important trend was already underway before the pandemic struck: the transition to zero trust architecture as the new standard for securing corporate networks. Zero trust is more than a single technology or network topology; it’s a comprehensive information security paradigm that initially distrusts all users and all devices.

No one and nothing can gain access to network resources without first proving the required level of security and authorization. Zero trust involves several technologies, including policy engines, encryption, principles of least privilege, endpoint security, and more.

Internet-Only Networks

Even before the global pandemic struck, organizations were increasingly moving to Internet-only configurations for at least some segments of their network. Now that most companies have a largely remote workforce, which some companies believe is a permanent change, the Internet-only network is quickly becoming an important facet of the zero-trust strategy.

This is completely different from the traditional “castle and moat” network configuration which relies on perimeter security and assumes that everyone (and every device) inside the network is a trusted entity.

The fundamental problem with the castle and moat concept is that it makes every endpoint on the network a prime target for attackers. Once an attacker compromises an endpoint, they are essentially inside the network, and therefore every node on that network—every workstation, every server, every printer, every database—becomes easy prey.

In an Internet-only network, endpoints lose their value to attackers. The perimeter of the network cannot be compromised because the perimeter is segmented to surround everything. All endpoints that would otherwise be connected in an “east-west” fashion within the network are instead isolated within their own perimeters.

The only data transmission that does exist is in a “north-south” direction, and those secure connections are protected by access controls. Devices can only communicate with required services and have no line of sight to other devices.

Most hacks and malware insertions are enabled by human error. In the traditional network model where the entire network is protected by one verification point (user login credentials or a perimeter firewall), an attacker can leverage the inherent trust of the compromised endpoint to move laterally across the network to access sensitive data.

It’s called zero trust because no user, device, or application is inherently trusted. The Internet-only architecture means that lateral movement across the network is eliminated, minimizing the risk of a single endpoint being compromised.

There’s a network, but not in the traditional sense that we typically visualize. The moat still exists (the firewall providing perimeter security) but there’s no castle behind the moat to plunder.

An Accelerating Trend

According to BusinessWire, “The zero-trust security market is projected to grow from $15.6 Billion to 38.6 Billion by 2024.” Organizations are moving quickly to adopt this new security strategy, and those that have not yet started the migration process are increasingly planning to do so.

Guidance published in Gartner’s 2019 Market Guide for Zero Trust Network Access suggests that “Security and risk management leaders should plan pilot (zero trust) projects for employee and partner-facing applications.”

In our conversations with business leaders all over the globe, this is what everyone is talking about. The time is now.

Research by IBM (published in their Cost of a Data Breach study) revealed that the average cost to a company from a single data breach is almost $4 million. As the costs of security breaches continue to increase, so too does the sophistication of cyberattacks. Together, these factors have forced companies to think differently about how to protect their data.

Replacing the conventional network with zero trust technologies has changed the game and given the advantage to the organization rather than the determined hacker.

This is the fundamental reason why zero trust networks are increasingly implemented. In addition, businesses today are more distributed and the focus on internal perimeter security has become less relevant. Zero trust networks also provide greater flexibility and scalability at much lower cost.

Solutions for a Post-Quarantine World

According to NextGov, “COVID-19 should prompt enterprises to move quickly to zero trust.” This is not about any singular technology you can easily install to transform your organization, but a completely new paradigm for security and the corporate network.

In addition to the “north-south” topology, zero-trust security also entails strict user authentication protocols, end-to-end encryption, policy enforcement, and on-device threat detection for every asset. The focus is protecting individual resources rather than network segments, a concept that is increasingly relevant in a post-quarantine world in which remote workers and cloud-based assets are the norm.

Most office workers have been working from home and many companies are likely to give people the option to remain working from home permanently. This undeniable trend amplifies the significance and urgency of zero trust concepts as businesses are forced to re-think device and data protection.

Now that the corporate network extends to individual homes, businesses have to find new ways to mitigate and manage risk. Zero trust security assumes that the network is always under attack and provides a framework to ensure that data and devices are secure given that assumption.

Print as a Service

Print is a key part of the “everything as a service” model and a small but important facet of the zero trust environment. Printing in the office has traditionally meant that employees submit print jobs from their workstations over the network to a specific printer. Or, if an on-premises secure print solution is deployed, employees submit print jobs to a virtual queue on a network print server. Either way, the workstation has to be able to connect to another device on the network.

But this east-west communication between endpoints does not exist in an Internet-only network. So how does printing work in this new world?

To the end user, the printing experience is the same as it always was. Behind the scenes, however, it’s a different story. Secure cloud printing in a zero trust environment means that every device permitted to access the system is managed by the organization through a combination of policy and technology. Print jobs are still submitted as they normally are, from whatever application the employee is using.

As the following graphic illustrates, the print job is encrypted and sent over a secure line directly to the cloud service, where it is parked until the authorized user is ready to print it. Data about the print job is captured for reporting and analytics. Only the submitting user or an authorized delegate can access the document. When the authorized user successfully authenticates at a secured printer, the printer pulls the print job from the cloud. There is no line of sight between the employee workstation and the printer.

This arrangement means that any employee, properly configured in the system, can submit print jobs from their workstation or mobile device from any network location, be it a Starbucks or their home office, and then securely release their prints when it’s convenient to do so—either by visiting the office to authenticate, print, and collect the documents, or by enabling an authorized user at the office to print and deliver the documents to a desired location.

Zero Trust Printing: More Than Your Network Framework

In addition to the network architecture, there are many other technologies and policy-based aspects of zero trust that are directly relevant to printing. For example, it’s important to disable any unsecured protocols like RAW and LPR which have long been the veins through which print data flows. For a print solution to support zero trust, it will need to work without these outdated protocols to keep the data encrypted across the network.
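Before RAW and LPR can be switched off, you need to know which printer ports still use them. The following PowerShell script is an added example, not code from the Pharos article or from Pharos: it inventories the Standard TCP/IP printer ports on a Windows host or print server, reports which ones use RAW or LPR (both carry print data in cleartext), which printers are bound to each port, whether those printers are shared, and whether SNMP (mentioned earlier on this page as a man-in-the-middle exposure) is enabled on the port. It assumes the built-in PrintManagement module; the helper function name and the handling of the Protocol value as either a number or a string are assumptions made so the script works across builds.

```powershell
<#
  Added example, not part of the Pharos article. Lists every Standard TCP/IP
  printer port on a Windows host or print server that still uses the
  unencrypted RAW or LPR protocol, the printers bound to it, and whether SNMP
  is enabled on the port. Assumes the built-in PrintManagement module; run it
  on the print server, or pass -ComputerName for a remote one.
#>
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

$printers = @(Get-Printer -ComputerName $ComputerName)
$ports    = @(Get-PrinterPort -ComputerName $ComputerName)

# MSFT_PrinterPort.Protocol is 1 = RAW, 2 = LPR; some builds already display the
# name, so the default branch passes a string value straight through (assumed helper).
function Get-PortProtocolName {
    param($Port)
    switch ("$($Port.Protocol)") {
        '1'     { 'RAW' }
        '2'     { 'LPR' }
        default { "$($Port.Protocol)" }
    }
}

$findings = foreach ($port in $ports) {
    # Only Standard TCP/IP ports carry a host address; local, file and WSD ports are skipped.
    $hostAddress = if ($port.PrinterHostAddress) { $port.PrinterHostAddress } else { $port.LprHostAddress }
    if ([string]::IsNullOrEmpty($hostAddress)) { continue }

    $protocol = Get-PortProtocolName -Port $port
    if ($protocol -notin @('RAW', 'LPR')) { continue }

    $boundPrinters = @($printers | Where-Object { $_.PortName -eq $port.Name })

    [pscustomobject]@{
        Port        = $port.Name
        Protocol    = $protocol
        HostAddress = $hostAddress
        PortNumber  = $port.PortNumber          # RAW ports typically use 9100
        SnmpEnabled = $port.SNMPEnabled
        Printers    = ($boundPrinters.Name -join ', ')
        # A shared printer on a cleartext port exposes every client's print data, not just this host's.
        Shared      = (@($boundPrinters | Where-Object { $_.Shared }).Count -gt 0)
    }
}

if ($findings) {
    $findings | Sort-Object Protocol, Port | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) port(s) on $ComputerName still send print data over RAW/LPR in cleartext."
}
else {
    Write-Output "No RAW or LPR printer ports found on $ComputerName."
}
```

Run it on each print server (or with -ComputerName against one) and treat every row as a queue that must be migrated before the port is removed; shared printers on RAW or LPR ports are the ones to prioritise, since every client that prints through them sends its documents in cleartext.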

A cloud-based printing environment means there’s far less for the organization to manage itself—there are no print servers, drivers or queues for IT staff to track and manage. As all cloud services do, printing with this system frees up an organization’s internal teams to focus on other areas of their business and technology landscape.

Shifting to zero trust and incorporating secure printing into your Internet-only landscape is likely just a matter of when, not if. It’s cheaper, simpler, more secure, more flexible, and more scalable. All the benefits of zero trust security and Internet-only networking extend to the printing context:

  • Secure, identity-centric access
  • Attack vectors are eliminated because lateral resources are invisible
  • Enables business agility at scale
  • Requires little ongoing maintenance

If you’re new to the concepts of zero trust security and Internet-only networking, and how print is changing to meet the needs of businesses and a more distributed workforce, we invite you to register for our June 11 Webinar, “Why Zero Trust Networks Matter.” You can also learn more about Sentry Print, our true cloud secure printing service built on AWS. The technical white paper below provides a detailed description of how Sentry Print works in an Internet-only configuration.