PrintNightmare: Securing Your Print Infrastructure
By Scott Olswold | August 6, 2021
You have no doubt heard about the “PrintNightmare” problem in the news. It is a set of vulnerabilities in the Windows print spooler service, which runs by default on just about every Windows-based device, including servers, desktops, laptops and domain controllers, and provides the facilities for managing printers and printing documents.
This particular story started on June 8th, when Microsoft’s monthly Patch Tuesday release included a fix for CVE-2021-1675, a flaw in the print spooler service that was initially classified as a local privilege escalation (LPE): a low-privileged user could get the spooler, which runs as SYSTEM, to execute code of their choosing.
This is not the first time such a vulnerability has been identified and patched. There is a long history of attackers using the print spooler service as an entry point to compromise systems. For example, the infamous Stuxnet malware that affected the Iranian nuclear facilities in 2010 used a print spooler flaw (MS10-061) to run code as SYSTEM and spread between machines.
So, what has this got to do with PrintNightmare? It was security researchers examining June’s spooler patch, and publishing a proof of concept for it, that led to the discovery that the fix was incomplete.
The Print Nightmare Story
What is the Problem?
Microsoft published CVE-2021-34527, dubbed “PrintNightmare,” on July 1st. It is distinct from the previous month’s disclosure, with a different attack vector, but it sits in the same print spooler service. It is reachable over the network: any authenticated user (a standard domain account is enough) who can reach the spooler’s RPC interface can exploit it, whereas the earlier CVE-2021-1675 was initially treated as a local version of the same problem. A successful attacker has their code executed with the spooler’s privileges, which is SYSTEM. Exploiting this Remote Code Execution (RCE) means they effectively control the affected system and can steal sensitive data or disrupt operations.
What is a Print Spooler Service?
In essence, the print spooler service manages the connection to, and operation of, every printer attached to a Windows-based device. It downloads and installs the printer drivers that let the device talk to each printer in that printer’s own language, whatever the manufacturer chose. It also manages print jobs: it queues the documents that applications send, orders them by priority, and spools the data to disk so the application can carry on while the job is fed to the printer.
Domain controllers run the same print spooler service by default; among other things it is used to add and remove printers published in Active Directory (the printer pruning function). The spooler runs as SYSTEM, and domain controllers handle the authentication requests for the whole domain and control access to domain resources. The result is that any authenticated user can connect remotely to a domain controller’s print spooler, a significant weakness at the core of the network’s security controls.
The print spooler service also lets any Windows device act as a print client, printing to a local or shared printer, or as a print server, sharing its local printers with other devices on the network. The problem is that we have grown used to plugging a new printer in anywhere on a network and using it, reasonably painlessly, from any device connected to that network. That usability rests on the spooler’s privileges: it runs as SYSTEM on every host, and its Point and Print feature lets ordinary users pull driver packages from a print server and have them installed, and updated to the latest version, without an administrator’s involvement.
So, what is the Risk with PrintNightmare?
The problem with the PrintNightmare vulnerability is that an attacker who holds any valid domain credential, even a low-privileged one, can ask a remote spooler to install a printer driver whose Dynamic-link library (DLL) the attacker controls, and the spooler loads that DLL as SYSTEM. If the target is a print server or a domain controller, that is effectively administrative control of the environment. The foothold can then be used to upload further malicious programs or to exfiltrate sensitive information.
The concern with PrintNightmare is that such code already exists: a security researcher published a proof of concept for June’s patched LPE vulnerability, and it was that proof of concept that showed July’s RCE flaw was still present on patched systems. Microsoft has issued an out-of-band patch for this second flaw, but it is safe to say that copies of the proof of concept are circulating and probably being used.
Is that the End of the Story?
Sadly, the “PrintNightmare” vulnerability may have been patched, but more flaws in the Windows print spooler service have been identified since, and more will be discovered.
The latest, CVE-2021-34481, is another local elevation of privilege in the spooler. A further defect with a possible RCE exploit has been reported but is yet to be assigned a CVE number. Microsoft’s official short-term workaround is to stop and disable the print spooler service on every device that does not need it until the flaw is patched.
Update 8/13/2021: we address a new one, CVE-2021-36958, on our Community site.
The downside of that advice is that you lose the ability to print until all security patches are applied. It also does nothing for the vulnerabilities that are not yet patched. The various short-term fixes published on the internet are temporary measures; a long-term solution is essential to protect your infrastructure effectively.
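Disabling the spooler everywhere is rarely possible, so in practice the interim mitigations are applied by role: the service is switched off where a host never prints (domain controllers above all), print clients keep the service but refuse inbound connections, and print servers, which must accept clients, have Point and Print locked down so that only administrators can install drivers. The following is an added example, not code from this article or from Pharos, that audits one host and applies the matching mitigation. The registry locations and value names are the ones Microsoft documents for these workarounds; the role detection logic is this example’s assumption.

```powershell
# Added example (not from the original article): audit a host's exposure and
# apply Microsoft's interim spooler mitigations. Run elevated on each host,
# or wrap the functions in Invoke-Command for a fleet.

$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrint  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-SpoolerExposure {
    # Snapshot of everything the interim guidance asks you to check.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path $PrintersPolicy -ErrorAction SilentlyContinue
    $pp  = Get-ItemProperty -Path $PointAndPrint  -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDc   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerState       = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'NotInstalled' }
        SharedQueues       = $shared.Count
        # Policy "Allow Print Spooler to accept client connections": 2 = disabled (no inbound RPC)
        AcceptsRemoteClients = ($pol.RegisterSpoolerRemoteRpcEndPoint -ne 2)
        # Point and Print: a value of 1 here lets non-admins install driver packages silently
        NoWarningNoElevationOnInstall = $pp.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $pp.UpdatePromptSettings
        # Added by the August 2021 update: 1 = only administrators may add drivers
        RestrictDriverInstallationToAdministrators = $pp.RestrictDriverInstallationToAdministrators
    }
}

function Set-SpoolerMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # None   = host never prints (DCs, most servers): stop and disable the service.
        # Client = prints but never shares a queue: keep the service, refuse inbound RPC.
        # Server = shares queues: must accept clients, so harden Point and Print and patch.
        [ValidateSet('None', 'Client', 'Server')][string]$Role = 'None'
    )
    if ($Role -eq 'None') {
        if ($PSCmdlet.ShouldProcess('Spooler service', 'stop and disable')) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
        return
    }
    New-Item -Path $PointAndPrint -Force | Out-Null
    if ($PSCmdlet.ShouldProcess('Point and Print policy', 'require elevation and admin rights for driver installs')) {
        Set-ItemProperty -Path $PointAndPrint -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
        Set-ItemProperty -Path $PointAndPrint -Name UpdatePromptSettings          -Value 0 -Type DWord
        Set-ItemProperty -Path $PointAndPrint -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    }
    if ($Role -eq 'Client' -and $PSCmdlet.ShouldProcess('Spooler RPC endpoint', 'refuse remote client connections')) {
        Set-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    }
    Restart-Service -Name Spooler   # the policy values are read when the service starts
}

# Usage: review the audit, derive the role, dry-run with -WhatIf, then apply for real.
$exposure = Get-SpoolerExposure
$exposure | Format-List
$role = if ($exposure.IsDomainController) { 'None' }
        elseif ($exposure.SharedQueues -gt 0) { 'Server' }
        else { 'Client' }
Set-SpoolerMitigation -Role $role -WhatIf
```

Note the trade-off the “Server” branch makes explicit: a print server cannot refuse remote clients, so the only interim protection it gets is the Point and Print lockdown plus the patch, which is why the rest of this article argues for removing the print server altogether.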
Long Term Protective Measures Against PrintNightmare
Option 1: Patching and Praying
Keeping up to date with security patches for the print spooler service provides a level of protection, but it seems just a matter of time before the next PrintNightmare is found. At the time of writing the CVE database contains 37 records for the print spooler service, and more vulnerabilities are known to have been found.
The problem is that well-resourced attackers may find and exploit a vulnerability before Microsoft is aware of its existence and has created and distributed a security patch. This window of opportunity means that any organization using Windows-based print servers is potentially at risk from remote attack. A well-organized, typically state-backed group will silently use such a window to plant malware in as many vulnerable organizations as possible, which lets them complete the attack later, even after the original vulnerability has been found, patched, and resolved.
For organizations that present an attractive target to hackers, this risk may be substantial. Intellectual property and sensitive commercial information are as much a target as cash reserves. The financial or reputational cost of falling victim to an attack could result in the collapse of the business.
Option 2: Permanently Counter Windows Print Server Vulnerabilities by Moving Print Services
Windows-based print servers present a significant range of attack points. The spooler has a long record of exploitable weaknesses, and any long-term solution will need to address the points below if it is to be effective. Moving print services to a secure cloud-based print management solution addresses all of them.
Eliminate the need for printer driver management, which often allows weak legacy communications protocols
The installed printer drivers on a network are only as secure as the protocols they use to talk to printers, which are chosen by the manufacturer and well outside the network administrator’s control. Many are legacy protocols with no authentication or encryption: SNMPv1 and v2c send their community strings in clear text, and raw-port (9100) and LPD printing carry the job data unprotected, so an attacker on the network path can read or tamper with the traffic. Driver packages themselves are fetched from a share on the print server, so an attacker who can write to, or impersonate, that share can substitute their own DLL. Either route lets an attacker compromise the integrity of the server and use it as a base for lateral movement and privilege escalation across the network.
Eliminate drivers and eliminate this attack surface. A cloud-based secure printing solution that does not rely on manufacturer drivers doesn’t require a network administrator to configure communications protocols, enforcing secure connectivity by default.
Avoid unconstrained network-wide access, required for print processes using allow lists and exceptions in security software that bypass protective controls
Shared print queues need specific Transmission Control Protocol (TCP) ports open (SMB on TCP 445, the RPC endpoint mapper on TCP 135 plus a dynamic port range) and access to hidden administrative shares such as print$, from which clients download driver packages, along with privileged folders inside the Windows operating system. Security software therefore has to blanket-allow these operations across the network, open access that an attacker who has penetrated the network can use to extend their reach.
Eliminate the need for your network security controls to include exceptions for print services, by moving print infrastructure to the cloud, simplifying configuration and enhancing security robustness.
Default support for printers connected to devices running older operating systems allows the use of weak legacy print protocols that can be exploited
The print spooler service and its Point and Print functionality have been present in every Windows version dating back to NT4 in the 1990s. As a result, they include support for legacy protocols, including SMB1 (also known as CIFS), so that they can serve Windows clients that do not speak the current Server Message Block (SMB) dialects.
While this legacy support simplifies integration with older systems, it lets an attacker exploit the inherent weaknesses of the older protocols. If a network includes legacy systems that cannot be upgraded, this risk cannot be removed. Upgrading and hardening systems to eliminate it can in turn introduce misconfiguration and compatibility problems.
Cloud-based secure printing solutions eliminate the need for your network administrator to configure print mechanisms and enforces secure protocols by default.
Remove print spoolers and servers from multi-use servers
Most typical infrastructures are not afforded the luxury of having a dedicated print server. Usually, the print server device also performs other functions such as file-sharing or an internal web server. Unfortunately, these multiple uses open the potential for vulnerabilities or misconfiguration of Access Control Lists (ACLs) or Active Directory group memberships that allow unauthorized users access to the print server function.
By replacing print servers with a cloud service, companies eliminate the associated risks that multi-use servers can create.
Encrypt all print file transmission and storage to prevent eavesdropping
A standard print spooler deployment passes job data across the network in clear text unless SMB 3 encryption has been deliberately enforced on the shares, and the final hop to the printer is usually unencrypted. The data is therefore vulnerable to eavesdropping or interference while in transit, and at rest in temporary storage, including the spool directory on the server and the printer’s own memory.
Cloud-based secure printing solutions protect your data in transit and at rest using robust encryption algorithms managed by the solution provider.
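For anyone who has to keep a Windows print server for now, the two points above (legacy SMB1 clients, and clear-text job data on the wire) are both settings on the SMB server. The following is an added example, not code from this article or from Pharos, that reports the weak configuration beside the hardened one and applies the hardening with confirmation. The cmdlets and property names are the standard SmbShare module ones; the print$ share name is the usual Windows driver share.

```powershell
# Added example (not from the original article): audit and harden the SMB
# transport a Windows print server uses for the print$ driver share and for
# spooled jobs. Run elevated on the print server.

function Get-PrintShareTransportState {
    $cfg   = Get-SmbServerConfiguration
    $share = Get-SmbShare -Name 'print$' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # SMB1 (CIFS) has no encryption and weak integrity; $true = legacy clients still served
        Smb1Enabled              = $cfg.EnableSMB1Protocol
        # Signing stops tampering with job data and driver packages in transit
        RequireSecuritySignature = $cfg.RequireSecuritySignature
        # EncryptData = $true wraps every share in AES; SMB 3.0+ clients only
        EncryptData              = $cfg.EncryptData
        # With RejectUnencryptedAccess = $false, older clients silently fall back to clear text
        RejectUnencryptedAccess  = $cfg.RejectUnencryptedAccess
        PrintShareExists         = [bool]$share
        PrintShareEncrypted      = if ($share) { $share.EncryptData } else { $null }
    }
}

function Set-PrintShareTransportHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Keep this $false only while SMB 2.x-only clients must still print; it is
        # the compatibility trade-off the text above describes.
        [bool]$RejectUnencrypted = $true
    )
    if ($PSCmdlet.ShouldProcess('SMB server', 'disable SMB1, require signing, encrypt shares')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $RejectUnencrypted -Force
    }
    Get-PrintShareTransportState
}

# Usage: compare before and after; the second call is a dry run until -WhatIf is removed.
Get-PrintShareTransportState | Format-List
Set-PrintShareTransportHardening -WhatIf
```

After hardening, any client that cannot negotiate SMB 3.0 loses access to the print$ share, which is exactly the legacy-client compatibility problem described above; the `RejectUnencrypted` switch exists so that the encryption can be turned on first and the fallback closed once the last such client is gone.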
Eliminating the Print Nightmare Risk
The fundamental problem with print servers is that they cannot be securely locked down without disabling the ability for users to print documents across a network.
The best long-term protective measure is arguably to eliminate the need for the printer spooler service from the network. This not only removes the risk but has the added benefit of reducing your infrastructure overhead and administration workload.
This is where Pharos can help. Pharos Beacon provides a completely serverless printing infrastructure that delivers both secure and direct-to-printer workflows for businesses.
Pharos Beacon as a Solution
Removing Windows-based print servers from your network may sound like a radical concept. Still, Pharos has been providing serverless printing services since 2015, using trusted technology utilized on over 2,250,000 desktops worldwide. The Pharos Beacon cloud-based print management solution replaces legacy Windows printers with a secure service that eliminates print spooler services, printer drivers, and all the vulnerabilities they bring to your infrastructure.
Adopting a centrally managed cloud print management solution will reduce the attack surface for your organization by eliminating the need for a printer spooler service to be running on every Windows-based device, including the domain controllers. The removal of the printer spooler service from a domain controller represents eliminating a significant security weakness in the network.
Because it is a cloud-based service, the security software running on your network does not need to carry allow-list entries and exceptions for print services. This closes potential holes in your security controls that an unauthorized user could exploit to traverse your network in search of further vulnerabilities.
Pharos Beacon encrypts all communications channels used for print jobs to eliminate any risk of eavesdropping on an organization’s network, accessing potentially sensitive information as it transits from the end-user device to the printer. Its Secure Print facility also encrypts the data for print jobs while at rest utilizing a zero-knowledge AES-256 encryption algorithm to maximize protection.
The final and critical point is that this service does not require clients to upgrade their workstations or existing printer fleet. Instead, what it does is remove an expensive security problem from your network and improve the printing experience for your IT administrators and users alike, thanks to our best-in-class cloud technologies.
You can wake up from the PrintNightmare without turning off printing
The “PrintNightmare” story has highlighted the myriad security issues that print services can introduce into your business’s infrastructure. Migrating to a cloud-based serverless secure printing service can eliminate not just the “PrintNightmare” risks but future risks from weaknesses in the Windows print spooler code that have yet to be found. Added benefits are compatibility with existing infrastructure and a reduced IT administration workload. The good news is that Pharos can help you achieve this painlessly and cost-effectively; everybody wins except the attackers.