Jul 05 2021 02:48 AM
Hi guys,
I wrote this blog post in the hope of making it possible to make decisions on how to mitigate PrintNightmare, while waiting for an official patch from Microsoft.
I hope it's useful 🙂
Jul 06 2021 10:29 PM
Jul 07 2021 11:36 PM - edited Jul 07 2021 11:39 PM
You talk to yourself like me - we are both mad - welcome to the club 🙂
There are articles you need to read here and here.
https://amp.thehackernews.com/thn/2021/07/microsofts-emergency-patch-fails-to.html
I have two thirds of my Windows 10 machines with the patch installed, although the M365 security portal says otherwise. The patch bumps the Windows 10 version to 10.0.x.1083, so I know they are patched.
The second link has a key that can be activated to remove the remaining vulnerability, so taking Thijs Lecomte's work, I modified his code to create a proactive remediation script (that I am still testing).
Detection
<#
Code sourced from here: https://thecollective.eu/blog/implement-workarounds-for-pinter-nightmare-with-mem/
Code copyright of THIJS LECOMTE
Code modified from here : https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
Detection script for Printnightmare KB5005010
Code not used but under investigation.
#>
$RegPath  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
$RegKey   = "RestrictDriverInstallationToAdministrators"
$RegValue = 1

try {
    # Exit 1 = non-compliant, so Intune runs the remediation script
    if (!(Test-Path $RegPath -ErrorAction Stop)) {
        Write-Host "Path doesn't exist"
        Exit 1
    }
    # Read only the value we care about; a missing value leaves the property $null
    $key = Get-ItemProperty -Path $RegPath | Select-Object -Property $RegKey -ErrorAction Stop
    if ($key."$RegKey" -eq $RegValue) {
        Write-Host "Key has correct value"
        Exit 0
    }
    else {
        Write-Host "Key has incorrect value or doesn't exist"
        Exit 1
    }
}
catch {
    Write-Host "Key doesn't exist"
    Exit 1
}
Remediation
<#
Code sourced from here: https://thecollective.eu/blog/implement-workarounds-for-pinter-nightmare-with-mem/
Code copyright of THIJS LECOMTE
Code modified from here : https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
Remediation script for Printnightmare KB5005010
Code not used but under investigation
#>
$RegPath  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
$RegKey   = "RestrictDriverInstallationToAdministrators"
$RegValue = 1

# -Force also creates the parent keys (Printers\PointAndPrint) when they are missing
if (!(Test-Path $RegPath -ErrorAction Stop)) {
    New-Item -Path $RegPath -Force | Out-Null
    Write-Host "Created path"
}
try {
    # KB5005010 expects a REG_DWORD of 1
    Set-ItemProperty -Path $RegPath -Name $RegKey -Value $RegValue -Type DWord -ErrorAction Stop
    Write-Host "Key has been set"
    # The spooler only reads the Point and Print values at start, so restart it
    Restart-Service -Name "Spooler" -Force
    Write-Host "Spooler has been reset"
}
catch {
    Write-Error "Error setting key"
}
Since I am waiting on the M365 portal to determine the status of my machines and am not at this point looking at the Streaming API or the use of PowerBI (it's a test tenant and I am trying to control costs), I am going to wait another 12 hours before I upload the proactive remediation, which will take another 24 hours in the M365 portal to see the results (really annoying, Microsoft).
Be warned I am a hobbyist and in training. I am not responsible for a production environment.
If you have a DC and access to group policy you have more abilities than me. I am pure Intune.
Any feedback is better than no feedback.
Sincerely.
Leon Scott.
Jul 08 2021 02:00 AM
Hello Leon @braedachau ,
Ha ha, yes isn't it great to be mad
Yes, I'm actually about to update my blog post about the most recent discoveries.
However, I think you might have confused two things here.
KB5005010 describes how you can further enhance your security posture after applying the patch.
But it is not the one that determines whether the machine is still susceptible to Remote Code Execution attacks after the patch.
This is what KB5005010 is about:
What makes the machine still vulnerable to Remote Code Execution attacks even after installing the July patch is if the "NoWarningNoElevationOnInstall" value is set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint key.
Which maps to this (vulnerable) GP configuration:
Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions is enabled and has the setting:
Security Prompts:
When installing drivers for a new connection = Do NOT show warning and elevation prompt
https://twitter.com/wdormann/status/1412813044279910416?s=20
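To tie the two posts together, here is an added example (my own, not Leon's or Thijs Lecomte's code) of a proactive-remediation style script that checks both things at once: whether the Point and Print values that keep a patched machine exposed (NoWarningNoElevationOnInstall, and UpdatePromptSettings from the MSRC CVE-2021-34527 guidance) are set to 1, and whether the KB5005010 hardening value RestrictDriverInstallationToAdministrators is set. The `$Remediate` flag is an assumption for illustration: Intune runs detection and remediation as two separate scripts, so you would upload the script with `$Remediate = $false` as the detection script and a copy with `$Remediate = $true` as the remediation script.

```powershell
# Added example, not the thread's original code. Assumes it runs as SYSTEM (Intune
# proactive remediation) on a Windows 10 machine that already has the July 2021 update.
$Remediate = $false   # hypothetical flag: $false = detection copy, $true = remediation copy

$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    # Returns the DWORD value, or $null when the key or the value does not exist
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-Path -Path $PointAndPrint)) { return $null }
    $item = Get-ItemProperty -Path $PointAndPrint -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PrintNightmareExposure {
    # Maps the registry state back to the GP settings discussed above:
    #   NoWarningNoElevationOnInstall = 1  -> "Do NOT show warning and elevation prompt" (still exposed)
    #   UpdatePromptSettings          = 1  -> same for driver updates (per MSRC guidance)
    #   RestrictDriverInstallationToAdministrators = 1 -> KB5005010 hardening applied
    $noWarn    = Get-PointAndPrintValue -Name 'NoWarningNoElevationOnInstall'
    $updPrompt = Get-PointAndPrintValue -Name 'UpdatePromptSettings'
    $restrict  = Get-PointAndPrintValue -Name 'RestrictDriverInstallationToAdministrators'

    [pscustomobject]@{
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $updPrompt
        RestrictDriverInstallationToAdministrators = $restrict
        # Absent values count as 0, which is the safe default
        StillExposed = (($noWarn -eq 1) -or ($updPrompt -eq 1))
        Hardened     = ($restrict -eq 1)
    }
}

function Set-PointAndPrintHardening {
    # Writes the non-vulnerable prompt settings plus the KB5005010 value, then
    # restarts the spooler so the new values are picked up
    if (-not (Test-Path -Path $PointAndPrint)) {
        New-Item -Path $PointAndPrint -Force | Out-Null
    }
    Set-ItemProperty -Path $PointAndPrint -Name 'NoWarningNoElevationOnInstall' -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrint -Name 'UpdatePromptSettings'          -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrint -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
    Restart-Service -Name 'Spooler' -Force
}

$state = Test-PrintNightmareExposure
Write-Host ($state | Format-List | Out-String)

# Exit 1 tells Intune the device is non-compliant; exit 0 means compliant
if ($state.StillExposed -or -not $state.Hardened) {
    if ($Remediate) {
        try {
            Set-PointAndPrintHardening
            Write-Host 'Point and Print values hardened and spooler restarted'
            exit 0
        }
        catch {
            Write-Error "Remediation failed: $_"
            exit 1
        }
    }
    Write-Host 'Non-compliant: still exposed or KB5005010 value not set'
    exit 1
}
Write-Host 'Compliant'
exit 0
```

Note that the detection copy never writes to the registry, so it is safe to let it report for a day before enabling the remediation copy, which matches the staged approach Leon describes.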
Jul 10 2021 01:46 AM
Jul 14 2021 01:55 AM
Jul 14 2021 02:20 AM
Jul 14 2021 03:48 AM
Jul 14 2021 03:59 AM
Yes, but the setting that poses a threat = is human error.
But organizations often delay the update - I encourage quick deployments!
Thank you for the interesting topic!
Jul 14 2021 09:02 AM
Jul 14 2021 09:27 AM
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
I think the time will not go back - well, it was revealed!