You may have heard about a security issue called “PrintNightmare” and its impact on Microsoft’s Windows Print Spooler Service. In this article we outline the issue and how to mitigate the impact when printing using YSoft SAFEQ.
On June 8, 2021, Microsoft issued a patch for a remote code execution (RCE) vulnerability in its Windows Print Spooler service. The issue was dubbed “PrintNightmare,” and logged as CVE-2021-1675. On June 30, security researchers indicated that the patch did not completely resolve the vulnerability, and that the Print Spooler service was still vulnerable.
Microsoft subsequently issued an update and FAQ on July 2 indicating that the code that was publicly available was exploiting a similar, but different issue in the Windows Print Spooler. Microsoft assigned CVE-2021-34527 to this second vulnerability and advised customers of two possible workarounds until a patch was issued.
UPDATE: Microsoft has issued an out-of-band update to partially address CVE-2021-34527 in supported operating systems, with the exception of Windows 10 version 1607, Windows Server 2012, and Windows Server 2016. Customers are urged to apply these security patches as soon as possible. Since the patch only addresses the Remote Code Execution aspect, and not the local privilege escalation variant, the below advice still applies.
Option 1: Disable Print Spooler Service
Microsoft advised its users to disable the Print Spooler service on critical systems, such as domain controllers, until a patch could be issued, with the understanding that doing so would effectively prevent printing to or from these systems until a proper patch could be issued.
Option 2: Disable inbound printing through Group Policy
Because the vulnerability exploited the function RpcAddPrinterDriverEx(), setting group policy to disable inbound printing also mitigates the vulnerability by forcing an attacker to have local access to a machine. However, it also disallows inbound print job transmission from legitimate clients, such as in a print server environment.
HOW PRINTNIGHTMARE AFFECTS YSOFT SAFEQ SERVERS
Y Soft has found that depending on the Print Spooler for our server software has several major limitations; as such, we have designed our server components not to rely on it. With some exceptions (see below), customers can follow Microsoft’s guidance to disable the Print Spooler service on servers running YSoft SAFEQ.
Exceptions
Customers may have leveraged the Print Spooler service to share print queues out to client workstations, either through Group Policy, or through printer discovery. Disabling the Print Spooler service in this case would prevent users from adding devices to their workstations, and without Branch Office Direct Printing enabled, a user cannot send print jobs.
The Legacy Enterprise Client (formerly the SAFEQ Client) also relies on the Print Spooler service; disabling it will prevent the Enterprise Client from accepting print jobs from users.
HOW PRINTNIGHTMARE AFFECTS YSOFT SAFEQ CLIENT WORKSTATIONS
Both traditional Windows print drivers and the YSoft SAFEQ FlexiSpooler service depend on the Print Spooler. Disabling the Print Spooler on the client workstation will prevent the local user from printing. Instead, disable the ability to accept client connections in Group Policy by changing the following setting:
Administrative Templates -> Printers -> “Allow Print Spooler to accept client connections” -> No
Doing so will reduce the attack surface to local workstations.
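The following PowerShell script is an added example, not Y Soft’s or Microsoft’s code, that audits a Windows host for the two mitigations described above (Option 1: Print Spooler service disabled; Option 2 and the workstation setting: inbound client connections disallowed) and provides helper functions to apply either one. It assumes an elevated session on Windows with PowerShell 5 or later, and that the Group Policy setting “Allow Print Spooler to accept client connections” is backed by the DWORD value RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, with 2 meaning Disabled; writing that value locally is the registry equivalent of the policy, and a domain GPO that configures the same setting will overwrite it at the next policy refresh.

```powershell
# Added example (not Y Soft's or Microsoft's code): audit and apply the
# PrintNightmare mitigations described in the article on the local machine.
# Assumptions: elevated PowerShell 5+ on Windows; the policy value
# RegisterSpoolerRemoteRpcEndPoint (2 = Disabled) is the registry backing store
# for "Allow Print Spooler to accept client connections".

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerMitigationState {
    [CmdletBinding()]
    param()

    # Option 1 check: is the service stopped and set not to start?
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning  = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $spoolerDisabled = ($null -ne $svc) -and ($svc.StartType -eq 'Disabled')

    # Option 2 / workstation check: does policy forbid inbound client connections?
    $rpcValue = $null
    if (Test-Path $PolicyKey) {
        $rpcValue = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                        -ErrorAction SilentlyContinue).$PolicyName
    }
    $inboundBlocked = ($rpcValue -eq 2)

    $policyState = if ($null -eq $rpcValue) { 'NotConfigured' }
                   elseif ($inboundBlocked) { 'Disabled' }
                   else { "Enabled (value=$rpcValue)" }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        SpoolerRunning           = $spoolerRunning
        SpoolerStartTypeDisabled = $spoolerDisabled
        ClientConnectionsPolicy  = $policyState
        InboundPrintingBlocked   = $inboundBlocked
        # Either mitigation removes the remote attack path; the Print Spooler
        # itself is still present for the local privilege escalation variant.
        RemotePathMitigated      = ($spoolerDisabled -and -not $spoolerRunning) -or $inboundBlocked
    }
}

function Disable-SpoolerService {
    # Option 1: stop the service and prevent it from starting again.
    # Note from the article: this stops ALL printing to or from this host,
    # including shared queues and the Legacy Enterprise Client.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Disable-SpoolerInboundConnections {
    # Option 2 / client workstations: write the policy value that Group Policy
    # sets when "Allow Print Spooler to accept client connections" is Disabled.
    # Local printing keeps working; only inbound spooler RPC connections stop.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord `
                     -Value 2 -Force | Out-Null
    # The spooler reads the setting at start-up, so restart it to apply.
    Restart-Service -Name Spooler
}

# Report the current state; call Disable-SpoolerService or
# Disable-SpoolerInboundConnections afterwards as appropriate for the host.
Get-SpoolerMitigationState | Format-List
```

Run the audit first across the estate (for example through a remoting session or an endpoint management tool) and decide per host: YSoft SAFEQ servers that do not share queues or run the Legacy Enterprise Client are candidates for Disable-SpoolerService, while client workstations and print servers that must keep local printing should use Disable-SpoolerInboundConnections, preferably deployed as the Group Policy setting named above rather than the raw registry write.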
YSoft SAFEQ customers who receive support directly from Y Soft can contact Y Soft support through normal channels. Customers who receive support from a Y Soft partner (service provider) can contact their service provider for additional assistance. Y Soft will update this blog post when additional information becomes available.
NOAH NADEAU
Noah Nadeau is the Chief Information Security Officer for Y Soft globally. He is also an experienced Cajun cook, and enjoys tinkering with DIY projects in his spare time.