
I've researched this topic a few times and have not been able to come up with a definitive answer. It appears the threat may be multi-faceted.

I ask in the context of a standard Server/Client Windows network where end-users have shared network printers installed on their devices. Microsoft released a patch for CVE-2021-34481 (Print Nightmare) which restricts the installation of printer drivers to Administrators only. This necessarily breaks group policy printer deployments where end users have least privilege access. Microsoft provides a registry key to revert this behavior, and suggests coupling it with "Point and Print" group policy settings which restrict where the computer can install drivers from. However, they attach a disclaimer to these instructions, saying that they do not completely address the vulnerabilities in CVE-2021-34481. The problem is these vulnerabilities don't seem to be documented anywhere.

https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

My understanding of this threat is that the Print Spooler service runs as SYSTEM (with administrative permissions). An end-user (who does not have admin permissions) is typically able to find a printer shared from another Windows computer and connect to it. During this process, the Print Spooler downloads and executes driver files from the remote computer for the printer. If the remote computer is controlled by a malicious actor, those files could contain a malicious payload which is then executed on the victim's computer.

If this is so, it would seem that implementing the settings described in the KB, including setting the RestrictDriverInstallationToAdministrators registry key to 0 and using the "Users can only point and print to these servers" and "Package Point and Print - Approved servers" group policies, would sufficiently mitigate this risk to acceptable levels.

This should, apparently, allow non-admin users to still connect to printers, but only printers that are hosted on approved servers. If so, the only remaining threats would be if the server itself is compromised, or a MITM / Spoofing type of attack occurred.

Is all of this correct? Specifically, is there another vector to this flaw apart from the end-user connecting to a shared printer? e.g. malicious commands that can be sent to the affected workstation; code on the workstation that could elevate permissions despite the above protections? etc...

My end goal is to not disrupt the perfectly functioning process of automatically adding/removing network printers to hundreds of corporate users through group policy.

Appleoddity

1 Answer


There are three distinct vulnerabilities in the PrintNightmare family:

  • CVE-2021-34527, in which the print spooler service will allow a low-privilege user to install drivers from a remote printer. A malicious system can advertise itself as having a network-shared printer, and anyone who connects to it can become compromised.
  • CVE-2021-1675, a separate remote code execution vulnerability in the print spooler. This is unrelated to CVE-2021-34527. In this vulnerability, an attacker can send a maliciously crafted printer install request over the network, to a print server, that causes the print spooler service to copy a file from a remote location (e.g. SMB share) as the SYSTEM user, leading to RCE. This may or may not require the remote attacker to be authenticated, depending on the system configuration.
  • CVE-2021-34481, which allows a low privilege user to stage arbitrary driver files into the trusted driver store, by manipulating the cabinet (.cab) files associated with the installer package. This was initially classified as a local privilege escalation (LPE) to SYSTEM, but was later upgraded to RCE.

CVE-2021-34527 and CVE-2021-34481 affect client systems that are connecting to a remote printer. CVE-2021-1675 affects systems that share printers for clients to connect to (i.e. print servers).

It is important to note that all of these vulnerabilities can also be used for local privilege escalation; see the Concealed Position LPE toolkit for more details.

To answer your direct question:

Specifically, is there another vector to this flaw apart from the end-user connecting to a shared printer?

The MSKB you linked is explicit on this matter:

Important: There is no combination of mitigations that is equivalent to setting RestrictDriverInstallationToAdministrators to 1.

Setting RestrictDriverInstallationToAdministrators to 0 allows non-admin users to initiate printer driver installation. Configuring the "Users can only point and print to these servers" and "Package Point and Print - Approved servers" GPOs restricts the remote locations from which printer drivers can be installed, but this only prevents RCE. Critically, with RestrictDriverInstallationToAdministrators set to 0, a low privilege user can still initiate a local print driver install, elevating themselves to SYSTEM.

Additionally, on patched systems, RpcAuthnLevelPrivacyEnabled is set to 1 by default, which adds additional privilege requirements to the RPC interface that CVE-2021-1675 leverages. This has no effect on client systems, but it provides additional protection to print servers (i.e. systems that share printers for other users to connect to). In some environments this policy is disabled because it has poor compatibility with Linux systems. Disabling this policy on a system with shared printers may allow for RCE.

Polynomial
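An added example, not part of the question or of Polynomial's answer: a PowerShell audit that reads the registry values behind the settings the thread discusses (RestrictDriverInstallationToAdministrators, the "Users can only point and print to these servers" and "Package Point and Print - Approved servers" policies, and RpcAuthnLevelPrivacyEnabled) and reports the findings the answer would flag, so an administrator can check what a client or print server actually has in effect before deciding on the registry key. Assumptions: the registry paths are the documented policy locations for these settings; a value that is absent is treated as the post-patch default (1) for RestrictDriverInstallationToAdministrators and RpcAuthnLevelPrivacyEnabled, as the answer and KB describe; the function names are mine.

```powershell
# Added example (not from the original post): audit the Point and Print posture
# described in the answer. Assumptions: policy registry paths are the documented
# ones for these GPO settings; a missing value is treated as the post-patch
# default (1) for RestrictDriverInstallationToAdministrators and
# RpcAuthnLevelPrivacyEnabled. Run from an elevated PowerShell prompt.

function Get-RegDword {
    param([string]$Path, [string]$Name, [int]$DefaultWhenAbsent)
    # Get-ItemProperty returns nothing (error suppressed) when the key or value
    # does not exist; that is where the assumed default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $DefaultWhenAbsent }
    return [int]$item.$Name
}

function Get-PointAndPrintPosture {
    $pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $ppp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
    $prt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'

    # "Users can only point and print to these servers": TrustedServers=1 plus a
    # semicolon-separated ServerList string.
    $serverList = (Get-ItemProperty -Path $pp -Name 'ServerList' -ErrorAction SilentlyContinue).ServerList

    # "Package Point and Print - Approved servers": PackagePointAndPrintServerList=1
    # plus one string value per server under the ListofServers subkey.
    $pkgServers = @()
    if (Test-Path "$ppp\ListofServers") {
        $pkgServers = (Get-Item "$ppp\ListofServers").GetValueNames()
    }

    # Shared printers mean this host is acting as a print server, the side that
    # RpcAuthnLevelPrivacyEnabled protects. Get-Printer needs the PrintManagement module.
    $shared = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    }

    [pscustomobject]@{
        ComputerName                               = $env:COMPUTERNAME
        SpoolerStatus                              = (Get-Service -Name Spooler -ErrorAction SilentlyContinue).Status
        RestrictDriverInstallationToAdministrators = Get-RegDword $pp 'RestrictDriverInstallationToAdministrators' 1
        TrustedServersEnabled                      = Get-RegDword $pp 'TrustedServers' 0
        TrustedServerList                          = $serverList
        PackagePointAndPrintRestricted             = Get-RegDword $ppp 'PackagePointAndPrintServerList' 0
        PackagePointAndPrintApprovedServers        = ($pkgServers -join ';')
        RpcAuthnLevelPrivacyEnabled                = Get-RegDword $prt 'RpcAuthnLevelPrivacyEnabled' 1
        SharedPrinterCount                         = $shared.Count
    }
}

function Get-PointAndPrintFindings {
    param([Parameter(Mandatory)][pscustomobject]$Posture)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($Posture.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings.Add('RestrictDriverInstallationToAdministrators=0: non-admins can initiate driver installs. The approved-server lists limit where drivers come from but, as the answer notes, do not close the local elevation path.')
        if ($Posture.TrustedServersEnabled -ne 1 -or [string]::IsNullOrWhiteSpace($Posture.TrustedServerList)) {
            $findings.Add('"Users can only point and print to these servers" is not enforced: drivers may be pulled from any print server.')
        }
        if ($Posture.PackagePointAndPrintRestricted -ne 1 -or [string]::IsNullOrWhiteSpace($Posture.PackagePointAndPrintApprovedServers)) {
            $findings.Add('"Package Point and Print - Approved servers" is not enforced.')
        }
    }
    if ($Posture.RpcAuthnLevelPrivacyEnabled -eq 0 -and $Posture.SharedPrinterCount -gt 0) {
        $findings.Add('RpcAuthnLevelPrivacyEnabled=0 on a host that shares printers: the RPC hardening for the print-server side is switched off.')
    }
    if ($findings.Count -eq 0) {
        $findings.Add('No findings: driver installation is restricted to administrators and the print-server RPC hardening is in place where it matters.')
    }
    return $findings
}

# Usage: collect the posture, print it, then print the findings.
$posture = Get-PointAndPrintPosture
$posture | Format-List
Get-PointAndPrintFindings -Posture $posture | ForEach-Object { Write-Output "FINDING: $_" }
```

Run it on a representative client and on each print server: the answer's point is that the two server-list policies only narrow the remote source of drivers, so a client reporting RestrictDriverInstallationToAdministrators=0 will always carry the first finding, while RpcAuthnLevelPrivacyEnabled only matters on hosts that actually share printers.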