
YSoft SAFEQ and PrintNightmare Mitigation

You may have heard about a security issue called “PrintNightmare” and its impact on Microsoft’s Windows Print Spooler Service. In this article we outline the issue and how to mitigate the impact when printing using YSoft SAFEQ.
 
 
NOTE: This article has been updated on July 7, 2021 and on August 31. See the notations below.

On June 8, 2021, Microsoft issued a patch for a remote code execution (RCE) vulnerability in its Windows Print Spooler service. The issue was dubbed “PrintNightmare,” and logged as CVE-2021-1675. On June 30, security researchers indicated that the patch did not completely resolve the vulnerability, and that the Print Spooler service was still vulnerable.

Microsoft subsequently issued an update and FAQ on July 2 indicating that the code that was publicly available was exploiting a similar, but different issue in the Windows Print Spooler.  Microsoft assigned CVE-2021-34527 to this second vulnerability and advised customers of two possible workarounds until a patch was issued.

UPDATE August 31, 2021: Microsoft has addressed the issues raised in the Windows print spooler remote code execution vulnerability (known as PrintNightmare) with a patch release. Y Soft recommends that customers update Windows with the latest patches. Microsoft explains the issue and provides patch links in their security vulnerability page MITRE CVE-2021-34481.

UPDATE July 7, 2021: Microsoft has issued an out-of-band update to partially address CVE-2021-34527 in supported operating systems, with the exception of Windows 10 version 1607, Windows Server 2012, and Windows Server 2016. Customers are urged to apply these security patches as soon as possible. Since the patch only addresses the Remote Code Execution aspect, and not the local privilege escalation variant, the below advice still applies.
 

Option 1: Disable Print Spooler Service

Microsoft advised its users to disable the Print Spooler service on critical systems, such as domain controllers, until a patch could be issued, with the understanding that doing so would effectively prevent printing to or from these systems in the meantime.

 

Option 2: Disable inbound printing through Group Policy

Because the vulnerability exploited the function RpcAddPrinterDriverEx(), setting group policy to disable inbound printing also mitigates the vulnerability by forcing an attacker to have local access to a machine. However, it also disallows inbound print job transmission from legitimate clients, such as in a print server environment.

 

How PrintNightmare Affects YSoft SAFEQ Servers

Y Soft has found that dependency on the Print Spooler for our server software has several major limitations; as such, we have designed our server components to not rely on it. With some exceptions (see below), customers can follow Microsoft’s guidance to disable the Print Spooler service on servers running YSoft SAFEQ.

Exceptions

Customers may have leveraged the Print Spooler service to share print queues out to client workstations, either through Group Policy, or through printer discovery.  Disabling the Print Spooler service in this case would prevent users from adding devices to their workstations, and without Branch Office Direct Printing enabled, a user cannot send print jobs.

The Legacy Enterprise Client (formerly the SAFEQ Client) also relies on the Print Spooler service; disabling it will prevent the Enterprise Client from accepting print jobs from users.

How PrintNightmare Affects YSoft SAFEQ Client Workstations

Traditional Windows print drivers and the YSoft SAFEQ FlexiSpooler service both depend on the Print Spooler, so disabling the Print Spooler on the client workstation will prevent the local user from printing. Instead, disable the ability to accept client connections in Group Policy by changing the following setting:

Administrative Templates -> Printers -> “Allow Print Spooler to accept client Connections” -> No

Doing so will reduce the attack surface to local workstations.
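To confirm which of the two workarounds is actually in place on a given server or workstation, a read-only check such as the following can be run in an elevated PowerShell session. This is an added example, not code from Y Soft or Microsoft; the function name is hypothetical, and the registry path and value name are the standard policy location for this setting, which the article itself does not state.

```powershell
# Added example (not Y Soft or Microsoft code). Read-only: changes nothing.
# Get-SpoolerMitigationState is a hypothetical helper name.
function Get-SpoolerMitigationState {
    [CmdletBinding()]
    param()

    # Option 1: Print Spooler service state and start mode.
    # $svc is $null if the service is not installed on this host.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" -ErrorAction SilentlyContinue

    # Option 2: registry value behind "Allow Print Spooler to accept client
    # connections" (assumption: standard policy path, not given in the article).
    # 2 = policy disabled (inbound refused), 1 = enabled, absent = not configured.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $name   = 'RegisterSpoolerRemoteRpcEndPoint'
    $policy = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    $spoolerOff = ($null -eq $svc) -or ($svc.State -ne 'Running' -and $svc.StartMode -eq 'Disabled')
    $inboundOff = ($policy -eq 2)

    $assessment = if ($spoolerOff) {
        'Option 1 applied: spooler disabled, no printing to or from this host'
    } elseif ($inboundOff) {
        'Option 2 configured: spooler available locally, inbound client connections disabled by policy'
    } else {
        'Neither workaround applied: spooler not disabled and inbound policy not set to disabled'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        SpoolerState  = if ($svc) { $svc.State } else { 'NotInstalled' }
        SpoolerStart  = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        InboundPolicy = if ($null -eq $policy) { 'NotConfigured' } else { $policy }
        Assessment    = $assessment
    }
}

Get-SpoolerMitigationState | Format-List
```

The policy value only takes effect after the Print Spooler service has been restarted, so a host reporting Option 2 should also have had the service restarted since the policy was applied.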
 

YSoft SAFEQ customers who receive support directly from Y Soft can contact Y Soft support through normal channels. Customers who receive support from a Y Soft partner (service provider) can contact their service provider for additional assistance. Y Soft will update this blog post when additional information becomes available.


Noah Nadeau
Noah Nadeau used to be the Chief Information Security Officer for Y Soft globally before Martin Di Martini.