
A free unofficial patch has been released to protect Windows users from all new PrintNightmare zero-day vulnerabilities discovered since June.
Technical details and a proof-of-concept (PoC) exploit for a new Windows print spooler vulnerability named 'PrintNightmare' (CVE-2021-34527) were accidentally disclosed in June.
This vulnerability allows remote code execution and local privilege escalation by installing malicious printer drivers.
While Microsoft released a security update for the remote code execution portion, researchers quickly bypassed the local privilege elevation component. Since then, security researcher and Mimikatz creator Benjamin Delpy has been devising further vulnerabilities targeting the print spooler that remain unpatched.
These are critical vulnerabilities as they allow anyone to gain SYSTEM privileges on a local device, even a Domain Controller, simply by connecting to a remote Internet-accessible print server and installing a malicious print driver.
Once a threat actor gains SYSTEM privileges, it is game over for the system. If this is done on a Domain Controller, then the threat actor now effectively controls the Windows Domain.
Free PrintNightmare micropatch released
Mitigations for the zero-day PrintNightmare vulnerabilities are already available through the 'PackagePointAndPrintServerList' group policy, which allows you to specify an allow list of approved print servers from which a print driver may be installed.
Enabling this policy, along with a fake server name, will effectively block Delpy's exploits, as any print server not on the list will be blocked.
However, for those who want to install a patch and not try to understand advisories and fiddle with group policies, the 0patch micropatching service has released a free micropatch that can be used to fix all known PrintNightmare vulnerabilities.
"We therefore decided to implement the group policy-based workaround as a micropatch, blocking Point and Print printer driver installation from untrusted servers. This workaround employs Group Policy settings: the 'Only use Package Point and Print' first requires that every printer driver be in the form of a signed package, while the 'Package Point and print - Approved servers' limits the set of servers from which printer driver packages are allowed to be installed," Kolsek explains in a blog post.
"These settings are configurable via registry. Our patch modifies function DoesPolicyAllowPrinterConnectionsToServer in win32spl.dll such that it believes that PackagePointAndPrintOnly and PackagePointAndPrintServerList values exist and are set to 1, which enables both policies and keeps the list of approved servers empty."
You need to register a 0patch account and then install an agent on your Windows device to install the patch. Once installed, 0patch will automatically protect you from the PrintNightmare vulnerability and other unpatched bugs.
[Screenshot: installing the 0patch agent. Source: BleepingComputer]
In a test by BleepingComputer, once installed, if you attempt to install Delpy's malicious PrintNightmare driver, a message will appear stating that a policy has blocked the computer from connecting to the print queue, as shown below.
[Screenshot: policy message blocking the connection to the print queue. Source: BleepingComputer]
While 0patch is an essential tool for blocking unpatched vulnerabilities, Delpy says that, in this particular case, enabling the group policies that block exploitation of all known PrintNightmare bugs might be a better approach.
"If you push binaries to a computer to push settings … you can also push settings," Delpy told BleepingComputer.
"Doing so avoids altering processes in memory, always dangerous stuff that security products don't like (and MS does not support...)."
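Delpy's "push settings" suggestion, and the two values 0patch says its micropatch pretends exist, both come down to the same pair of policy registry values. The following PowerShell script is an added example, not code from the article, 0patch or Delpy: it audits those values and can apply them. The value names PackagePointAndPrintOnly and PackagePointAndPrintServerList are the ones quoted above; the registry path under HKLM\SOFTWARE\Policies and the ListofServers subkey are assumptions, so verify them against your own policy template before relying on the script.

```powershell
# Audit (and optionally apply) the registry form of the two Point and Print policies.
# Assumed path: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint
# Value names are those quoted from 0patch; both set to 1 with an empty server list
# matches what the micropatch makes win32spl.dll believe.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$Apply,                   # write the hardened values instead of only reporting
    [string[]]$ApprovedServers = @()  # optional trusted print servers (FQDNs); empty = none
)

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$List = Join-Path $Base 'ListofServers'   # assumed subkey holding the approved server names

function Get-PnPPolicyState {
    $only = (Get-ItemProperty -Path $Base -Name PackagePointAndPrintOnly -ErrorAction SilentlyContinue).PackagePointAndPrintOnly
    $list = (Get-ItemProperty -Path $Base -Name PackagePointAndPrintServerList -ErrorAction SilentlyContinue).PackagePointAndPrintServerList
    $servers = @()
    if (Test-Path $List) {
        # Value names are the server names; skip the key's unnamed default value.
        $servers = @((Get-Item $List).GetValueNames() | Where-Object { $_ -ne '' })
    }
    [pscustomobject]@{
        PackagePointAndPrintOnly       = $only
        PackagePointAndPrintServerList = $list
        ApprovedServers                = $servers
        # Mitigated only when both policies are on; anything else lets an untrusted server supply a driver.
        Mitigated                      = ($only -eq 1 -and $list -eq 1)
    }
}

if ($Apply) {
    New-Item -Path $Base -Force | Out-Null
    Set-ItemProperty -Path $Base -Name PackagePointAndPrintOnly       -Value 1 -Type DWord
    Set-ItemProperty -Path $Base -Name PackagePointAndPrintServerList -Value 1 -Type DWord
    New-Item -Path $List -Force | Out-Null
    # Replace any previously approved servers with exactly the ones passed in.
    (Get-Item $List).GetValueNames() | Where-Object { $_ -ne '' } |
        ForEach-Object { Remove-ItemProperty -Path $List -Name $_ }
    foreach ($s in $ApprovedServers) { Set-ItemProperty -Path $List -Name $s -Value $s -Type String }
}

$state = Get-PnPPolicyState
$state | Format-List
if (-not $state.Mitigated) {
    Write-Warning 'Package Point and Print restrictions are not fully enabled; untrusted servers may still supply printer drivers.'
}
```

Run without switches to audit; with -Apply (and optionally -ApprovedServers print1.corp.example) to set the same state the micropatch emulates, but with a real allow list instead of an empty one.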
Comments
storkinsj - 1 year ago
Great info.
A comment:
"Doing so avoids altering process in memory, always a dangerous stuff that security product don't like (and MS does not support...)."
Releasing zero-days without clear mitigation plans available to customers is many times more dangerous. Expecting users to understand and apply settings at home through domain policies is ridiculous.
At least mom and pop can run 0patch and get covered when these software updates are not available. These patches aren't dangerous; they are small and thus trivial to code-inspect for problems, and ONLY touch the code in question. This allows patches to beat the releases to the punch because of the reduced regression risk. This reduces risk for everyone involved including Delpy. Delpy should think about releasing 0patches with his research. That gets Microsoft going while protecting people from the collateral damage of his research.
NoneRain - 1 year ago
Home users shouldn't need these mitigations in most cases, tho.
To be affected, they would need to connect to infected print servers...
This is something to fear in enterprises, since it's a SYSTEM escalation that could easily spread laterally, but only if the print server was compromised in the first place. The threat actors need to deploy a malicious print driver with a trusted Authenticode cert., mostly by infecting the print servers if they were exposed to the internet, or as a "step" to just grow on a network that is already infected.
NoneRain - 1 year ago
That said, MS SHOULD release a fix (a complete one) via WU, and not as a mitigation in a KB article.
FastEddie767 - 1 year ago
0Patch releasing this is great and I applaud them for giving it away for free, but since this is an enterprise issue, I wish they had a way to roll this out via GPO.
freon - 1 year ago
Why is it necessary to patch win32spl.dll? Can't the same thing be done by importing registry settings?