21. October 2021

Printer mapping with deviceTRUST and Microsoft’s patch for CVE-2021-34527 – aka “Printer Nightmare”

Microsoft recently fixed several vulnerabilities in the print spooler and related functions. The vulnerabilities, publicly known as “Printer Nightmare”, can lead to remote code execution via the driver installation function.

All required information can be found at the following links:

As of today, the fix disables the possibility of automatic installation of printer drivers by users. This function has widely been used, especially in non-persistent, virtual environments. Users could map a network printer. If the required driver was not found locally, it would be installed automatically. The patches for CVE-2021-34527 limit driver installation to administrators and thus block this function for users.

Printer mapping with deviceTRUST

deviceTRUST enables printer mapping based on the context. With this function, you can – for example – automatically map printers to the user’s digital workspace based on the user’s location. This way, you can ensure that the user always has access to her nearest printer and enable a simple and effective follow-me-printing system.

As deviceTRUST runs the printer mapping function in the user’s context, the mitigation for “Printer Nightmare” leaves the printer mapping process nonfunctional. If the user is not allowed to map a printer, deviceTRUST cannot automate the process for them.

Workaround

Many of our customers’ environments rely on users being able to map their printers manually or automatically, even if no driver is present. With the patch for CVE-2021-34527 installed, some would need to disable the patch via the registry to keep their users productive. That is not a desired situation.

deviceTRUST can help make this problem as small as possible. When using deviceTRUST for automatic printer management, additional tasks can be executed. This enables administrators to disable automatic driver installation in general. If a printer needs to be mapped, deviceTRUST sets the registry value to enable driver installation just before the mapping, maps the printer and directly afterwards reverts the registry value to the required, secure state.

This is what an example configuration would look like:

Task sequence

Registry Task 1: Sets “RestrictDriverInstallationToAdministrators” to “0” and thus allows users to install drivers for PointAndPrint.

Map Printer – ExamplePrinter: Maps an example network printer.

Registry Task 2: Reverts “RestrictDriverInstallationToAdministrators” to “1” and thus prevents users from installing drivers for PointAndPrint.

You can find this configuration in our GitHub Repository: Configurations/dT_C_U_Printermapping_CVE-2021-34527.dtpol at main · deviceTRUST/Configurations (github.com)
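The same three-step sequence as a stand-alone PowerShell script, added here as an example and not taken from the deviceTRUST configuration or product. It assumes the policy key documented by Microsoft for the patch (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint); the function name and the printer path are placeholders. Note that the registry writes require elevation, so in this form all three steps run as the invoking account and the printer connection is created for that account, whereas deviceTRUST runs the registry tasks with elevated rights and the mapping in the user’s session.

```powershell
# Added example (not deviceTRUST's own configuration): open the driver-install
# window, map the printer, and close the window again in a finally block so a
# failed mapping can never leave the host in the permissive state.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueName        = 'RestrictDriverInstallationToAdministrators'

function Invoke-MappingWithTemporaryDriverInstall {
    [CmdletBinding()]
    param(
        # Placeholder UNC path of the shared printer to map.
        [Parameter(Mandatory)] [string] $ConnectionName
    )

    # The policy key may not exist yet on a freshly patched host.
    if (-not (Test-Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }

    try {
        # Step 1 (Registry Task 1): allow non-administrators to install drivers.
        Set-ItemProperty -Path $PointAndPrintKey -Name $ValueName -Value 0 -Type DWord
        Write-Verbose "$ValueName set to 0 at $(Get-Date -Format o)"

        # Step 2 (Map Printer): the connection pulls the driver via Point and Print.
        Add-Printer -ConnectionName $ConnectionName -ErrorAction Stop
    }
    finally {
        # Step 3 (Registry Task 2): always executed, even when Add-Printer throws,
        # so the window stays open only for the duration of the mapping itself.
        Set-ItemProperty -Path $PointAndPrintKey -Name $ValueName -Value 1 -Type DWord
        Write-Verbose "$ValueName reverted to 1 at $(Get-Date -Format o)"
    }

    # Verify the secure state is actually in place before returning.
    $current = (Get-ItemProperty -Path $PointAndPrintKey -Name $ValueName).$ValueName
    if ($current -ne 1) {
        throw "$ValueName is $current, expected 1; investigate before continuing."
    }
}

# Placeholder printer path; run from an elevated session.
Invoke-MappingWithTemporaryDriverInstall -ConnectionName '\\printserver\ExamplePrinter' -Verbose
```

The two Write-Verbose lines give you timestamps for the start and end of the window in which driver installation was permitted, which is what you want to see next to any driver-installation events from the same host when reviewing logs.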

Conclusion

For now, Microsoft’s mitigation for the security issue is a workaround. By disabling driver installation for users, the vulnerability can no longer be exploited. The mitigation can be disabled by setting specific registry keys.

Disabling driver installation for users leaves a lot of user environments less functional and productive.

With deviceTRUST Conditional Configuration you can keep your flexibility in printer mapping whilst maintaining an as secure as possible printer mapping configuration.


from Sven Jansen – Pre-Sales Manager DACH