Esben_D
Lansweeper Employee
Hi all,

A 0-day vulnerability has been accidentally leaked by Microsoft which affects the Print Spooler service. It can lead to RCE and a domain takeover, so it is advised to disable the service on all Domain Controllers until Microsoft releases a fix. You can find more details in the PrintNightmare blog and report.
21 Comments
mike_carey
Engaged Sweeper II
Does this report work for Windows 7? We have 1 mission critical workstation that still runs this and it shows as unprotected and to install KB5004946, which is a Windows 10 fix. I just updated the report from your website. Windows Update on that workstation shows no updates to apply.

Thank you!
Esben_D
Lansweeper Employee
RKCar wrote:

My suggestion that will provide more accurate results, although still not necessarily perfect if an update fails -

Lansweeper seems to be able to query the "InstalledOn" date for an update. The overall SQL statement should check for the last reboot time, and if it is prior to the InstalledOn date, flag compliancy as negative pending a reboot.


The installed on date unfortunately doesn't provide a timestamp. While you probably can get a timestamp for the last reboot by using the uptime and the current time on the machine itself, if you install an update, you'd have to restart the machine a day later to get any certainty. For some people this is fine, others not, so I'll leave it up to people individually to add these types of extras.
Hendrik_VE
Champion Sweeper III
I recently discovered on a couple of my systems that were patched that the UBR version in the registry is only updated after the reboot, so if this field would be added to the report you could have certainty that your system is secured.
Hendrik_VE
Champion Sweeper III
FYI, to see the UBR (Update Build Revision) number in the report, you need to add the following registry key to the scanning:
Regpath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Regvalue: UBR

And add the following code to the report:

Select:
Replace(Replace(tblAssets.OScode, 'S', ''), 'R', '') + '.' + tRegUBR.Value As Build,
tRegUBR.Lastchanged As [Last Security Update Installed],


Join:

Left Join (Select tblRegistry.AssetID,
tblRegistry.Value,
tblRegistry.Valuename,
tblRegistry.Lastchanged
From tblRegistry
Where tblRegistry.Valuename Like '%UBR%' And
tblRegistry.Regkey Like '%CurrentVersion%') As tRegUBR On
tblAssets.AssetID = tRegUBR.AssetID
Esben_D
Lansweeper Employee
The report has been updated to also check for a registry key recommended by the Microsoft KB5005010 article.

Registry Settings: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Later today it will get one last update to include today's Patch Tuesday KB updates.
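
The KB5005010 check described in the comment above, written as a standalone report query. This is an added example, not part of the thread and not Lansweeper's published report; it assumes both PointAndPrint values have been added to registry scanning (as was done for UBR earlier in the thread) and that tblAssets has an AssetName column.

```sql
-- Added example: evaluates the two Point and Print policy values against the
-- KB5005010 recommendation (0, or not defined).
-- Caveat: a NULL here means "not defined" OR "value not scanned yet"; the
-- query cannot tell the two apart, so confirm registry scanning is in place.
Select tblAssets.AssetID,
  tblAssets.AssetName,  -- assumed column name
  tNoWarn.Value As NoWarningNoElevationOnInstall,
  tPrompt.Value As UpdatePromptSettings,
  Case
    When IsNull(tNoWarn.Value, '0') = '0' And IsNull(tPrompt.Value, '0') = '0'
      Then 'Recommended (0 or not defined)'
    Else 'Non-default Point and Print setting'
  End As PointAndPrintState
From tblAssets
  Left Join (Select tblRegistry.AssetID,
      tblRegistry.Value
    From tblRegistry
    Where tblRegistry.Valuename = 'NoWarningNoElevationOnInstall' And
      tblRegistry.Regkey Like '%Printers\PointAndPrint') As tNoWarn On
    tblAssets.AssetID = tNoWarn.AssetID
  Left Join (Select tblRegistry.AssetID,
      tblRegistry.Value
    From tblRegistry
    Where tblRegistry.Valuename = 'UpdatePromptSettings' And
      tblRegistry.Regkey Like '%Printers\PointAndPrint') As tPrompt On
    tblAssets.AssetID = tPrompt.AssetID
Order By PointAndPrintState,
  tblAssets.AssetName
```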
Esben_D
Lansweeper Employee
Another vulnerability has been found in the Print Spooler Service, so I've created another Print Spooler service report and updated the original blog post.
