Why it matters: Microsoft's attempt to resolve the PrintNightmare vulnerability has resulted in unforeseen network printing issues. Network administrators must now decide between patching a critical vulnerability or retaining required print capabilities for their organization until further resolution is provided.
Microsoft's most recent Patch Tuesday release may have resolved the last remnants of the PrintNightmare vulnerabilities, but in doing so, may have also impacted users' ability to access network printer resources. The vulnerability, identified in June 2021, allows attackers to initiate remote code execution (RCE) via the long-plagued Windows Print Spooler.
While the latest patch did resolve the current vulnerability, it also introduced a new problem: the inability of some users to access network printers. Network administrators responsible for managing system patching have reported problems ranging from error 4098 warnings in the event logs, to missing printer ports, to access-denied errors that prevent use. The reported issues are currently being resolved by rolling back the update.
Microsoft's latest Print Spooler CVE (Common Vulnerabilities and Exposures) article addressed a flaw that allows an attacker who successfully exploits it to execute code remotely with elevated privileges. Those elevated privileges would let the attacker access and gain unwanted control of the target machine. Unfortunately for Microsoft, the Print Spooler service is no stranger to security risks and vulnerabilities. Several CVEs related to the service have been released since 2020.
RCE attacks are a particularly dangerous and damaging type of attack due to their invasive nature. An attacker can gain control of a target machine, manipulate programs and data, or even create new accounts with full access rights by executing malicious code. These attacks became particularly prevalent during the initial crypto-mining boom in 2017 and continue today.
Attackers use available exploits, such as web application code vulnerabilities, to install malware designed to download and run CPU-based mining programs. The programs run silently in the background, robbing unknowing users of computing resources and impacting overall usability while using the hijacked resources to illegally mine cryptocurrency.
The post-patch network printing bug has been verified across multiple models and manufacturers. However, the problem does not appear to impact those users connected to a printer via universal serial bus (USB) connections.