What is the Print Nightmare threat vector?
I've researched this topic a few times and have not been able to come up with a definitive answer. It appears the threat may be multi-faceted.
I ask in the context of a standard Server/Client Windows network where end-users have shared network printers installed on their devices. Microsoft released a patch for CVE-2021-34481 (Print Nightmare) which restricts the installation of printer drivers to Administrators only. This necessarily breaks group policy printer deployments where end users have least privilege access. Microsoft provides a registry key to revert this behavior, and suggests coupling it with "Point and Print" group policy settings which restrict where the computer can install drivers from. However, they attach a disclaimer to these instructions, saying that they do not completely address the vulnerabilities in CVE-2021-34481. The problem is that these vulnerabilities don't seem to be documented anywhere.
My understanding of this threat is that the Print Spooler service runs as SYSTEM (with administrative permissions). An end-user (who does not have admin permissions) is typically able to find a printer shared from another Windows computer and connect to it. During this process, the Print Spooler downloads and executes driver files from the remote computer for the printer. If the remote computer is controlled by a malicious actor, those files could contain a malicious payload which is then executed on the victim's computer.
If this is so, it would seem that implementing the settings described in the KB, including setting the RestrictDriverInstallationToAdministrators registry key to 0 and using the "Users can only point and print to these servers" and "Package Point and Print - Approved servers" group policies, would sufficiently mitigate this risk to acceptable levels.
This should, apparently, allow non-admin users to still connect to printers, but only printers that are hosted on approved servers. If so, the only remaining threats would be if the server itself is compromised, or a MITM / Spoofing type of attack occurred.
Is all of this correct? Specifically, is there another vector to this flaw apart from the end-user connecting to a shared printer? I.e., malicious commands that can be sent to the affected workstation, code on the workstation that could elevate permissions despite the above protections, etc.
My end goal is to not disrupt the perfectly functioning process of automatically adding/removing network printers to hundreds of corporate users through group policy.
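As an added audit example (not part of the question above), the following PowerShell reads the policy-hive registry values that the KB-described settings write and reports whether the combination the question proposes is actually in place on a workstation. It assumes the value names and paths these Group Policy settings map to under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers; run it elevated on a joined client after a gpupdate.

```powershell
# Audit of Point and Print mitigation state for CVE-2021-34481 (added example).
# Assumed locations: the Policies hive keys that the Point and Print GPOs write to.
$pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ppp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value does not exist (policy not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$restrict   = Get-RegValue $pp 'RestrictDriverInstallationToAdministrators'
$restricted = Get-RegValue $pp 'Restricted'        # "Point and Print Restrictions" enabled
$trusted    = Get-RegValue $pp 'TrustedServers'    # "Users can only point and print to these servers"
$servers    = Get-RegValue $pp 'ServerList'        # semicolon-separated trusted server list
$noWarnInst = Get-RegValue $pp 'NoWarningNoElevationOnInstall'
$noWarnUpd  = Get-RegValue $pp 'UpdatePromptSettings'
$pkgEnabled = Get-RegValue $ppp 'PackagePointAndPrintServerList'
$pkgServers = if (Test-Path "$ppp\ListofServers") {
    (Get-Item "$ppp\ListofServers").GetValueNames() } else { @() }

$findings = @()
# Patch default: value absent or 1 means only Administrators can install drivers.
if ($restrict -eq 0) {
    $findings += 'Non-admin driver installation re-enabled (RestrictDriverInstallationToAdministrators=0).'
    if (-not ($restricted -eq 1 -and $trusted -eq 1 -and $servers)) {
        $findings += 'WEAK: no trusted server list; non-admins may install drivers from any print server.'
    }
    if (-not ($pkgEnabled -eq 1 -and $pkgServers.Count -gt 0)) {
        $findings += 'WEAK: Package Point and Print approved-server list not configured.'
    }
    if ($noWarnInst -eq 1 -or $noWarnUpd -eq 1) {
        $findings += 'WEAK: install/update warning and elevation prompts are suppressed.'
    }
} else {
    $findings += 'Driver installation restricted to Administrators (patch default).'
}
if ($servers)    { $findings += "Trusted Point and Print servers: $servers" }
if ($pkgServers) { $findings += "Approved Package Point and Print servers: $($pkgServers -join ';')" }
$findings
```

Any line starting with WEAK means the workstation is in the state the question worries about: non-admins can install drivers, but without the server restrictions that the KB pairs with the override.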