How to secure vulnerable printers on a Windows network

Attackers look for unsecured printers as a point of access. Find them before they do. Here's how.

At the recent Black Hat conference, Peleg Hadar and Tumar Bar of SafeBreach Labs pointed out that the way to a network’s heart is often through its printers. In 2010, one of the vulnerabilities Stuxnet used was a remote code execution on a computer with printer sharing enabled. To reach Iran's centrifuges, Stuxnet exploited a vulnerability in the Windows Print Spooler service to gain code execution as NT AUTHORITY\SYSTEM.

The method Stuxnet used to propagate across the network is still possible. In fact, Hadar and Bar announced that the security updates that Microsoft released in August includes a fix for a printer vulnerability that they discovered. A proof of concept of their findings has been posted to GitHub along with the tools they used.

In May, Yarden Shafir and Alex Ionescu released a whitepaper called PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth that showcased the interesting ways Print Spooler can be used to elevate privileges, bypass endpoint detection and response (EDR) rules, and gain persistence. Attackers often look for new and unusual ways to attack systems. The Spooler service, implemented in Spoolsv.exe, is appealing to them becaust it runs with SYSTEM privileges and is network accessible. Shafir and Ionescu point out that attackers look for the following attack vectors:

  • Printing to a file in a privileged location, hoping Spooler will do that
  • Loading a “printer driver” that’s actually malicious
  • Dropping files remotely using Spooler RPC APIs
  • Injecting malicious “printer drivers” from remote systems
  • Abusing file parsing bugs in EMF/XPS spooler files to gain code execution

Starting in Vista, Windows does not require admin rights to install printer drivers if the driver is a pre-existing inbox driver. Absolutely no privileges are needed to install a printer driver.

Look for and patch print spooler bugs

Shafir and Ionescu advise to be alert for print spooler bugs and patch systems as soon as possible after validating the updates in your environment. You should also review the printers and their behavior in your network. Scan for any file-based ports with either Get-PrinterPort in PowerShell, or just dump HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports. Treat any ports that have a file path in them — especially ending in an extension such as .DLL or .EXE -- with extreme prejudice.

bradley printer Susan Bradley

Review ports in PowerShell

Keep printer drivers up to date

Review the printer status in your office regularly. Printers often open exposed vulnerabilities in your network that attackers can use. Older printer drivers are often vulnerable, and attackers can use them to inject web shells or software that introduce vulnerabilities into a system. At last year’s DEF CON conference, NCC Group researchers Mario Rivas and Daniel Romero documented issues as mild as denial-of-service vulnerabilities and as serious as buffer overflows that could lead to remote code execution. As a result of their research, these vendors released technical advisories:

If you can’t remember when you last reviewed the print server driver installed in your network, it’s time to review what version number is installed and update if necessary.

Here’s another reason to keep the drivers current: Hewlett Packard created the Printer Command Language (PCL) for its ink-jet printers in the 1980s. PCL 5 is the last version to be based on the traditional code that the computer driver sends to the printer to give it the instructions on how to print the page. PCL 6, also known as PCL-XL, is a more powerful driver that operates completely differently.

The PCL 5 driver broke with the June Windows updates. These older printer drivers have historically been more prone to Windows patching issues. The newer style of driver PCL 6, or Microsoft V4, is less prone to patch interaction. To me patching and security are interconnected. I had to upgrade all my PCL 5 style drivers to PCL 6 to be able to print after the June updates.

Scan for internet-connected printing vulnerabilities

Consumer style printers, which many work-from-home employees use with their business-provided systems, allow for wireless printing and printing via web or email. During the installation process, the user is prompted to answer a set of questions that expose the printer to various possible external attacks. Such tools as the Shodan search tool allows you (and attackers) to search the internet for open and possibly insecure devices, including vulnerable and open printers that could be abused remotely.

If you set up a device on the open internet, Hewlett Packard recommends the following guidance when setting it up:

Network options:

  • Enable TCP/IP.
  • Enable IPPs printing.
  • Disable 9100 printing.
  • Disable SLP config.
  • Disable LPD printing.
  • Disable telnet config.
  • Disable FTP printing.
  • Disable WS-Discovery.
  • Disable web services print (unless currently in use).
  • Disable TFTP configuration file.
  • Add allowed IPv4 addresses for Exchange Web Services (EWS) and print to the Access Control List. Note: If the printer is on the open internet and not configured to limit access to known IP addresses, it is open for public access and potential abuse.
  • Set encryption strength to “High”.
  • Enable HTTPS setting to encrypt all web communication: “Encrypt All Web Communication” (not including IPP).
  • Disable mDNS config. If you do not have DNS on your network, leave enabled.
  • Configure an SNMP community name and disable the default community name of “Public”.
  • Disable unused protocol stacks. HP recommends the following (unless currently in use):
    • Disable IPX/SPX.
    • Disable DLC/LLC.
    • Disable AppleTalk/Bonjour.

Security options:

  • Set the administrator password (local administrator or EWS administrator password).
  • Set the PJL security password.
  • Disable PJL device access commands.
  • Disable file system page (external) access settings:
    • Disable PJL drive access or PJL disk access.
    • Disable PS drive access or PS disk access.
  • Configure file system page options:
    • Disable PML.
    • Disable NFS access.
    • Disable Postscript.
  • Disable “Allow Stored Jobs on this device”.
  • Disable remote printer firmware updates. Note: This setting will need to be re-enabled anytime the printer firmware needs to be updated remotely:
    • Disable “Allow firmware upgrades sent as print jobs (port 9100)”.
    • Disable “Allow installation of legacy packages signed with SHA-1 Hashing algorithm”.
    • Disable “Remote Firmware Upgrade”.
  • Disable SNMP disk access or SNMP access.
  • Configure secure disk encryption mode (AES128 or AES256).

Embedded Web Server options:

  • Enable outgoing mail.
  • Enable continue button.
  • Disable print service.
  • Disable incoming mail.
  • Disable command invoke.
  • Disable command download.
  • Disable command load and execute.
  • Secure the “Information” tab (if available) or disable the following settings:
    • “Cancel Job Button”
    • “Go/Pause/Resume Button”

Web Services options:

  • Disable Web Services.
  • Disable proxy services.

Wireless options

  • Configure wireless security (if using wireless connectivity).

Printers are a weak link and entry way into many a network. Take the time to review your security posture accordingly.

Copyright © 2020 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations