A security bypass vulnerability exists in the way the Printer Remote Procedure Call (RPC) binding handles authentication for the remote Winspool interface. The Windows update addresses this vulnerability by raising the RPC authentication level required for that interface, and by introducing a new policy and registry value that lets customers enable or disable Enforcement mode on the server side.
To learn more about the vulnerability, see CVE-2020-1678.
To protect your environment and prevent printing outages, follow the deployment timeline and the installation steps below.
Timing of updates
These Windows updates will be released in two phases:
- The initial deployment phase for Windows updates released on or after January 12, 2021.
- The enforcement phase for Windows updates released on or after June 8, 2021.
January 12, 2021: Initial Deployment Phase
The initial deployment phase starts with the Windows update released on January 12, 2021 by providing the ability for server customers to enable this increased security level on their own based on their environment's readiness.
- Addresses CVE-2020-1678, with Enforcement mode off by default during this phase.
- Adds support for the RpcAuthnLevelPrivacyEnabled registry value, which raises the RPC authentication level required for the printer IRemoteWinspool interface when it is set.
During this phase, mitigation consists of installing the Windows updates on all client and server devices, and then enabling Enforcement mode on the servers once every client has been updated.
June 8, 2021: Enforcement Phase
The June 8, 2021 release transitions into the enforcement phase. The enforcement phase enforces the changes that address CVE-2020-1678 by raising the authentication level unconditionally, without requiring the registry value to be set.
Before installing this update
You must have the following required updates installed before you apply this update. If you use Windows Update, these required updates will be offered automatically as needed.
- You must have the SHA-2 update (KB4474419) that is dated September 23, 2019 or a later SHA-2 update installed and then restart your device before you apply this update. For more information about SHA-2 updates, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
- For Windows Server 2008 R2 SP1, you must have installed the servicing stack update (SSU) (KB4490628) that is dated March 12, 2019. After update KB4490628 is installed, we recommend that you install the latest SSU update. For more information about the latest SSU update, see ADV990001 | Latest Servicing Stack Updates.
- For Windows Server 2008 SP2, you must have installed the servicing stack update (SSU) (KB4493730) that is dated April 9, 2019. After update KB4493730 is installed, we recommend that you install the latest SSU update. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.
- Customers are required to purchase the Extended Security Update (ESU) for on-premises versions of Windows Server 2008 SP2 or Windows Server 2008 R2 SP1 after extended support ended on January 14, 2020. Customers who have purchased the ESU must follow the procedures in KB4522133 to continue receiving security updates. For more information on ESU and which editions are supported, see KB4497181.
Important You must restart your device after you install these required updates.
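The prerequisite updates listed above can be checked before the January 12, 2021 update is deployed. The following PowerShell function is an added example and is not part of this article; it assumes it is run elevated, that Get-HotFix can reach the target, and that the KB numbers it looks for are exactly the ones named above. The function name is this example's own.

```powershell
# Added example (not from the article): check that the prerequisite updates named above
# are present on a Windows Server 2008 SP2 / 2008 R2 SP1 host before installing the
# January 12, 2021 update.
# Assumptions: run from an elevated Windows PowerShell session; Get-WmiObject is used
# instead of Get-CimInstance so that the check also works against PowerShell 2.0 targets.
# Caveat: Get-HotFix lists an update under its own KB ID only; a later SSU or a cumulative
# package can supersede one of these, so treat "Installed = False" as "verify manually",
# not as proof that the prerequisite is missing.
function Test-PrinterRpcPrerequisites {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $os = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName).Caption

    # KB4474419 (SHA-2 code-signing support) is required on every affected release;
    # the servicing stack update depends on the OS family.
    $required = @('KB4474419')
    if ($os -match '2008 R2') {
        $required += 'KB4490628'   # SSU for Windows Server 2008 R2 SP1
    }
    elseif ($os -match '2008') {
        $required += 'KB4493730'   # SSU for Windows Server 2008 SP2
    }

    $installed = Get-HotFix -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID

    foreach ($kb in $required) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            OS           = $os
            Update       = $kb
            Installed    = ($installed -contains $kb)
        }
    }
}

# Usage: run against the local host, or pass -ComputerName for a remote print server.
Test-PrinterRpcPrerequisites | Format-Table -AutoSize
```

Any row that reports Installed = False should be resolved (or confirmed superseded per ADV990001) and the device restarted before the January 12, 2021 update is applied.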
Install the update
To resolve the security vulnerability, install the Windows updates and enable Enforcement mode by following these steps:
- Deploy the January 12, 2021 update to all client and server devices.
- After all client and server devices have been updated, full protection can be enabled by setting the registry value to 1.
Step 1: Install the Windows update
Install the January 12, 2021 Windows update or a later Windows update to all client and server devices.
Important This section, method, or task contains steps that tell you how to change the registry. However, serious problems might occur if you change the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you change it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.
After all client and server devices have been updated, you can enable full protection by deploying Enforcement mode. To do this, follow these steps:
- Right-click Start, click Run, type cmd in the Run box, and then press Ctrl+Shift+Enter.
- At the Administrator command prompt, type regedit and then press Enter.
- Locate the following registry subkey:
- Right-click Print, choose New, and then click DWORD (32-bit) Value.
- Type RpcAuthnLevelPrivacyEnabled and then press Enter.
- Right-click RpcAuthnLevelPrivacyEnabled and then click Modify.
- In the Value data box, type 1 and then click OK.
Note This update introduces support for the RpcAuthnLevelPrivacyEnabled registry value, which raises the authentication level required for the printer IRemoteWinspool RPC interface. The value has the following meanings:
- 1: Enables Enforcement mode. Before you enable Enforcement mode on the server side, make sure that all client devices have installed the Windows update released on January 12, 2021 or a later Windows update. The fix raises the authentication level for the printer IRemoteWinspool RPC interface and adds a new policy and registry value on the server side that requires clients to use the new authentication level when Enforcement mode is applied. If a client device does not have the January 12, 2021 security update or a later Windows update applied, printing will fail when that client connects to the server through the IRemoteWinspool interface.
- 0: Not recommended. Disables the increased authentication level for printer IRemoteWinspool, and your devices are not protected.
- Default: 0 (behavior when the registry value is not set).
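The registry procedure above can be scripted so that the current state is reported, the value is set as a REG_DWORD, and the spooler is restarted in one step. The following PowerShell is an added example and is not part of this article. It assumes an elevated session on the print server and uses the Print key that the steps above refer to, HKLM\SYSTEM\CurrentControlSet\Control\Print; the function names are this example's own.

```powershell
# Added example (not from the article): read and set RpcAuthnLevelPrivacyEnabled.
# Assumptions: run elevated on the print server; the Print key below is the subkey the
# registry steps above right-click; function names are this example's own.
$PrintKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
$ValueName = 'RpcAuthnLevelPrivacyEnabled'

function Get-PrinterRpcEnforcement {
    # Reports the effective state. A missing value behaves as 0 (Enforcement mode off),
    # which is the default until the June 8, 2021 enforcement-phase update.
    [CmdletBinding()]
    param()

    $item = Get-ItemProperty -Path $PrintKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Effective = 0; State = 'Not set (Enforcement mode off)' }
    }

    $v = [int]$item.$ValueName
    $state = if ($v -eq 1) { 'Enforcement mode on' } else { 'Enforcement mode off (not recommended)' }
    [pscustomobject]@{ Value = $v; Effective = $v; State = $state }
}

function Set-PrinterRpcEnforcement {
    # Scripted equivalent of the registry steps above, followed by the spooler restart
    # that the article says is required for the change to take effect.
    # -Enable:$false writes 0, which the article marks "Not recommended"; it exists only
    # for rollback while unpatched clients are still being updated.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [bool]$Enable = $true,
        [switch]$RestartSpooler
    )

    $desired = if ($Enable) { 1 } else { 0 }

    if ($PSCmdlet.ShouldProcess("$PrintKey\$ValueName", "set to $desired")) {
        if (-not (Test-Path -Path $PrintKey)) {
            throw "Print key not found: $PrintKey"
        }
        # -PropertyType DWord matches the "DWORD (32-bit) Value" type in the steps;
        # -Force creates the value if absent or overwrites it if present.
        New-ItemProperty -Path $PrintKey -Name $ValueName -PropertyType DWord `
            -Value $desired -Force | Out-Null

        if ($RestartSpooler) {
            Restart-Service -Name Spooler -Force
        }
    }

    Get-PrinterRpcEnforcement
}

# Usage:
#   Get-PrinterRpcEnforcement                        # audit current state
#   Set-PrinterRpcEnforcement -WhatIf                # preview without writing
#   Set-PrinterRpcEnforcement -RestartSpooler        # enable and restart the spooler
```

Run Get-PrinterRpcEnforcement on each print server before and after the change to confirm the value, and only call Set-PrinterRpcEnforcement once every client that prints through the server has the January 12, 2021 or a later update installed.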
Is a Restart required?
Yes. After you change the registry value, restart the device or restart the Print Spooler service (Spooler) for the new authentication level to take effect.