bretzeli
Reliable Contributor
Message 1 of 8

ENS 10.7 Servers CVE-2021-1675 Print Spooler 0DAY Amcore? IPS Rule?


01.07.2021, 09:50

@Former Member

ENS 10.7 Servers CVE-2021-1675 Print Spooler 0DAY Amcore? IPS Rule? Expert Rule?

URGENT: Disable Print Spooler on all sensitive servers where there are no print jobs:

- Domain Controller

- Exchange

- Backup Servers


NVD - CVE-2021-1675 (nist.gov)

Accepted Solutions
AdithyanT
McAfee Employee
Message 8 of 8

Re: ENS 10.7 Servers CVE-2021-1675 Print Spooler 0DAY Amcore? IPS Rule?


Hi All,

Closing the loop with the advisory document that explains the work around with Expert Rule:

McAfee coverage for June 2021 CVE-2021-1675 and CVE-2021-34527 PrintNightmare vulnerabilities.


Thanks and regards,
Adithyan T


7 Replies
bretzeli
Reliable Contributor
Message 2 of 8

Re: ENS 10.7 Servers CVE-2021-1675 Print Spooler 0DAY Amcore? IPS Rule?


Something like this for Windows Defender?

// Scope to servers: every device not tagged as a workstation
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
// Images loaded from the spooler driver store that are rare in the fleet
// and not validly signed by Microsoft
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
// Join back to the load events to see which process loaded each hash,
// ignoring loads initiated by the SCCM client (ccmexec.exe)
suspiciousdrivers
| join kind=inner (DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
| where InitiatingProcessFileName != "ccmexec.exe"

Tares1
McAfee Employee
Message 3 of 8

Re: ENS 10.7 Servers CVE-2021-1675 Print Spooler 0DAY Amcore? IPS Rule?


Hello @bretzeli 

Thank you for reaching out to us in the support community.

This vulnerability is under investigation with our exploit prevention team. I recommend opening a support case for updates on it.



Thanks and regards,
Tiago A

Re: ENS 10.7 Servers CVE-2021-1675 Print Spooler 0DAY Amcore? IPS Rule?


I would suggest a hard lockdown of the driver folder for needed DLLs at this point. For servers... this will block spoolsv from creating drivers, so it can present issues, more likely on workstations.

Rule {
	Process {
		Include OBJECT_NAME { -v "**" }
	}
	Target {
		Match FILE {
			Include OBJECT_NAME { -v "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\**.dll" }
			Include -access "CREATE"
		}
	}
}


Dave

Re: ENS 10.7 Servers CVE-2021-1675 Print Spooler 0DAY Amcore? IPS Rule?


This blocks the exploit and I do not expect FPs from it (though I've been wrong before!). 


Rule {
	Process {
		Include OBJECT_NAME { -v "spoolsv.exe" }
	}
	Target {
		Match FILE {
			Include OBJECT_NAME { -v "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\kernelbase.dll" }
			Include -access "CREATE"
		}
	}
}


bodysoda
Reliable Contributor
Message 6 of 8

Re: ENS 10.7 Servers CVE-2021-1675 Print Spooler 0DAY Amcore? IPS Rule?


Thanks for sharing the IPS rule. 

johma
McAfee Employee
Message 7 of 8

Re: ENS 10.7 Servers CVE-2021-1675 Print Spooler 0DAY Amcore? IPS Rule?


You can try this.

Here is a more generic rule that should cover both LPE and RCE, but should be tested before large-scale implementation. It will prevent new print drivers from being installed, and may have more false positives than a more restricted rule.



Rule {
   Process { Include OBJECT_NAME { -v "spoolsv.exe" } }
   Target {
     Match FILE {
        Include OBJECT_NAME { -v "*\\Windows\\System32\\spool\\drivers\\**.dll" }
        Include -access "CREATE"
     }
   }
}

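To compare the reach of the three Expert Rules posted in this thread (the all-process rule on x64\3, the spoolsv-only rule on kernelbase.dll, and the generic spoolsv rule on the whole drivers tree), here is an added Python simulation; it is not code from the thread or from McAfee. It assumes Expert Rule wildcard semantics where `*` does not cross a backslash and `**` does, and runs the three rules over constructed file-creation events.

```python
import re
from dataclasses import dataclass

# Assumed ENS Expert Rule wildcard semantics (an approximation, not McAfee's matcher):
# "*" matches any characters except the backslash separator, "**" also crosses separators.
def expert_glob_to_regex(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

@dataclass(frozen=True)
class FileCreate:        # one CREATE-access file event: writing process and target path
    process: str
    path: str

@dataclass(frozen=True)
class ExpertRule:        # Process OBJECT_NAME plus Target FILE OBJECT_NAME with -access CREATE
    name: str
    process_pattern: str
    target_pattern: str
    def matches(self, ev):
        return bool(expert_glob_to_regex(self.process_pattern).match(ev.process)
                    and expert_glob_to_regex(self.target_pattern).match(ev.path))

# The three rules from the thread, with the Tcl "\\" escapes collapsed to single backslashes.
RULES = [
    ExpertRule("all-processes-x64-3", "**", r"C:\Windows\System32\spool\drivers\x64\3\**.dll"),
    ExpertRule("spoolsv-kernelbase", "spoolsv.exe", r"C:\Windows\System32\spool\drivers\x64\3\kernelbase.dll"),
    ExpertRule("spoolsv-all-drivers", "spoolsv.exe", r"*\Windows\System32\spool\drivers\**.dll"),
]

# Constructed sample events (not captured from a real host).
EVENTS = [
    FileCreate("spoolsv.exe", r"C:\Windows\System32\spool\drivers\x64\3\kernelbase.dll"),   # the DLL named in the thread
    FileCreate("spoolsv.exe", r"C:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.DLL"),  # normal driver install
    FileCreate("spoolsv.exe", r"C:\Windows\System32\spool\drivers\W32X86\3\oldprint.dll"), # 32-bit driver directory
    FileCreate("ccmexec.exe", r"C:\Windows\System32\spool\drivers\x64\3\vendor.dll"),      # SCCM client pushing a driver
    FileCreate("spoolsv.exe", r"D:\Windows\System32\spool\drivers\x64\3\kernelbase.dll"),  # Windows on a non-C: drive
]

def evaluate(rules=RULES, events=EVENTS):
    """Return {rule name: [paths the rule would block]} so the scope of each rule can be compared."""
    return {r.name: [e.path for e in events if r.matches(e)] for r in rules}
```

The per-rule results show the trade-off discussed above: the all-process rule also blocks the SCCM-driven install, the kernelbase.dll rule blocks only that one file, and the generic rule covers every driver directory and drive letter but only when spoolsv.exe is the writer.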