AdithyanT
McAfee Employee
Message 1 of 6

ENS coverage for CVE 2021-1675 PrintNightmare coverage


Hi All,

McAfee is aware of CVE-2021-1675, otherwise known as “PrintNightmare.”  Our immediate recommendation is to disable the print spooler service on all servers in your environment. We are investigating product countermeasures, and recommend subscribing to KB94659 - McAfee coverage for June 2021 CVE-2021-1675 PrintNightmare vulnerability for updates.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T

5 Replies
AdithyanT
McAfee Employee
Message 2 of 6

Re: ENS coverage for CVE 2021-1675 PrintNightmare coverage


The workaround, as described in KB94659:

In response to the identified vulnerability, McAfee has generated an Endpoint Security (ENS) Expert Rule that can prevent exploitation and allow monitoring of this vulnerability. This rule detects when files are written from the spool service into the directory that known exploits are using to drop files on victim systems.

ENS Expert Rule:

NOTE: Before you implement the recommendation below, you must test the rule thoroughly. Thorough testing ensures rule integrity. It also makes sure that no legitimate application, in-house developed, or otherwise, is deemed malicious and prevented from functioning in your production environment. You can set the suggested rule in report-only mode for testing purposes to check whether it causes any conflict in your environment, and to monitor for the target behavior without blocking. After you determine the rule does not block any activity from legitimate applications, you can set the rule to block and apply the setting to relevant systems.


Rule {
  Process {
    Include OBJECT_NAME { -v "spoolsv.exe" }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
      Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\Old\\*\\*.dll" }
      Include -access "CREATE"
    }
  }
}

To disable PrintSpooler through Group Policy Objects (Recommended for servers, except dedicated print servers):

NOTE: Disabling the print spooler service disables the ability to print both locally and remotely.

  1. Modify your Group Policy Object (GPO) or create a GPO to manage this setting.
  2. When you edit the GPO, go to Computer Configuration, Policies, Windows Settings, System Services, Print Spooler.
  3. Right-click the Print Spooler System Service option, and select Properties.
  4. Set the System Service to Disabled.

To block only the remote attack vector, administrators can disable inbound remote printing through Group Policy Objects (Recommended for workstations):

  1. Modify your Group Policy Object (GPO) or create a GPO to manage this setting.
  2. When you edit the GPO, go to Computer Configuration, Administrative Templates, Printers.
  3. Right-click the Allow Print Spooler to accept client connections policy option, and select Edit.
  4. Set the policy to Disabled.
Thanks and regards,
Adithyan T

Re: ENS coverage for CVE 2021-1675 PrintNightmare coverage


Hello,

Having implemented the Expert Rule from within one of my Exploit Prevention Rules, is it safe to say that if a detection occurs, the information would be written to the Threat Event Log with an Event ID of 20001?

Thank you.

Re: ENS coverage for CVE 2021-1675 PrintNightmare coverage


Hi,

Is it possible to exclude legitimate file hashes by modifying the expert rule with something like the one below, to allow installation of the printers we use and know:

Rule {
  Process {
    Include OBJECT_NAME { -v "spoolsv.exe" }
  }
  Target {
    Match FILE {
      Exclude MD5 {
        -v "xxxxxxxxxxxxxxxxx"
        -v "xxxxxxxxxxxxxxxxx"
      }
      Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
      Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\Old\\*\\*.dll" }
      Include -access "CREATE"
    }
  }
}

 

 Thank you,

best regards
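To see which file events the KB94659 Expert Rule quoted earlier in the thread would fire on, and how the MD5 exclusion proposed in the post above would interact with it, here is an added Python simulation of the rule's logic (not McAfee code; the real ENS matching engine and its handling of Exclude MD5 may differ, so it does not replace the report-only testing the KB asks for). It assumes %systemroot% expands to C:\Windows, that ** spans directory levels while * stays within one path component, and it uses constructed sample events and placeholder hashes.

```python
import re

SYSTEMROOT = r"C:\Windows"          # assumed expansion of %systemroot%
WATCHED_PROCESS = "spoolsv.exe"     # Process block of the KB94659 rule
WATCHED_ACCESS = "CREATE"           # Include -access "CREATE"
TARGET_PATTERNS = [                 # Target paths copied from the rule as quoted in the thread
    r"%systemroot%\System32\spool\drivers\**\New\*.dll",
    r"%systemroot%\System32\spool\drivers\**\Old\*\*.dll",
]
# Constructed hash standing in for the "xxxx" placeholders in the proposed Exclude MD5 block.
EXCLUDED_MD5 = {"0123456789abcdef0123456789abcdef"}

def pattern_to_regex(pattern: str) -> re.Pattern:
    # Assumed wildcard semantics: ** spans any directories, * stays within one path component.
    pattern = pattern.replace("%systemroot%", SYSTEMROOT)
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

TARGET_REGEXES = [pattern_to_regex(p) for p in TARGET_PATTERNS]

def rule_matches(process: str, access: str, path: str, md5: str,
                 excluded_md5=EXCLUDED_MD5) -> bool:
    """True when a file event would trigger the rule, with the MD5 exclusion applied."""
    if process.lower() != WATCHED_PROCESS or access.upper() != WATCHED_ACCESS:
        return False
    if md5.lower() in excluded_md5:      # known-good driver DLL, as the exclusion intends
        return False
    return any(rx.match(path) for rx in TARGET_REGEXES)

DRV = r"C:\Windows\System32\spool\drivers\x64\3"   # constructed driver staging directory
H_BAD, H_GOOD, H_OTHER = "f" * 32, "0123456789abcdef0123456789abcdef", "e" * 32
SAMPLE_EVENTS = [  # constructed (process, access, path, md5) events; the first is a drop into New\
    ("spoolsv.exe",  "CREATE", DRV + r"\New\payload.dll",  H_BAD),    # fires
    ("spoolsv.exe",  "CREATE", DRV + r"\Old\1\unidrv.dll", H_GOOD),   # excluded by hash
    ("spoolsv.exe",  "CREATE", DRV + r"\Old\1\unidrv.dll", H_OTHER),  # same path, unknown hash: fires
    ("spoolsv.exe",  "READ",   DRV + r"\New\payload.dll",  H_BAD),    # not a CREATE
    ("explorer.exe", "CREATE", DRV + r"\New\payload.dll",  H_BAD),    # not the spooler
    ("spoolsv.exe",  "CREATE", DRV + r"\New\notes.txt",    H_BAD),    # not a .dll
]

def evaluate(events=SAMPLE_EVENTS) -> list:
    return [rule_matches(*ev) for ev in events]
```

The second and third events share a path and differ only in hash, which is exactly the distinction the proposed exclusion relies on; anything not on the allow list in those staging directories still fires.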

Re: ENS coverage for CVE 2021-1675 PrintNightmare coverage


I'm not aware of any reason that shouldn't work, but I've never tested using hash-based exclusions.

Dave

AdithyanT
McAfee Employee
Message 6 of 6

Re: ENS coverage for CVE 2021-1675 PrintNightmare coverage


Update:

IMPORTANT: As of July 6, 2021, Microsoft has released KB5005010, an out-of-band update to address CVE-2021-34257 Remote Code Execution. This update allows organizations to restrict Print Driver installation to Administrator groups exclusively. McAfee recommends customers apply this update as soon as possible.

For more information, see the Microsoft update release article at: KB5005010 - Restricting installation of new printer drivers after applying the July 6, 2021 updates.

Thanks and regards,
Adithyan T
