McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)

Hi Team, I would like to know if McAfee has any coverage on CVE-2021-1675 (PrintNightmare 0-day exploit). It would be helpful if you could share any expert rules for detection. Thanks in advance.
Accepted Solutions
Zebu
Level 9
Message 6 of 50


Hi, this is the last update as far as I know:

https://kc.mcafee.com/corporate/index?page=content&id=KB94659

ENS Expert Rule:

NOTE: Before you implement the recommendation below, you must test the rule thoroughly. Thorough testing ensures rule integrity. It also makes sure that no legitimate application, in-house developed or otherwise, is deemed malicious and prevented from functioning in your production environment. You can set the suggested rule in report-only mode for testing purposes to check whether it causes any conflict in your environment, and to monitor for the target behavior without blocking. After you determine that the rule does not block any activity from legitimate applications, you can set the rule to block and apply the setting to relevant systems.
Rule class: Files

Rule {
  Process {
    Include OBJECT_NAME { -v "spoolsv.exe" }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
      Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\Old\\*\\*.dll" }
      Include -access "CREATE"
    }
  }
}


49 Replies
Pravas
McAfee Employee
Message 2 of 50


Hi @Satish_Talatam,

The McAfee team is currently investigating coverage. Please check back in 48 hrs.

Thanks

bretzeli
Reliable Contributor
Message 3 of 50


You need 48 hours to patch a 0-day?

Azure Sentinel/Windows Defender have something along those lines. You are Tier 1? With such an answer? Please show your line boss shortly and ask him what he says.

If you look at the sample for Sentinel/Windows Defender in detail, it does the following 😉

* Checks that it is not on workstations

* Makes sure it is not coming from Config Manager (or SCCM)

* Lists all drivers and checks whether they are validly signed

That's only detecting the impact after you have already been hacked. That's like all the fancy SIEM solutions like Rapid 7 (Metasploit for Managers), where you see what happened AFTER it happened, the bomb exploded and all are dead.

Most of the time you don't need a fancy SIEM for that. You have a CEO assistant who screams; that's better.

Tell us how to prevent it somehow? Disabling the Spooler service seems a nice approach.

let serverlist = DeviceInfo
    | where DeviceType != "Workstation"
    | distinct DeviceId;
let suspiciousdrivers = DeviceImageLoadEvents
    | where DeviceId in (serverlist)
    | where FolderPath startswith @"c:\windows\system32\spool\drivers"
    | distinct SHA1
    | invoke FileProfile(SHA1, 1000)
    | where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
| join kind=inner (DeviceImageLoadEvents
    | where DeviceId in (serverlist)
    | where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
| where InitiatingProcessFileName != "ccmexec.exe"

Zebu
Level 9
Message 4 of 50


Hello,

Any update on this so far? Thank you!



I am curious what a test plan would entail for this?

Aside from just making sure you can still print once you have machines with the Expert Policy applied, what else would be something to test?

Stewart
AdithyanT
McAfee Employee
Message 8 of 50


Update:

IMPORTANT: As of July 6, 2021, Microsoft has released KB5005010, an out-of-band update to address CVE-2021-34257 Remote Code Execution. This update allows organizations to restrict Print Driver installation to Administrator groups exclusively. McAfee recommends customers apply this update as soon as possible.

For more information, see the Microsoft update release article at: KB5005010 - Restricting installation of new printer drivers after applying the July 6, 2021 updates.

Please follow the below thread or the KBA where we keep this information updated:

https://community.mcafee.com/t5/Endpoint-Security-ENS/ENS-coverage-for-CVE-2021-1675-PrintNightmare-...

Sincerely hope this helps!


Thanks and regards,
Adithyan T
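As an added example (not from the McAfee KB article or any post in this thread), here is a read-only PowerShell audit that checks a host for the three mitigations discussed above: the Spooler service state (the "disable the spooler" approach), the Point and Print registry values documented for KB5005010, and a local pass over spool\drivers that applies the same unsigned / non-Microsoft-signer test as the Advanced Hunting query earlier in the thread. Registry value names are those documented by Microsoft for KB5005010; the cmdlets are standard Windows PowerShell 5.1, and the script assumes it is run in an elevated shell.

```powershell
# Added example: PrintNightmare mitigation audit. Read-only; prints a report, changes nothing.
$report = [ordered]@{}

# 1. Spooler service. Stopped + Disabled removes the attack surface on this host
#    entirely, at the cost of printing from it.
$spooler = Get-Service -Name Spooler
$report.SpoolerStatus    = $spooler.Status
$report.SpoolerStartType = $spooler.StartType

# 2. Point and Print policy (KB5005010). RestrictDriverInstallationToAdministrators = 1
#    (or the value absent, the restricted default after the July 2021 updates) keeps
#    non-admins from installing drivers; an explicit 0 re-opens the hole. The other two
#    values are the warning/elevation settings Microsoft recommends reviewing alongside it.
$pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ppValues = if (Test-Path $pp) { Get-ItemProperty -Path $pp } else { $null }
$report.RestrictDriverInstallationToAdministrators = $ppValues.RestrictDriverInstallationToAdministrators
$report.NoWarningNoElevationOnInstall              = $ppValues.NoWarningNoElevationOnInstall
$report.UpdatePromptSettings                       = $ppValues.UpdatePromptSettings

# 3. Driver store review: the local equivalent of the Advanced Hunting query above.
#    Flags DLLs under spool\drivers that are unsigned, invalidly signed, or not signed by
#    Microsoft, for an analyst to review. Not every hit is malicious: vendor drivers
#    legitimately fail the Microsoft-signer test, which is exactly why the expert rule
#    above needs exclusions. 'Staging' marks the New\ and Old\ paths the expert rule watches.
$driverRoot = Join-Path $env:SystemRoot 'System32\spool\drivers'
$suspect = Get-ChildItem -Path $driverRoot -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path    = $_.FullName
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Staging = $_.DirectoryName -match '\\(New|Old)(\\|$)'
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }

[pscustomobject]$report | Format-List
$suspect | Sort-Object Staging -Descending | Format-Table -AutoSize
```

Run it once with the expert rule in report-only mode and again after switching to block; the Staging column shows which driver files sit in the paths the rule covers, which is a practical starting point for the exclusion list a fleet needs.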
TravisNC
Level 7
Message 9 of 50


Is there a way to test the expert rule once you've added it? I want to verify I've got my settings correct. Would trying to install a new printer do it?

youngs
Reliable Contributor
Message 10 of 50


Hi, we have put this expert rule in place but can't figure out the syntax to exclude files that we require within our environment.

Would you or anyone be able to help me out with the syntax to exclude? Below is what I have tried, but I'm not sure if it is working correctly.

Rule {
  Process {
    Include OBJECT_NAME { -v "spoolsv.exe" }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
      Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\Old\\*\\*.dll" }
      Exclude OBJECT_NAME { -v "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\FXS*.DLL" }
      Exclude OBJECT_NAME { -v "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\1\\FXS.DLL" }
      Exclude OBJECT_NAME { -v "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\LMUD1*.DLL" }
      Exclude OBJECT_NAME { -v "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\SendToOneNote*.dll" }
      Exclude OBJECT_NAME { -v "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\1\\SendToOneNote*.dll" }
      Include -access "CREATE"
    }
  }
}

Any help would be great...

Thanks, Scott
