Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)


I'm not sure how your effort to exclude all the files is going, but this might work better for you if it is a struggle. You can just exclude the needed sources where spoolsv.exe needs to read from to drop a compromised file into the needed folders, rather than all the legitimate files themselves. This is confirmed to block the RCE, but should also block the LPE.

Rule {
    Process {
        Include OBJECT_NAME { -v "spoolsv.exe" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**.dll" }
            Exclude OBJECT_NAME {
                -v "%windir%\\System32\\**"
                -v "C:\\Program Files\\McAfee\\Endpoint Security\\Threat Prevention\\IPS\\EpMPThe.dll"
                -v "C:\\Program Files\\Common Files\\McAfee\\SystemCore\\*"
                -v "C:\\Program Files\\McAfee\\MAR\\mvcairo_x64.dll"
            }
            Include -access "READ"
        }
    }
}


If RCE is your only concern, change the target to "\\\\**\\*.dll" and then you only need to allow print shares where drivers may load from.  

Dave
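To make the "exclude the sources, not the legitimate files" point concrete, here is an added Python model of the two rules in the post above, run over constructed spoolsv.exe file-access events. It is example code written for this page, not code from the thread or from a McAfee tool. The glob semantics it assumes ('**' crosses backslashes, '*' does not, %var% expansion, case-insensitive matching), the basename match for the Process OBJECT_NAME, and the environment values and event paths are all assumptions or constructed inputs, not taken from McAfee documentation.

```python
import ntpath
import re

# Constructed values for an offline run; on a real host these come from the environment.
ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}


def glob_to_regex(pattern):
    """Translate an Expert Rule path glob into a compiled regex.

    Assumed semantics (a simplification, not from McAfee documentation):
    '**' matches any characters including backslashes, '*' matches any
    characters except a backslash, %var% is expanded from ENV, and matching
    is case-insensitive.  The thread doubles every backslash inside the
    rule's quoted strings; the patterns here use single backslashes.
    """
    pattern = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), pattern)
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def make_rule(process, access, include, exclude):
    return {
        "process": process.lower(),
        "access": access.upper(),
        "include": [glob_to_regex(p) for p in include],
        "exclude": [glob_to_regex(p) for p in exclude],
    }


# The rule from the post: spoolsv.exe reading any DLL, except from known-good locations.
READ_RULE = make_rule(
    "spoolsv.exe", "READ",
    include=[r"**.dll"],
    exclude=[
        r"%windir%\System32\**",
        r"C:\Program Files\McAfee\Endpoint Security\Threat Prevention\IPS\EpMPThe.dll",
        r"C:\Program Files\Common Files\McAfee\SystemCore\*",
        r"C:\Program Files\McAfee\MAR\mvcairo_x64.dll",
    ],
)

# The RCE-only variant from the same post: only DLLs read over UNC paths.
RCE_ONLY_RULE = make_rule("spoolsv.exe", "READ", include=[r"\\**\*.dll"], exclude=[])


def rule_matches(rule, process_path, target_path, access):
    """True when a (process, target, access) event would trigger the rule.

    An Exclude entry wins over the Include entries, which is how the
    exclusion list in the post is meant to be read (assumption)."""
    if ntpath.basename(process_path).lower() != rule["process"]:
        return False
    if access.upper() != rule["access"]:
        return False
    if not any(rx.match(target_path) for rx in rule["include"]):
        return False
    return not any(rx.match(target_path) for rx in rule["exclude"])


# Constructed events: (process path, target file, access type).
EVENTS = [
    (r"C:\Windows\System32\spoolsv.exe", r"\\attacker\share\evil.dll", "READ"),
    (r"C:\Windows\System32\spoolsv.exe", r"C:\Users\bob\AppData\Local\Temp\evil.dll", "READ"),
    (r"C:\Windows\System32\spoolsv.exe", r"C:\Windows\System32\spool\drivers\x64\3\New\evil.dll", "READ"),
    (r"C:\Windows\System32\spoolsv.exe", r"C:\Program Files\Common Files\McAfee\SystemCore\example.dll", "READ"),
    (r"C:\Windows\System32\spoolsv.exe", r"C:\Program Files\Common Files\McAfee\SystemCore\sub\example.dll", "READ"),
    (r"C:\Windows\System32\spoolsv.exe", r"C:\Users\bob\AppData\Local\Temp\evil.dll", "CREATE"),
    (r"C:\Windows\System32\notepad.exe", r"C:\Users\bob\AppData\Local\Temp\evil.dll", "READ"),
]


def evaluate(rule, events=EVENTS):
    """Return [(target path, rule fires?)] for each event, in order."""
    return [(target, rule_matches(rule, proc, target, acc)) for proc, target, acc in events]


if __name__ == "__main__":
    for name, rule in (("READ_RULE", READ_RULE), ("RCE_ONLY_RULE", RCE_ONLY_RULE)):
        print(name)
        for target, hit in evaluate(rule):
            print(f"  {'HIT ' if hit else 'pass'}  {target}")
```

Running it shows the shape of the rule: a read of a DLL from a UNC share or from a user-writable temp directory fires, a read from anywhere under System32 (including the spool driver store, which is the destination, not the source) is excluded, and the single `*` under SystemCore covers files in that directory only, not its subfolders, which is the difference between `*` and `**` the exclusions rely on.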

dhunt03
Level 8

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)


How do I fix this error? Admittedly, this is my first attempt at an expert rule:

2021-07-07 23:17:54.553Z |Error |ApBl |mfeesp | 6864| 9916|BOPAP |ApState.cpp(287) | Syntax error: -v: Invalid number of arguments
while executing
"-v "
invoked from within
"Include OBJECT_NAME { -v
"%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }"
invoked from within
"Match FILE {
Include OBJECT_NAME { -v
"%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
Include OBJECT_NAME { -v
..."
invoked from within
"Target {
Match FILE {
Include OBJECT_NAME { -v
"%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
Include OBJECT_NAME { - ..."
invoked from within
"Rule -id "20000" {
Reaction ALLOW
Group "ExPExpertRules"
Description "PrintNightmare Exploit Monitoring 20210707"

Process {
Include OBJECT_NAM ..."
invoked from within
"Policy {

 

Rule -id "20000" {
Reaction ALLOW
Group "ExPExpertRules"
Description "PrintNightmare Exploit Monitoring 20210707"

Process {
Inclu ..."LastErr 0x000010dd The operation identifier is not valid.

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)


Can I just see your exact rule?  I'm not sure from the log.  

dhunt03
Level 8

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)


Hi Daveb3d,

Thanks for the response.

It was a direct copy from KB94659. Testing was accomplished by adding a printer to my machine.

 

Rule {
    Process {
        Include OBJECT_NAME { -v "spoolsv.exe" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
            Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\Old\\*\\*.dll" }
            Include -access "CREATE"
        }
    }
}

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)


It compiles fine for me when I copied and pasted it from your post. Make sure you don't have a blank line or something at the top of the rule, which will cause it to fail.

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)


Hello,

I added the Expert Rule to my Exploit Prevention Policy as detailed below. Presently this is in Report Mode. Would it be safe to say that if any detections occurred that information would be written to the Threat Event Log with the Event ID of 20001?

Thank you.

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)


The event ID would be 18060, the Analyzer Rule ID would probably be 20001, depending upon the signature ID assigned to the rule in your policy.

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)


Thank you for the quick response.


Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)


Thank you again for the quick response. So I implemented the rules as documented in the KB article and chose the option to Report rather than block.

Within a very short amount of time, I captured 165 events across 16 workstations. There is very little information to go on as far as next steps. What would the next steps be, please?

I am capturing activity that is occurring in the following locations:

Threat Target File Path and Target Path

The Event Log message states:

NT AUTHORITY\SYSTEM ran C:\Windows\System32\spoolsv.exe, which accessed the file C:\Windows\System32\spool\drivers\x64\3\Old\1\FXSAPI.DLL, violating the rule “PrintNightmare – CVE 2021-1675”. Access was allowed because the rule wasn’t configured to block.

 

Thank you,

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)


Yeah, if you used the McAfee provided rule, this isn't a surprise, honestly, as the rule is too generic. It is good for servers, but going to cause a workstation issue. You can try to tune it out, though you can probably just block anything in the OLD folder as I'm guessing it isn't really necessary, but that is 100% a guess.  
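For the tuning step discussed in the two posts above (report-mode events piling up, and the suggestion to tune them out), here is an added Python triage script. It is example code written for this page, not something from the thread, the KB article or McAfee. It parses Threat Event messages in the wording quoted above, groups them by target path and host, and splits them into exclusion candidates (Old-folder DLLs seen on several hosts, the kind of driver-store churn the reply calls out) and paths that still need a manual look. The message regex is fitted to the one message format quoted in the thread, the Old/New layout heuristic is an assumption, and all event records are constructed.

```python
import re
from collections import defaultdict

# Fitted to the Threat Event wording quoted in the thread (assumption: it will
# not parse other ENS event formats).  Accepts curly or straight quotes.
EVENT_RE = re.compile(
    r"^(?P<user>.+?) ran (?P<process>.+?), which accessed the file "
    r"(?P<target>.+?), violating the rule [\u201c\"](?P<rule>.+?)[\u201d\"]\."
)
# Heuristic for the spooler driver store: ...\spool\drivers\<arch>\3\Old\<n>\ or ...\3\New\.
STAGE_RE = re.compile(r"\\spool\\drivers\\[^\\]+\\3\\(?P<stage>Old|New)\\", re.IGNORECASE)


def parse_event(message):
    """Return the fields of one Threat Event message, or None if it does not parse."""
    m = EVENT_RE.match(message)
    return m.groupdict() if m else None


def stage_of(target):
    """Classify a target path as 'Old', 'New' (driver store stages) or 'Other'."""
    m = STAGE_RE.search(target)
    return m.group("stage").capitalize() if m else "Other"


def triage(events, min_hosts=2):
    """Group (host, message) report-mode events by target path.

    Old-folder paths seen on at least min_hosts hosts become exclusion
    candidates; everything else (New-folder writes, single-host oddities,
    paths outside the driver store) goes to the review list."""
    hosts_by_target = defaultdict(set)
    unparsed = 0
    for host, message in events:
        ev = parse_event(message)
        if ev is None:
            unparsed += 1
            continue
        hosts_by_target[ev["target"]].add(host)
    candidates, review = [], []
    for target, hosts in sorted(hosts_by_target.items()):
        entry = {"target": target, "stage": stage_of(target), "hosts": sorted(hosts)}
        if entry["stage"] == "Old" and len(hosts) >= min_hosts:
            candidates.append(entry)
        else:
            review.append(entry)
    return {"candidates": candidates, "review": review, "unparsed": unparsed}


def to_exclude_line(target):
    """Render a path as an Expert Rule Exclude entry, backslashes doubled as in the thread."""
    return '-v "' + target.replace("\\", "\\\\") + '"'


def _msg(target):
    # Constructed message in the wording quoted in the thread.
    return (f"NT AUTHORITY\\SYSTEM ran C:\\Windows\\System32\\spoolsv.exe, which accessed the file {target}, "
            "violating the rule \u201cPrintNightmare \u2013 CVE 2021-1675\u201d. "
            "Access was allowed because the rule wasn\u2019t configured to block.")


STORE = r"C:\Windows\System32\spool\drivers\x64\3"
# Constructed sample: (hostname, event message).  EXAMPLEPRN.DLL is a made-up file name.
SAMPLE_EVENTS = [
    ("WS01", _msg(STORE + r"\Old\1\FXSAPI.DLL")),
    ("WS02", _msg(STORE + r"\Old\1\FXSAPI.DLL")),
    ("WS03", _msg(STORE + r"\Old\1\FXSAPI.DLL")),
    ("WS01", _msg(STORE + r"\Old\2\EXAMPLEPRN.DLL")),
    ("WS04", _msg(STORE + r"\New\EXAMPLEPRN.DLL")),
    ("WS05", "unrelated log line that does not match the event format"),
]


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("Exclusion candidates (paste under Exclude OBJECT_NAME after verifying each file):")
    for c in result["candidates"]:
        print("   ", to_exclude_line(c["target"]), "  # hosts:", ", ".join(c["hosts"]))
    print("Needs review:")
    for r in result["review"]:
        print(f"    [{r['stage']}] {r['target']}  hosts={r['hosts']}")
    print("Unparsed events:", result["unparsed"])
```

Prevalence across hosts is only a first cut: a DLL that shows up on many machines is usually driver-store housekeeping, but confirm the file (publisher signature, driver package it belongs to) before adding it to the rule's exclusions, and treat anything under New, or seen on a single host, as worth a closer look rather than a tuning candidate.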
