BSharma
McAfee Employee
Message 41 of 50

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)

Hello Satish_Talatam,

As per SNS Notice: McAfee response to June 2021 CVE-2021-1675 "PrintNightmare" vulnerability

McAfee is aware of CVE-2021-1675, otherwise known as “PrintNightmare.”  Our immediate recommendation is to disable the print spooler service on all servers in your environment.  We are investigating product countermeasures, and recommend subscribing to KB94659 - McAfee coverage for June 2021 CVE-2021-1675 PrintNightmare vulnerability for updates.

 


bretzeli
Reliable Contributor
Message 42 of 50

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)

The Server 2016 patch is still not in WSUS as of 07.07.2021, 16:04 CET. For all other systems, incl. 2008R2 and W7 (free without ESU), you have patches:

The 06.07.2021/07.07.2021 patches only partially fill the leak. You can still use the exploit locally if you have POINT & CLICK options active in GPO (to see more than 5 printers if you search in ADS, for example).
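
An added example, not part of the thread and not McAfee's code: a PowerShell check for the two conditions raised in the posts above, a print spooler that is still enabled and a GPO that relaxes printer driver prompts. It assumes the "POINT & CLICK" options refer to the Windows Point and Print restrictions policy and reads the registry values Microsoft documents for it; the function name `Get-SpoolerExposure` is hypothetical.

```powershell
# Added example (not from the thread): report print spooler exposure on this host.
# Assumption: Point and Print restrictions are stored under the policy key below.
function Get-SpoolerExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Also stop and disable the spooler, as the SNS notice recommends for servers.
        [switch]$DisableSpooler
    )

    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # A missing key or value means the default (0): warning and elevation prompts shown.
    $values = @{}
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $prop = if ($policy) { $policy.PSObject.Properties[$name] }
        $values[$name] = if ($prop) { [int]$prop.Value } else { 0 }
    }

    $filter = "Name='Spooler'"
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
    if ($svc -and $DisableSpooler -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Spooler')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
    }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        SpoolerState                  = if ($svc) { $svc.State } else { 'NotInstalled' }
        SpoolerStartMode              = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        NoWarningNoElevationOnInstall = $values['NoWarningNoElevationOnInstall']
        UpdatePromptSettings          = $values['UpdatePromptSettings']
        # Any non-zero value suppresses a Point and Print prompt.
        PromptsWeakened               = @($values.Values | Where-Object { $_ -ne 0 }).Count -gt 0
        # The service can still be started unless its start mode is Disabled.
        SpoolerEnabled                = [bool]($svc -and $svc.StartMode -ne 'Disabled')
    }
}

# Report only; add -DisableSpooler (optionally with -WhatIf) to apply the workaround.
Get-SpoolerExposure | Format-List
```

Run it from an elevated session; a host reporting `PromptsWeakened : True` or `SpoolerEnabled : True` still needs attention after the July patches are installed.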


Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)

What about VSE? Is there a User Defined rule crafted similar to the one done - ENS Expert Rule? Can it be done?

Stewart

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)

You can use the same logic in an Access Protection Rule. Just set spoolsv.exe as the process.  The sub-rule as file, the target as the defined path and select "create" as the action to block.

Dave

bretzeli
Reliable Contributor
Message 45 of 50

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)

No 

That would be the HIPS module, which you have separately. But McAfee wants all customers AWAY from HIPS (single product) and VSE and onto the ENS product. By the end of the year, VSE is EOL.

We have had several smaller customers on ENS (Server 2008R2-2019 and Citrix) for about 4 years now and it works fine. I was afraid at the beginning, but it works and works.

We are starting to migrate the bigger enterprise customers now from VSE to ENS.

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)

Easy to say. 

VSE is sort of near End of Life, but there is still no replacement for VSE for Storage, which requires VSE.

As it is not yet EOL, a McAfee-supplied User Defined rule should be provided. Thanks,

Stewart

bretzeli
Reliable Contributor
Message 47 of 50

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)

Thank you,

Even more important since all customers who had ETP suites had to buy new complete suites like the CEB Suite. I just checked the "Software" Manager in EPO this morning and saw VSE for Storage as a license for the first time.

If you renew a suite, everybody wants to sell MVISION. And they completely forget such things.

Well, McAfee's marketing is so bad in Europe/Switzerland that all customers have bought other products which scan storage anyway (like NetApp customers).

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)

Two things to this.

Never got a response on a VSE ruleset supplied by McAfee to address this. Systems with VSE are still widespread in many environments, and any device will continue to run the VSE for Storage module as part of VSE until a replacement for VSE for Storage is made available.

Second, I am guessing this is a temporary rule to address this? Once patches are deployed it should be removed - I think. Does the rule that McAfee supplied stop the ability to load new print drivers?

Stewart

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)

I thought I responded to you on VSE.

Do an Access Protection rule. The process is spoolsv.exe.  The subrule is FILE with WRITE/CREATE access. Put in the two McAfee provided paths in the Expert rule, but remove the \\ for a single \.  That will cover it in VSE.

Yes, the McAfee rule stops you from adding printers. 

Dave

Re: McAfee coverage on - CVE-2021-1675 (PrintNightmare 0-day exploit)

I would like to thank Daveb3d for replying to all of our questions and providing some great information and solutions.  Thanks, Daveb3d!
