As per SNS Notice: McAfee response to June 2021 CVE-2021-1675 "PrintNightmare" vulnerability
McAfee is aware of CVE-2021-1675, otherwise known as “PrintNightmare.” Our immediate recommendation is to disable the print spooler service on all servers in your environment. We are investigating product countermeasures, and recommend subscribing to KB94659 - McAfee coverage for June 2021 CVE-2021-1675 PrintNightmare vulnerability for updates.
The SERVER 2016 Patch is still not in WSUS as of 07.07.2021 16:04 o'clock CET European Time. For all other systems incl. 2008R2 and W7 (FREE without ESU) you have patches:
The 06.07.2021/07.07.2021 Patches only partially fill the leak. You can still use the exploit locally if you have POINT & CLICK options active in GPO (to see more than 5 printers if you search in ADS, for example).
You can use the same logic in an Access Protection Rule. Just set spoolsv.exe as the process. The sub-rule as file, the target as the defined path and select "create" as the action to block.
That would be the HIPS Module you have separate. But McAfee wants all customers AWAY from HIPS (Single product) and VSE to the ENS product. By the end of the year EOL VSE.
We have had several smaller customers on ENS (Server 2008R2-2019 and Citrix) for like 4 years now and it works fine. Was afraid at the beginning but it works and works.
Starting to migrate the bigger enterprise customer now from VSE to ENS.
Easy to say.
VSE is sort of End of Life near, but still no replacement for VSE for Storage which requires VSE.
As it is still not yet EOL, a McAfee-supplied user-defined rule should be supplied. Thanks,
Even more important since all customers who had ETP suites had to buy new complete suites like CEB Suite. I just checked "Software" Manager in EPO this morning and did see the VSE for Storage for the first time as a license.
If you renew a suite everybody wants to sell MVISION. And they completely forget such things.
Well, marketing from McAfee is so bad in Europe/Switzerland that all customers have bought other products which scan storage anyway (like NetApp customers).
Two things to this.
Never got a response on VSE ruleset supplied by McAfee to address. Systems with VSE are still widespread in many environments and any device will continue to run VSE for Storage module as part of VSE until a replacement for VSE for Storage is made available.
Second, I am guessing this is a temporary rule to address this? Once patches are deployed it should be removed - I think. Does the rule that McAfee supplied stop the ability to load new print drivers?
I thought I responded to you on VSE.
Do an Access Protection rule. The process is spoolsv.exe. The subrule is FILE with WRITE/CREATE access. Put in the two McAfee provided paths in the Expert rule, but remove the \\ for a single \. That will cover it in VSE.
Yes, the McAfee rule stops you from adding printers.
I would like to thank Daveb3d for replying to all of our questions and providing some great information and solutions. Thanks, Daveb3d!
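Two host-side conditions come up in this thread: the notice's recommendation to disable the print spooler on servers, and the GPO print-prompt options that a poster says leave patched systems exposed. The PowerShell below is an added, read-only audit for both; it is not from any poster or from McAfee. It assumes the poster's "POINT & CLICK" options are the Windows "Point and Print Restrictions" policy and reads the registry values that policy writes.

```powershell
# Added example, read-only: reports findings and changes nothing on the host.
# Assumes PowerShell 3.0 or later (Get-CimInstance).

function Get-SpoolerState {
    # "Spooler" is the service that hosts spoolsv.exe.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }   # service not installed
    [pscustomobject]@{ State = $svc.State; StartMode = $svc.StartMode }
}

function Get-PointAndPrintPolicy {
    # Values written by the "Point and Print Restrictions" GPO setting.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = if ($props) { $props.$name } else { $null }
        [pscustomobject]@{
            Name     = $name
            Value    = $value
            # Not defined or 0 keeps the warning and elevation prompt; any other value relaxes it.
            Weakened = ($null -ne $value -and $value -ne 0)
        }
    }
}

function Test-PrintSpoolerExposure {
    $findings = @()
    $spooler  = Get-SpoolerState
    # Flag a spooler that is running now or that can start again after a reboot.
    if ($spooler -and ($spooler.State -eq 'Running' -or $spooler.StartMode -ne 'Disabled')) {
        $findings += "Spooler service: state=$($spooler.State), start mode=$($spooler.StartMode)"
    }
    foreach ($p in (Get-PointAndPrintPolicy | Where-Object { $_.Weakened })) {
        $findings += "Point and Print policy: $($p.Name)=$($p.Value)"
    }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        NeedsReview = ($findings.Count -gt 0)
        Findings    = $findings
    }
}

Test-PrintSpoolerExposure | Format-List
```

On a machine that has to print, the spooler finding is expected; the policy findings are the ones that matter after the July 2021 patches are installed.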