topic Re: Printernightmare CVE-2021-1675 in General Topics

Printernightmare CVE-2021-1675

Wolfgang — Thu, 01 Jul 2021 11:04:54 GMT

Any IPS protection available for CVE-2021-1675 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675 ?

Re: Printernightmare CVE-2021-1675

_Val_ — Thu, 01 Jul 2021 11:23:42 GMT

The attack vector is local, according to MS.

Re: Printernightmare CVE-2021-1675

Wolfgang — Thu, 01 Jul 2021 13:14:35 GMT

That's correct. But this is a problematic vulnerability on most of the Microsoft servers and if they are located in a separated protected LAN there should be a protection.

Re: Printernightmare CVE-2021-1675

_Val_ — Thu, 01 Jul 2021 13:28:10 GMT

Let me elaborate. To exploit it, you need to locally execute a file on that server. It is in the endpoint scope, not network.

Re: Printernightmare CVE-2021-1675

Fredrik_Soderlu — Thu, 01 Jul 2021 13:50:13 GMT

Hi,

I think the Print Nightmare nickname is for another bug than cve-2021-1675 and that has not an cve record yet and that is an RCE bug and the only workaround is to disable the print spooler.

Re: Printernightmare CVE-2021-1675

Wolfgang — Thu, 01 Jul 2021 14:47:50 GMT

looks like there are exploits out there https://www.youtube.com/watch?v=qU3vQ-B-FPY

Re: Printernightmare CVE-2021-1675

Benedikt_Weissl — Thu, 01 Jul 2021 14:58:18 GMT

A predefined Threat Hunting query would be cool, something thats checks all servers if the spooler service is running and the system is unpatched.

Re: Printernightmare CVE-2021-1675

HeikoAnkenbrand — Thu, 01 Jul 2021 16:11:09 GMT

Hi @Wolfgang,

I always use SNORT signatures/rules in these cases when there are no manufacturer signatures.

Most of the time you can extract some good ASCII signatures from the exploit code. Then you can create a SNORT signature and import it via the SmartConsole. This is not so easy most of the time but works quite well.

I always try to extract signatures from metasploit,... or other tools.

More information on how to import SNORT signatures can be found here:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics-TPG/SNORT-Signature-Support.htm

But as @_Val_ said, in this case the attack vector is local so a Snort signature is useless.

Re: Printernightmare CVE-2021-1675

_Val_ — Fri, 02 Jul 2021 08:50:48 GMT

I have seen that. POC exploit there is deployed locally on the machine. IPS is not in play

Re: Printernightmare CVE-2021-1675

MikeB — Fri, 02 Jul 2021 15:16:48 GMT

Hi @_Val_, if this CVE is in endpoint scope, Check Point Harmony Endpoint should be able to detect and protect it, right?

Re: Printernightmare CVE-2021-1675

PhoneBoy — Sat, 03 Jul 2021 00:08:05 GMT

According to @Pasha_Pal, we're currently evaluating our protection capabilities for this exploit on the Endpoint (and also related CVE-2021-34527).
We'll share more details when available.

In the meantime, it is best to apply the Microsoft patches and disable the print spooler on Domain Controllers and any server not using printing.

Re: Printernightmare CVE-2021-1675

Yuri_Slobodyany — Sun, 04 Jul 2021 06:56:32 GMT

Not releasing an IPS signature is not an option - competitors already did so https://www.fortiguard.com/encyclopedia/ips/50553 🙂
I got asked by 2 large clients today already, and it is just Sunday 9+ in the morning.

Re: Printernightmare CVE-2021-1675

Pedro_Boavida — Sun, 04 Jul 2021 09:42:38 GMT

Indeed! Trend Micro already released mitigation measures on its network and endpoint IPS solutions as well...

Re: Printernightmare CVE-2021-1675

_Val_ — Mon, 05 Jul 2021 06:24:00 GMT

I see, @PhoneBoy beat me to that. In short, theoretically yes, but there is a question of detection, under investigation.

Re: Printernightmare CVE-2021-1675

MikeB — Tue, 06 Jul 2021 02:11:24 GMT

Just check, TH predefined queries were updated with 6 new "Real Word" queries regarding Printnightmare

Re: Printernightmare CVE-2021-1675

genisis__ — Tue, 06 Jul 2021 11:27:06 GMT

Is there actually a snort signature released for this?

I checked the current IPS database and Checkpoint have not added an signature for this yet, which is not good.

Re: Printernightmare CVE-2021-1675

Paul_Warnagiris — Wed, 07 Jul 2021 14:42:39 GMT

Is there any update to this?

Re: Printernightmare CVE-2021-1675

_Val_ — Thu, 08 Jul 2021 11:11:11 GMT

The PrintNightmare vulnerabilities (CVE-2021-1675 and CVE-2021-34527) are covered by TE and SBA with the following signatures:

TE:
- Exploit.Wins.PrintNightmare.A
SBA:
- HEUR:Trojan-Dropper.Win32.Pegazus.gen
- HEUR:Exploit.Win32.CVE-2021-1675.a
- PDM:Exploit.Win32.Generic
- PDM:Trojan.Win32.Generic

In regards to IPS, at present there is insufficient information to create an IPS protection. We re looking into this and will update once new info is available.

Re: Printernightmare CVE-2021-1675

Benedikt_Weissl — Fri, 09 Jul 2021 11:44:18 GMT

I just got the newsletter: The IPS Pattern has been released

Re: Printernightmare CVE-2021-1675

genisis__ — Fri, 09 Jul 2021 12:18:08 GMT

From what I can see a signature for CVE-2021-34527 was released today, however I could not see anything for CVE-2021-1675, can you confirm if the news letter indicates anything about 1675? or is this only referencing 34527?