1 Solution

Accepted Solutions
_Val_
Admin

The PrintNightmare vulnerabilities (CVE-2021-1675 and CVE-2021-34527) are covered by TE and SBA with the following signatures:

  • TE:
    • Exploit.Wins.PrintNightmare.A
  • SBA:
    • HEUR:Trojan-Dropper.Win32.Pegazus.gen
    • HEUR:Exploit.Win32.CVE-2021-1675.a
    • PDM:Exploit.Win32.Generic
    • PDM:Trojan.Win32.Generic

In regards to IPS, at present there is insufficient information to create an IPS protection. We're looking into this and will update once new info is available.


23 Replies
_Val_
Admin

The attack vector is local, according to MS. 

Wolfgang
Authority

That's correct. But this is a problematic vulnerability on most of the Microsoft servers and if they are located in a separated protected LAN there should be a protection.

_Val_
Admin

Let me elaborate. To exploit it, you need to locally execute a file on that server. It is in the endpoint scope, not network.

Fredrik_Soderlu
Explorer

Hi,

I think the PrintNightmare nickname is for another bug than CVE-2021-1675, one that does not have a CVE record yet and that is an RCE bug, and the only workaround is to disable the print spooler.

Wolfgang
Authority

Looks like there are exploits out there: https://www.youtube.com/watch?v=qU3vQ-B-FPY

HeikoAnkenbrand
Champion

Hi @Wolfgang,

I always use SNORT signatures/rules in these cases when there are no manufacturer signatures.

Most of the time you can extract some good ASCII signatures from the exploit code. Then you can create a SNORT signature and import it via the SmartConsole. This is not so easy most of the time but works quite well.

I always try to extract signatures from metasploit,... or other tools.

More information on how to import SNORT signatures can be found here:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

But as @_Val_  said, in this case the attack vector is local so a Snort signature is useless.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
genisis__
Mentor

Is there actually a snort signature released for this? 

I checked the current IPS database and Check Point has not added a signature for this yet, which is not good.

_Val_
Admin

I have seen that. The POC exploit there is deployed locally on the machine. IPS is not in play.

MikeB
Advisor

Hi @_Val_, if this CVE is in endpoint scope, Check Point Harmony Endpoint should be able to detect and protect it, right?

PhoneBoy
Admin

According to @Pasha_Pal, we're currently evaluating our protection capabilities for this exploit on the Endpoint (and also related CVE-2021-34527).
We'll share more details when available.

In the meantime, it is best to apply the Microsoft patches and disable the print spooler on Domain Controllers and any server not using printing.

Paul_Warnagiris
Advisor

Is there any update to this?


paulossa
Explorer

Is there any IPS signature update on the 1500 series regarding CVE-2021-34527? I can see this IPS protection on the 910 but not in any 1500 fw.

_Val_
Admin

Same signatures should be available on both.

_Val_
Admin

I see, @PhoneBoy beat me to that. In short, theoretically yes, but there is a question of detection, under investigation. 

Yuri_Slobodyany
Collaborator

Not releasing an IPS signature is not an option; competitors already did so: https://www.fortiguard.com/encyclopedia/ips/50553 🙂
I got asked by 2 large clients today already, and it is just Sunday, 9+ in the morning.

https://www.linkedin.com/in/yurislobodyanyuk/
Pedro_Boavida
Contributor

Indeed! Trend Micro already released mitigation measures on its network and endpoint IPS solutions as well...

Benedikt_Weissl
Advisor

I just got the newsletter: The IPS Pattern has been released

genisis__
Mentor

From what I can see, a signature for CVE-2021-34527 was released today; however, I could not see anything for CVE-2021-1675. Can you confirm whether the newsletter indicates anything about 1675, or is this only referencing 34527?

ncoco
Employee Alumnus

Can you please share here?

Benedikt_Weissl
Advisor

A predefined Threat Hunting query would be cool, something that checks all servers to see if the spooler service is running and the system is unpatched.
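The check Benedikt describes above, and the mitigation PhoneBoy recommends earlier in the thread (disable the spooler on Domain Controllers), as an added PowerShell example that is not from this thread or from Check Point. The server names and the KB list are placeholders to be filled from your own inventory and the Microsoft advisory; the script only reports by default and only touches the spooler on DCs when -Remediate is given.

```powershell
# Added example, not part of the original thread.
# Inventory: is the Print Spooler running, is the host a DC, and is the
# PrintNightmare patch installed? Optionally stop/disable the spooler on DCs.
param(
    [string[]]$Servers  = @('dc01.example.local', 'app01.example.local'), # placeholder names
    [string[]]$PatchKBs = @('KB<placeholder>'),   # KB ids from the Microsoft advisory for the CVEs
    [switch]$Remediate                              # without this switch the script only reports
)

$results = foreach ($server in $Servers) {
    Invoke-Command -ComputerName $server -ArgumentList $PatchKBs, $Remediate.IsPresent -ScriptBlock {
        param([string[]]$kbs, [bool]$fix)

        $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
        $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
        # Get-HotFix lists installed updates by HotFixID (e.g. "KB1234567")
        $patched = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                          Where-Object { $kbs -contains $_.HotFixID })
        $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

        # Only DCs are remediated automatically; other servers need a human
        # decision on whether printing is actually used there.
        if ($fix -and $running -and $isDc) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
            $svc = Get-Service -Name Spooler
            $running = $false
        }

        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            SpoolerStatus      = if ($svc) { $svc.Status } else { 'NotInstalled' }
            IsDomainController = $isDc
            Patched            = $patched
            Exposed            = $running -and -not $patched   # running spooler, no patch
        }
    }
}

# Exposed hosts first, so the list doubles as a work queue
$results | Sort-Object Exposed -Descending | Format-Table -AutoSize
```

Run it from a host with WinRM access to the targets; the Exposed column is the set of servers with a running, unpatched spooler.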

MikeB
Advisor

Just checked, TH predefined queries were updated with 6 new "Real World" queries regarding PrintNightmare.
