Wolfgang
Leader

Printernightmare CVE-2021-1675


Is any IPS protection available for CVE-2021-1675 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675)?



Accepted Solutions
_Val_
Admin

The PrintNightmare vulnerabilities (CVE-2021-1675 and CVE-2021-34527) are covered by TE and SBA with the following signatures:

  • TE:
    • Exploit.Wins.PrintNightmare.A
  • SBA:
    • HEUR:Trojan-Dropper.Win32.Pegazus.gen
    • HEUR:Exploit.Win32.CVE-2021-1675.a
    • PDM:Exploit.Win32.Generic
    • PDM:Trojan.Win32.Generic

In regards to IPS, at present there is insufficient information to create an IPS protection. We're looking into this and will update once new info is available.


23 Replies
_Val_
Admin

The attack vector is local, according to MS.

0 Kudos
Wolfgang
Leader

That's correct. But this is a problematic vulnerability on most of the Microsoft servers and if they are located in a separated protected LAN there should be a protection.

0 Kudos
_Val_
Admin

Let me elaborate. To exploit it, you need to locally execute a file on that server. It is in the endpoint scope, not network.

0 Kudos
Fredrik_Soderlu
Explorer

Hi,

I think the Print Nightmare nickname is for a different bug than CVE-2021-1675, one that does not have a CVE record yet; that one is an RCE bug and the only workaround is to disable the print spooler.


0 Kudos
Wolfgang
Leader

Looks like there are exploits out there: https://www.youtube.com/watch?v=qU3vQ-B-FPY


0 Kudos
HeikoAnkenbrand
Champion

Hi @Wolfgang,

I always use SNORT signatures/rules in these cases when there are no manufacturer signatures.

Most of the time you can extract some good ASCII signatures from the exploit code. Then you can create a SNORT signature and import it via the SmartConsole. This is not so easy most of the time but works quite well.

I always try to extract signatures from metasploit,... or other tools.

More information on how to import SNORT signatures can be found here:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

But as @_Val_ said, in this case the attack vector is local so a Snort signature is useless.

0 Kudos
genisis__
Advisor

Is there actually a snort signature released for this?

I checked the current IPS database and Check Point have not added a signature for this yet, which is not good.


0 Kudos
_Val_
Admin

I have seen that. The POC exploit there is deployed locally on the machine. IPS is not in play.

0 Kudos
MikeB
Advisor

Hi @_Val_, if this CVE is in endpoint scope, Check Point Harmony Endpoint should be able to detect and protect it, right?

0 Kudos
PhoneBoy
Admin

According to @Pasha_Pal, we're currently evaluating our protection capabilities for this exploit on the Endpoint (and also related CVE-2021-34527).
We'll share more details when available.

In the meantime, it is best to apply the Microsoft patches and disable the print spooler on Domain Controllers and any server not using printing.

Paul_Warnagiris
Collaborator

Is there any update to this?

0 Kudos

paulossa
Explorer

Is there any IPS signature update on the 1500 series regarding CVE-2021-34527? I can see this IPS protection on a 910 but not in any 1500 fw.

0 Kudos
_Val_
Admin

Same signatures should be available on both.

0 Kudos
_Val_
Admin

I see, @PhoneBoy beat me to that. In short, theoretically yes, but there is a question of detection, under investigation.

Yuri_Slobodyany
Collaborator

Not releasing an IPS signature is not an option - competitors already did so https://www.fortiguard.com/encyclopedia/ips/50553 🙂
I got asked by 2 large clients today already, and it is just Sunday 9+ in the morning.

0 Kudos
Pedro_Boavida
Contributor

Indeed! Trend Micro already released mitigation measures on its network and endpoint IPS solutions as well...

0 Kudos
Benedikt_Weissl
Advisor

I just got the newsletter: The IPS Pattern has been released

0 Kudos
genisis__
Advisor

From what I can see, a signature for CVE-2021-34527 was released today; however, I could not see anything for CVE-2021-1675. Can you confirm whether the newsletter indicates anything about 1675, or is it only referencing 34527?

0 Kudos
ncoco
Employee Alumnus

Can you please share here?

0 Kudos
Benedikt_Weissl
Advisor

A predefined Threat Hunting query would be cool, something that checks all servers to see if the spooler service is running and the system is unpatched.

0 Kudos
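A check of the kind Benedikt asks for (spooler running and patch missing, across all servers), combined with the mitigation PhoneBoy recommends earlier in the thread (disable the spooler on Domain Controllers and on servers that do not print). This is an added example, not a post from this thread and not Check Point's predefined Threat Hunting query. It assumes the ActiveDirectory PowerShell module, WinRM access with admin rights to the servers, and that you fill in the `$PatchKBs` placeholder with the KB id(s) for your OS builds from the MSRC advisory, since the thread does not list them.

```powershell
# Added example, not code from this thread or from Check Point.
# Assumptions: ActiveDirectory module present, WinRM reachable, admin rights.
# $PatchKBs is a placeholder: take the real KB id(s) for your OS builds from the
# MSRC advisory for CVE-2021-1675 / CVE-2021-34527 (not given in the thread).
$PatchKBs = @('KB<placeholder-from-MSRC-advisory>')

# Inventory every AD computer object that reports a Server OS.
$servers = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem).Name

$report = foreach ($s in $servers) {
    try {
        Invoke-Command -ComputerName $s -ArgumentList (,$PatchKBs) -ErrorAction Stop -ScriptBlock {
            param($kbs)
            $svc       = Get-Service -Name Spooler -ErrorAction SilentlyContinue
            $installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
            # DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem).
            $role      = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
            [pscustomobject]@{
                Computer           = $env:COMPUTERNAME
                SpoolerStatus      = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
                SpoolerStartup     = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
                Patched            = [bool]$installed
                IsDomainController = ($role -ge 4)
            }
        }
    } catch {
        # Unreachable hosts are reported rather than silently skipped.
        [pscustomobject]@{
            Computer = $s; SpoolerStatus = 'Unreachable'; SpoolerStartup = 'n/a'
            Patched = $null; IsDomainController = $null
        }
    }
}

# Exposed on both counts: spooler is running AND none of the patch KBs is installed.
$exposed = $report | Where-Object { $_.SpoolerStatus -eq 'Running' -and -not $_.Patched }
$exposed | Sort-Object IsDomainController -Descending | Format-Table -AutoSize

# Mitigation for DCs (extend the filter to any server that does not print):
# stop the spooler and keep it from starting again. Left commented out so the
# report runs read-only; uncomment after reviewing $exposed.
# foreach ($c in ($exposed | Where-Object IsDomainController)) {
#     Invoke-Command -ComputerName $c.Computer -ScriptBlock {
#         Stop-Service -Name Spooler -Force
#         Set-Service  -Name Spooler -StartupType Disabled
#     }
# }
```

Two caveats for anyone reusing this: `Get-HotFix` only lists updates that register as QFEs, so treat a "Patched = False" result as "needs confirmation", not proof, and cross-check the OS build against the advisory; and disabling the spooler on a server that hosts print queues breaks printing, which is why the thread's advice is scoped to Domain Controllers and servers not using printing.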
MikeB
Advisor

Just checked, TH predefined queries were updated with 6 new "Real World" queries regarding Printnightmare.
