This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wolfgang
Authority
Authority
‎2021-07-01 04:04 AM
Jump to solution

Printernightmare CVE-2021-1675

Any IPS protection available for CVE-2021-1675 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675 ?

 

(1)
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2021-07-08 02:53 AM
In response to Paul_Warnagiris
Jump to solution

The PrintNightmare vulnerabilities (CVE-2021-1675 and CVE-2021-34527) are covered by TE and SBA with the following signatures:

  • TE:
    • Exploit.Wins.PrintNightmare.A
  • SBA:
    • HEUR:Trojan-Dropper.Win32.Pegazus.gen
    • HEUR:Exploit.Win32.CVE-2021-1675.a
    • PDM:Exploit.Win32.Generic
    • PDM:Trojan.Win32.Generic

In regards to IPS, at present there is insufficient information to create an IPS protection. We re looking into this  and will update once new info is available.

View solution in original post

23 Replies
_Val_
Admin
Admin
‎2021-07-01 04:23 AM
Jump to solution

The attack vector is local, according to MS. 

0 Kudos
Wolfgang
Authority
Authority
‎2021-07-01 06:14 AM
In response to _Val_
Jump to solution

That's correct. But this is a problematic vulnerability on most of the Microsoft servers and if they are located in a separated protected LAN there should be a protection.

0 Kudos
_Val_
Admin
Admin
‎2021-07-01 06:28 AM
In response to Wolfgang
Jump to solution

Let me elaborate. To exploit it, you need to locally execute a file on that server. It is in the endpoint scope, not network.

0 Kudos
Fredrik_Soderlu
Explorer
‎2021-07-01 06:50 AM
In response to _Val_
Jump to solution

Hi,

I think the Print Nightmare nickname is for another bug than cve-2021-1675 and that has not an cve record yet and that is an RCE bug and the only workaround is to disable the print spooler.

 

0 Kudos
Wolfgang
Authority
Authority
‎2021-07-01 07:47 AM
In response to _Val_
Jump to solution

looks like there are exploits out there https://www.youtube.com/watch?v=qU3vQ-B-FPY

 

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2021-07-01 09:01 AM
In response to Wolfgang
Jump to solution

Hi @Wolfgang,

I always use SNORT signatures/rules in these cases when there are no manufacturer signatures.

Most of the time you can extract some good ASCII signatures from the exploit code. Then you can create a SNORT signature and import it via the SmartConsole. This is not so easy most of the time but works quite well.

I always try to extract signatures from metasploit,... or other tools.

More information on how to import SNORT signatures can be found here:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

But as @_Val_  said, in this case the attack vector is local so a Snort signature is useless.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
genisis__
Mentor Mentor
Mentor
‎2021-07-06 01:42 AM
In response to HeikoAnkenbrand
Jump to solution

Is there actually a snort signature released for this? 

I checked the current IPS database and Checkpoint have not added an signature for this yet, which is not good.

 

0 Kudos
_Val_
Admin
Admin
‎2021-07-02 01:50 AM
In response to Wolfgang
Jump to solution

I have seen that. POC exploit there is deployed locally on the machine. IPS is not in play

0 Kudos
MikeB
Advisor
‎2021-07-02 08:16 AM
In response to _Val_
Jump to solution

Hi @_Val_, if this CVE is in endpoint scope, Check Point Harmony Endpoint should be able to detect and protect it, right?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-07-02 05:08 PM
In response to MikeB
Jump to solution

According to @Pasha_Pal, we're currently evaluating our protection capabilities for this exploit on the Endpoint (and also related CVE-2021-34527).
We'll share more details when available.

In the meantime, it is best to apply the Microsoft patches and disable the print spooler on Domain Controllers and any server not using printing.

Paul_Warnagiris
Advisor
‎2021-07-07 07:42 AM
In response to PhoneBoy
Jump to solution

Is there any update to this?

0 Kudos
_Val_
Admin
Admin
‎2021-07-08 02:53 AM
In response to Paul_Warnagiris
Jump to solution

The PrintNightmare vulnerabilities (CVE-2021-1675 and CVE-2021-34527) are covered by TE and SBA with the following signatures:

  • TE:
    • Exploit.Wins.PrintNightmare.A
  • SBA:
    • HEUR:Trojan-Dropper.Win32.Pegazus.gen
    • HEUR:Exploit.Win32.CVE-2021-1675.a
    • PDM:Exploit.Win32.Generic
    • PDM:Trojan.Win32.Generic

In regards to IPS, at present there is insufficient information to create an IPS protection. We re looking into this  and will update once new info is available.

paulossa
Explorer
‎2021-07-21 06:02 AM
In response to _Val_
Jump to solution

is there any IPS signature update on 1500 series regarding CVE-2021-34527? I can see this IPS protection on 910 but not in any 1500 fw.

0 Kudos
_Val_
Admin
Admin
‎2021-07-21 06:08 AM
In response to paulossa
Jump to solution

Same signatures should be available on both.

0 Kudos
_Val_
Admin
Admin
‎2021-07-04 11:24 PM
In response to MikeB
Jump to solution

I see, @PhoneBoy beat me to that. In short, theoretically yes, but there is a question of detection, under investigation. 

Yuri_Slobodyany
Collaborator
‎2021-07-03 11:56 PM
In response to _Val_
Jump to solution

Not releasing an IPS signature is not an option - competitors already did so https://www.fortiguard.com/encyclopedia/ips/50553 🙂
I got asked by 2 large clients today already, and it is just Sunday 9+ in the morning.

 

 

https://www.linkedin.com/in/yurislobodyanyuk/
0 Kudos
Pedro_Boavida
Contributor
Contributor
‎2021-07-04 02:41 AM
In response to Yuri_Slobodyany
Jump to solution

Indeed! Trend Micro already released mitigation measures on its network and endpoint IPS solutions as well...

 

 

0 Kudos
Benedikt_Weissl
Advisor
‎2021-07-09 04:44 AM
In response to Pedro_Boavida
Jump to solution

I just got the newsletter: The IPS Pattern has been released

0 Kudos
genisis__
Mentor Mentor
Mentor
‎2021-07-09 05:18 AM
In response to Benedikt_Weissl
Jump to solution

From what I can see a signature for CVE-2021-34527 was released today, however I could not see anything for CVE-2021-1675, can you confirm if the news letter indicates anything about 1675? or is this only referencing 34527?

0 Kudos
ncoco
Employee Alumnus
Employee Alumnus
‎2021-07-09 06:30 AM
In response to Benedikt_Weissl
Jump to solution

Can you please share here?

0 Kudos
MikeB
Advisor
‎2021-07-09 06:38 AM
In response to ncoco
Jump to solution

https://www.checkpoint.com/defense/advisories/public/2021/CPAI-2021-0465.html

0 Kudos
Benedikt_Weissl
Advisor
‎2021-07-01 07:58 AM
Jump to solution

A predefined Threat Hunting query would be cool, something thats checks all servers if the spooler service is running and the system is unpatched.

0 Kudos
MikeB
Advisor
‎2021-07-05 07:11 PM
In response to Benedikt_Weissl
Jump to solution

Just check, TH predefined queries were updated with 6 new "Real Word" queries regarding Printnightmare 

image.png

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events