Coverage for June 2021 CVE-2021-1675 and CVE-2021-34527 PrintNightmare vulnerabilities
Last Modified: 2023-02-22 22:51:10 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Coverage for June 2021 CVE-2021-1675 and CVE-2021-34527 PrintNightmare vulnerabilities
Technical Articles ID:
KB94659
Last Modified: 2023-02-22 22:51:10 Etc/GMT Environment
Microsoft Windows operating systems
Summary
Recent updates to this article
IMPORTANT: As of July 6, 2021, Microsoft has released KB5005010, an out-of-band update to address CVE-2021-34257 Remote Code Execution. This update allows organizations to restrict Print Driver installation to Administrator groups exclusively. We recommend that customers apply this update as soon as possible. For more information, see the Microsoft update release article: KB5005010 - Restricting installation of new printer drivers after applying the July 6, 2021 updates. We’re aware of CVE-2021-1675, CVE-2021-34527, and related publicized "proof of concept" code, collectively known as "PrintNightmare." See the countermeasures below for your product. In addition, you can disable the print spooler as a mitigation effort. We recommend disabling the print spooler as a standard security practice when not in use on infrastructure systems to reduce risk in your environment. We're continuing to investigate product countermeasures and will update this article as we learn more. Subscribe to this article to receive updates pertaining to related threat coverage by our products. To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Workaround
Product: ENS
Product: MVISION EDR We've generated MVISION EDR rules 3.4.0.461 to detect behaviors of the exploitation of this vulnerability; they're available from the ePO Software Catalog. We recommend that you deploy this content package to MVISION EDR 3.4 endpoints, and it will become active on the endpoints at the next reboot. MVISION EDR rules 3.4.0.461 have already been deployed to MVISION ePO EDR endpoints. PrintNightmare Detections in EDR rules 3.4.0.461 will appear in EDR monitoring. Product: Network Security Platform Sigset version: 10.8.22.7 Attack ID: 0x43c0f400 Attack Name: NETBIOS-SS: Windows Print Spooler Service RCE Vulnerability AKA PrintNightmare (CVE-2021-34527) Released date: July 6, 2021. NOTE: This signature is unable to detect an exploit occurring over encrypted SMB traffic. This issue is applicable to SMBv3, where encryption is enabled by default. Product: VirusScan Enterprise (VSE) You can implement the following Access Protection (AP) rules to mitigate exploit behavior by preventing write access to the directories that the Print Spooler technique uses.
You can use the following rule to block NOTE: We recommend that you thoroughly test the rule to ensure integrity and make sure that there are no application conflicts. tag PrintNightmare_Custom_Rule Class Files Id 4001 level 4 attributes -v files { Include "*\\System32\\spool\\drivers\\*\\New\\&.dll" "*\\System32\\spool\\drivers\\*\\Old\\&\\&.dll" } Executable { Include { -path "*\\spoolsv.exe" } } user_name { Include "*" } directives files:create } For more information about implementing custom signatures in Host IPS, see the Host IPS Product Guide. Other Recommendations: To disable PrintSpooler through Group Policy Objects (GPOs) (Recommended for servers, except dedicated print servers): NOTE: Disabling the print spooler service disables the ability to print both locally and remotely.
Related InformationAffected ProductsLanguages:This article is available in the following languages: |
|