Microsoft's June 2021 security patch release included a fix for CVE-2021-1675, a Windows Print Spooler vulnerability. Additional information released after the patch showed that the vulnerability could also be exploited remotely, and it has been dubbed "PrintNightmare" by various outlets.
On July 1st, Microsoft also announced CVE-2021-34527, a second Windows print spooler remote code execution (RCE) vulnerability. CVE-2021-34527 is currently marked as being actively exploited on the Microsoft site.
On July 7th, Microsoft announced a critical out-of-band (OOB) patch to address the RCE vulnerability. On July 8th, additional platforms not previously covered were also added.
Mitigation and Protection
First and foremost, the primary line of protection against these vulnerabilities is to ensure that all affected systems are patched with Microsoft's latest security updates and that the vendor's recommended mitigations are applied. This remains the primary recommendation for protection against any exploit that may arise from these vulnerabilities.
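The following script is an added example and is not part of the original article or a Trend Micro tool. It audits a single Windows host for the mitigations Microsoft published with CVE-2021-34527: the Print Spooler service state, the "Allow Print Spooler to accept client connections" policy (stored as the RegisterSpoolerRemoteRpcEndPoint policy value), and the Point and Print registry values that the out-of-band update requires to be 0 or undefined. The $ExpectedKB parameter is an assumption: the KB numbers of the July 2021 update differ per OS build and must be looked up by the caller in the Microsoft advisory.

```powershell
# Added example (not from the original article): audit a Windows host for the
# Microsoft-recommended PrintNightmare mitigations. Run elevated on the host.
param(
    # KB identifiers of the July 2021 OOB update for this OS build (assumption:
    # the caller looks them up in the CVE-2021-34527 advisory); empty skips the check
    [string[]]$ExpectedKB = @()
)

$findings = @()

# 1. Print Spooler service: the strongest mitigation is to stop and disable it
#    on hosts that do not need to print or share printers (domain controllers first).
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    $startup = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode
    if ($spooler.Status -eq 'Running') {
        $findings += "Spooler service is running (startup type: $startup)"
    }
}

# 2. Group Policy "Allow Print Spooler to accept client connections" = Disabled
#    is stored as RegisterSpoolerRemoteRpcEndPoint = 2 under the Printers policy key.
#    This blocks the remote RPC/SMB vector while leaving local printing working.
$printersPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$rpc = (Get-ItemProperty -Path $printersPol -Name RegisterSpoolerRemoteRpcEndPoint `
        -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
if ($rpc -ne 2) {
    $findings += "Inbound remote printing is not disabled by policy (RegisterSpoolerRemoteRpcEndPoint = $rpc)"
}

# 3. Point and Print restrictions: after the OOB patch, Microsoft requires these
#    values to be 0 or absent. A value of 1 re-opens the exploit path by letting
#    non-administrators install drivers without a warning or elevation prompt.
$pnp = Join-Path $printersPol 'PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $val = (Get-ItemProperty -Path $pnp -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $val -and $val -ne 0) {
        $findings += "Point and Print value $name = $val (must be 0 or not defined)"
    }
}

# 4. Patch presence, only when the caller supplied the KB(s) for this build.
if ($ExpectedKB.Count -gt 0) {
    $installed = (Get-HotFix).HotFixID
    $missing = $ExpectedKB | Where-Object { $installed -notcontains $_ }
    if ($missing) { $findings += "Missing update(s): $($missing -join ', ')" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: spooler mitigated and Point and Print restrictions are safe.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it as `.\Audit-PrintNightmare.ps1 -ExpectedKB KB5004945` (substituting the KB for the host's build). A host with no findings is either patched with safe Point and Print settings or has the spooler stopped; a running spooler that still accepts client connections on an unpatched host is the exposed configuration.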
Trend Micro Protection
To assist customers, Trend Micro has created and released some additional layers of protection in the form of rules and filters that may help organizations strengthen their overall security posture, especially in situations where comprehensive patching may take time or is not feasible.
Deep Security and Cloud One - Workload Security, Vulnerability Protection, Apex One Vulnerability Protection (iVP) and Worry-Free Business Security Services Rules
- Rule 1011016 - Identified DCERPC AddPrinterDriverEx Call Over TCP Protocol
- Rule 1011018 - Identified DCERPC AddPrinterDriverEx Call Over SMB Protocol
Trend Micro Cloud One – Network Security and TippingPoint ThreatDV Malware Detection Filters
- 39940: RPC: Microsoft Windows AddPrinterDriverEx Request Detected
Trend Micro Deep Discovery Inspector (DDI) Rules
- Rule 4588: CVE-2021-34527_SMB_POSSIBLE_RCE_REQUEST_SB
- Rule 4589: CVE-2021-34527_DCE_POSSIBLE_RCE_REQUEST_SB
Other Inspection / Detection Rules
Deep Security Log Inspection
- Rule 1011017 - Microsoft Windows - Print Spooler Failed Loading Plugin Module (PrintNightmare)
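The log inspection rule above keys on the Windows event the spooler writes when a plug-in module fails to load. The following script is an added example, not part of the original article or a Trend Micro product, for hunting the same evidence directly in the Windows event logs on a host: event ID 808 in Microsoft-Windows-PrintService/Admin ("The print spooler failed to load a plug-in module ...") and event ID 316 in Microsoft-Windows-PrintService/Operational ("Printer driver ... was added or updated. Files:- ..."). It assumes the script runs elevated and that the Operational log was enabled before the activity occurred (it is disabled by default); $Since is the lookback window.

```powershell
# Added example (not from the original article): surface Print Spooler events
# associated with a pushed malicious driver so an analyst can triage them.
param([datetime]$Since = (Get-Date).AddDays(-30))

function Find-PrintSpoolerPluginEvents {
    param([datetime]$StartTime)

    $driverStore = Join-Path $env:SystemRoot 'System32\spool\drivers'

    # Event 808: the spooler tried to load a driver DLL and failed. A failed-load
    # message does not mean the DLL did not run: its DllMain may already have
    # executed before the spooler reported the error, so treat each hit as suspect.
    $failedLoads = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Admin'
        Id        = 808
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($ev in $failedLoads) {
        # Pull the module path out of the message text
        $path  = [regex]::Match($ev.Message, '([A-Za-z]:\\[^\s,]+?\.dll)', 'IgnoreCase').Value
        $flags = @()
        if ($path -and $path -notlike "$driverStore*") { $flags += 'module outside spool driver store' }
        if ($path -and -not (Test-Path -LiteralPath $path)) { $flags += 'module no longer on disk' }
        [pscustomobject]@{
            Time   = $ev.TimeCreated
            Id     = $ev.Id
            Detail = $path
            Flags  = ($flags -join '; ')
        }
    }

    # Event 316: a driver was added or updated; the message lists the files that
    # make up the driver. A DLL name that is not a normal print-driver component
    # alongside UNIDRV.DLL / kernelbase.dll is the pattern to review.
    $added = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($ev in $added) {
        $files = if ($ev.Message -match 'Files:-\s*(.+?)\.?\s*(No user action|$)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            Time   = $ev.TimeCreated
            Id     = $ev.Id
            Detail = ($ev.Message -split "`r?`n")[0].Trim()
            Flags  = $files
        }
    }
}

Find-PrintSpoolerPluginEvents -StartTime $Since | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Legitimate driver installs and broken drivers also produce both event IDs, so the output is a triage list rather than an alert: correlate each hit with the account and source host from the 4624 logon events around the same time, and with any AddPrinterDriverEx network detections from the rules listed above.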
Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection are found.
Using Trend Micro Products for Investigation
The following highlights several post-exploitation detections that can be used by customers to investigate and help with potential remediation in a customer’s environment.
Trend Micro Vision One™
Trend Micro Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify if there was potential activity in this range to help in investigation.
Using Detection Models
Trend Micro Vision One triggers alerts based on matched detection models and sends the alerts to Workbench.
The detection models, which generate the alert triggers, combine multiple rules and filters using a variety of analysis techniques including data stacking and machine learning. Moreover, Trend Micro regularly refines and adds detection models and filters to improve threat detection capabilities and reduce false positive alerts.
Zero Trust Risk Insights (pre-release feature)
The Zero Trust Risk Insights app allows you to quickly assess the cloud access activities and vulnerabilities related to users and devices and determine how to mitigate the risks found in your network.
References
- Microsoft Advisory (CVE-2021-1675) - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
- Microsoft Advisory (CVE-2021-34527) - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527