SECURITY ALERT: Solutions and Protections against PrinterNightmare (CVE-2021-1675 and CVE-2021-34527)

    • Updated:
    • 23 Jul 2021
    • Product/Version:
    • Apex One
    • Cloud One - Workload Security
    • Deep Security
    • Vulnerability Protection
    • Platform:
Summary
July 23, 2021 Update: Vision One Information Added

The June 2021 Microsoft security patch release included a patch for CVE-2021-1675, a Windows print spooler vulnerability. Additional information was later released about this vulnerability, including the fact that it could be remotely exploited, and it has been dubbed "PrinterNightmare" by various outlets.

On July 1st, Microsoft also announced CVE-2021-34527, a second Windows print spooler remote code execution (RCE) vulnerability. CVE-2021-34527 is currently marked as being actively exploited on the Microsoft site.

On July 7th, Microsoft announced a critical out-of-band (OOB) patch to address the RCE vulnerability. On July 8th, additional platforms not previously covered were also added.
Details

Mitigation and Protection

First and foremost, the first line of protection against this vulnerability is to ensure that all affected systems are patched with Microsoft's latest security updates and mitigation strategies from the vendor. This continues to be the primary recommendation for protection against any exploit that may arise from these vulnerabilities.

Trend Micro Protection

To assist customers, Trend Micro has created and released some additional layers of protection in the form of rules and filters that may help organizations strengthen their overall security posture, especially in situations where comprehensive patching may take time or is not feasible.

IPS Rules

Deep Security and Cloud One - Workload Security, Vulnerability Protection, Apex One Vulnerability Protection (iVP) and Worry-Free Business Security Services Rules
  • Rule 1011016 - Identified DCERPC AddPrinterDriverEx Call Over TCP Protocol
  • Rule 1011018 - Identified DCERPC AddPrinterDriverEx Call Over SMB Protocol
Please note that because the vulnerability is triggered through a valid Windows function call (AddPrinterDriverEx), these Intrusion Prevention Rules are set to DETECT by default. This minimizes potential false positives in the IT environment. Trend Micro recommends that IT managers review and test these rules in their own IT environment and change them to PREVENT (where applicable on their solution).

Trend Micro Cloud One – Network Security and TippingPoint ThreatDV Malware Detection Filters
  • 39940: RPC: Microsoft Windows AddPrinterDriverEx Request Detected

Trend Micro Deep Discovery Inspector (DDI) Rules
  • Rule 4588: CVE-2021-34527_SMB_POSSIBLE_RCE_REQUEST_SB
  • Rule 4589: CVE-2021-34527_DCE_POSSIBLE_RCE_REQUEST_SB

Other Inspection / Detection Rules

Deep Security Log Inspection
  • Rule 1011017 - Microsoft Windows - Print Spooler Failed Loading Plugin Module (PrintNightmare)
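As an added example (not Trend Micro's rule logic or any product code), the following Python triages exported Windows print-spooler events the way the log inspection rule above does. It assumes the "failed loading plug-in module" condition is logged to Microsoft-Windows-PrintService/Admin as Event ID 808 (a known Windows event not stated on this page), and the sample records are constructed:

```python
import re
from typing import Optional

# Assumption (not on the page): the spooler logs a failed plug-in load to the
# Microsoft-Windows-PrintService/Admin channel as Event ID 808.
ADMIN_CHANNEL = "Microsoft-Windows-PrintService/Admin"
PLUGIN_LOAD_FAILURE_EVENT_ID = 808
MODULE_RE = re.compile(r"plug-in module (?P<path>.+?), error code (?P<code>0x[0-9A-Fa-f]+)")
SPOOL_DRIVER_DIR = "\\system32\\spool\\drivers\\"   # expected driver store location

# Constructed sample events (not real telemetry). The two non-808 records are
# ordinary print-service noise the triage must ignore.
SAMPLE_EVENTS = [
    {"channel": ADMIN_CHANNEL, "event_id": 808,
     "message": "The print spooler failed to load a plug-in module "
                "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\New\\sample.dll, "
                "error code 0x45A. See the event user data for context information."},
    {"channel": ADMIN_CHANNEL, "event_id": 808,
     "message": "The print spooler failed to load a plug-in module "
                "\\\\fileserver\\share\\driver.dll, error code 0x7E. "
                "See the event user data for context information."},
    {"channel": ADMIN_CHANNEL, "event_id": 316,
     "message": "Printer driver Sample Driver was added or updated."},
    {"channel": "Microsoft-Windows-PrintService/Operational", "event_id": 307,
     "message": "Document 12, Print Document owned by alice was printed."},
]


def module_path(message: str) -> Optional[str]:
    """Pull the module path out of an 808 message text, or None if absent."""
    m = MODULE_RE.search(message)
    return m.group("path") if m else None


def classify(event: dict) -> Optional[dict]:
    """Return a finding for a spooler plug-in load failure, else None."""
    if event["channel"] != ADMIN_CHANNEL or event["event_id"] != PLUGIN_LOAD_FAILURE_EVENT_ID:
        return None
    path = module_path(event["message"]) or "<unparsed>"
    low = path.lower()
    # A plug-in pulled from a UNC path or from outside the driver store is the
    # most urgent case; every other load failure still merits a look.
    severity = "high" if low.startswith("\\\\") or SPOOL_DRIVER_DIR not in low else "medium"
    return {"severity": severity, "module": path}


def triage(events) -> list:
    """Run classify() over exported events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"], finding["module"])
```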

Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection are found.

Using Trend Micro Products for Investigation

The following highlights several post-exploitation detections that customers can use to investigate and assist with potential remediation in their environment.

Trend Micro Vision One™

Trend Micro Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify if there was potential activity in this range to help in investigation.

Using Detection Models

Trend Micro Vision One triggers alerts based on matched detection models and sends the alerts to Workbench.

The detection models, which generate the alert triggers, combine multiple rules and filters using a variety of analysis techniques including data stacking and machine learning. Moreover, Trend Micro regularly refines and adds detection models and filters to improve threat detection capabilities and reduce false positive alerts.



Zero Trust Risk Insights (pre-release feature)

The Zero Trust Risk Insights app allows you to quickly assess the cloud access activities and vulnerabilities related to users and devices and determine how to mitigate the risks found in your network.


References

Category: Update
Solution Id: 000286888