Summary
In June 2021, Microsoft published a vulnerability in the Windows Print Spooler (CVE-2021-1675) together with a security update. At the same time, Microsoft released further details about the flaw, including that it can be exploited remotely; the attack technique that abuses it has since become known as the "PrintNightmare" attack. A few days ago (2021/7/1), Microsoft also disclosed a second remote code execution vulnerability in the Windows Print Spooler, CVE-2021-34527, which the Microsoft site currently lists as a vulnerability that is being actively exploited.
Details
Mitigation factors and protection recommendations:
The first line of defence against the vulnerabilities above remains making sure that every affected operating system has the latest Microsoft security updates installed. Comprehensive patching can take time, however, so to give customers protection as quickly as possible Trend Micro has released a set of protection rules through Deep Security IPS, Integrity Monitoring (IM) and TippingPoint DV filters, which help strengthen the overall security of customer environments while patches are rolled out.
Protection rules:
IPS Rules (Deep Security and Cloud One - Workload Security, Vulnerability Protection and Apex One Vulnerability Protection (iVP)) and Integrity Monitoring (IM) Rules
- Rule 1011016 - Identified DCERPC AddPrinterDriverEx Call Over TCP Protocol
- Rule 1011018 - Identified DCERPC AddPrinterDriverEx Call Over SMB Protocol
Trend Micro Cloud One – Network Security and TippingPoint ThreatDV Malware Detection Filters
- 39940: RPC: Microsoft Windows AddPrinterDriverEx Request Detected
Other Inspection / Detection Rules
Deep Security Log Inspection
- Rule 1011017 - Microsoft Windows - Print Spooler Failed Loading Plugin Module (PrintNightmare)
Trend Micro Deep Discovery Inspector (DDI) Rules
- Rule 4588: CVE-2021-34527_SMB_POSSIBLE_RCE_REQUEST_SB
- Rule 4589: CVE-2021-34527_DCE_POSSIBLE_RCE_REQUEST_SB
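The log-inspection rule above (1011017, "Print Spooler Failed Loading Plugin Module") and the driver-installation detections describe what to look for on the host. The following is an added example, not Trend Micro's rule logic, of the same checks run over constructed Windows PrintService event records. The event ids (808 for a plug-in module that failed to load, 316 for a driver that was added or updated), the message wording and the driver-store path are assumptions of this example; the advisory itself names none of them.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed location of legitimately staged x64 printer driver files.
DRIVER_STORE = r"c:\windows\system32\spool\drivers\x64\3"

# Constructed sample records modelled on Microsoft-Windows-PrintService events
# (ids and wording assumed; see lead-in). Not real log data.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 316, "msg": r"Printer driver Vendor UPD for Windows x64 Version-3 was added or updated. "
                       r"Files:- C:\Windows\system32\spool\DRIVERS\x64\3\vendui.dll, "
                       r"C:\Windows\system32\spool\DRIVERS\x64\3\vendrv.dll. No user action is required."},
    {"id": 316, "msg": r"Printer driver Generic Printer for Windows x64 Version-3 was added or updated. "
                       r"Files:- C:\Users\Public\driver\gen.dll. No user action is required."},
    {"id": 808, "msg": r"The print spooler failed to load a plug-in module "
                       r"C:\Windows\system32\spool\DRIVERS\x64\3\New\unidrvui.dll, error code 0x7e."},
    {"id": 842, "msg": "The print job 7 was sent through the print processor winprint."},
]

# Captures the comma-separated file list of an event 316 message.
FILES_RE = re.compile(r"Files:-\s*(.*?)\.\s*No user action", re.DOTALL)

def driver_files(msg: str) -> List[str]:
    """Return the driver file paths named in a 'driver added or updated' message."""
    m = FILES_RE.search(msg)
    return [f.strip() for f in m.group(1).split(",")] if m else []

def outside_store(path: str) -> bool:
    """True when a driver file does not live under the expected driver store."""
    return not path.lower().startswith(DRIVER_STORE)

def classify(event: Dict[str, object]) -> Optional[str]:
    """Map one event to an alert/info string, or None when it is not of interest."""
    eid, msg = event["id"], str(event["msg"])
    if eid == 808:
        # Any failed plug-in load is worth an alert, as rule 1011017 does.
        return "ALERT: print spooler failed to load a plug-in module"
    if eid == 316:
        bad = [f for f in driver_files(msg) if outside_store(f)]
        if bad:
            return f"ALERT: driver files added from outside the driver store: {bad}"
        return "info: driver added from the driver store"
    return None

def scan(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Run classify() over every record and keep the findings with their event id."""
    findings = []
    for e in events:
        verdict = classify(e)
        if verdict:
            findings.append((int(e["id"]), verdict))
    return findings
```

On a live host the same functions would be fed from the Microsoft-Windows-PrintService Admin and Operational channels; a steady stream of 808 alerts after the patch is applied is expected, since the fixed spooler refuses to load the unsigned modules an exploit attempt drops.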
Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection are found.
References:
- Microsoft Advisory (CVE-2021-1675) - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
- Microsoft Advisory (CVE-2021-34527) - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527