Check Point Advisories

Microsoft Print Spooler Service Impersonation Code Execution (MS10-061; CVE-2010-2729)

Vulnerability
Protection

Check Point Reference:	CPAI-2010-264
Date Published:	14 Sep 2010
Severity:	High
Last Updated:	Thursday 01 August, 2013
Source:
Industry Reference:	CVE-2010-2729
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70
Who is Vulnerable?
Vulnerability Description	The Print Spooler service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, and scheduling print jobs. A remote code execution vulnerability has been reported in Microsoft Windows Print Spooler. The vulnerability is due to the Windows Print Spooler insufficiently restricting where a user has permissions to print to a file. A remote attacker could exploit this issue by sending a malicious print request to a vulnerable server. Successful exploitation of this vulnerability could allow the attacker to take complete control of an affected system.

Protection Overview

This protection will detect and block malformed RPC requests sent to the vulnerable service.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70

In the IPS tab, click Protections and find the Microsoft Print Spooler Service Impersonation Code Execution (MS10-061) protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: MS-RPC Enforcement Violation.
Attack Information: Microsoft Print Spooler service impersonation code execution (MS10-061)