
I'm trying to get some clarity on where we stand on deploying the Windows Updates that address CVE-2020-1472.

And in the case of Windows 10/Server 2016/Server 2019, we need to be able to account for when/if the appropriate August 2020 Updates were installed and not just the most recent ones.

I'm probably missing something in Automate that could readily help me account for -or demonstrate- this information.  (It looks to me like the Patch Manager is making an effort to deal with "supersedence", but that's for a separate thread.)

Currently, I'm in the middle of creating a simple table that defines the relationships between specific updates, monthly roll-ups, and superseded/superseding updates. (And I'll be glad to share it when done.) Then use that information while reviewing dataviews and reports.

Does anyone here have any scripts, SQL searches, reports, or guidance/advice they can share here which would help me (and I'm sure others) in dealing with evaluating and reporting for this?

----------
Microsoft Security Response Center
▪️ CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

▪️ Release Notes: August 2020 Security Updates

How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472

----------
Keywords: CVE-2020-1472 Zerologon exploit Netlogon MS-NRPC server DC Domain Controller Windows Patch Manager


I dusted off my old WannaCry monitor and came up with this remote monitor.  It searches for known KBs installed on the system and will alert and create a ticket if known KBs are not installed.  Over time additional KBs will need to be added to the list, but for now I believe it is complete.

The Remote Monitor is using this command if you want to test it without importing the SQL:

"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command "& {$tpDebug=0;$MVer=1.0;$ProgressPreference='SilentlyContinue';IF (-not ($psversiontable.psversion -gt 1.9)) {'Error:POSH 2.0+ Required';exit};$tpvalue='4566116|4565349|4565351|4566782|4570333|4571694|457170[23]|4571719|457172[39]|4571736|4571748|4577015|45770[34]8|457705[13]|457706[269]|4577071|4574727';$Errs={}.Invoke();$Outs={}.Invoke();$KBLIST=@{};$KBResult=@();$i=0;$r=0;$h=0;$k=0;try {$WUSess=New-Object -ComObject 'Microsoft.Update.Session';$WUSearch=$WUSess.CreateUpdateSearcher();$FormatEnumerationLimit=-1;$WUHist=$WUSearch.GetTotalHistoryCount();if ($WUHist -gt 0) {$Outs.Add('Loading Windows Update History');$WUSearch.QueryHistory(0, $WUHist)|Select-Object Title,Date,Operation,Resultcode|Where-Object {$_.Operation -match '[12]' -and $_.Resultcode -match '[123]' -and $_.Date -gt '1/1/1980'}|Sort-Object Date,Title|ForEach-Object {$Title=$_.Title;$KBID=$($Title|Select-String 'KB\d{6,7}' -AllMatches|ForEach-Object{$_.matches}|ForEach-Object {$_.Value});IF($KBID) {switch($_.operation){1{$Outs.Add('Adding '+$KBID+': '+$Title);$i+=1;$KBLIST.Set_Item($KBID,$Title)};2{$Outs.Add('Removing '+$KBID);$r+=1;$KBLIST.Remove($KBID)}}}}} else {$Errs.Add('Windows Update History Unavailable')}} catch {$Errs.Add('Error retrieving Windows Update History')};try {$Outs.Add('Loading Get-Hotfix Reported Updates');Get-Hotfix|ForEach-Object {$KBID=$_.HotfixID;IF($KBID -match 'KB\d{6,7}') {$h+=1;if (-not $KBLIST.ContainsKey($KBID)) {$Outs.Add('Adding '+$KBID);$k+=1;$KBLIST.Set_Item($KBID,$KBID)} else {$Outs.Add($KBID+' already found')}}}} catch {$Errs.Add('Error retrieving Get-Hotfix results')};$Outs.Add('Filtering Updates');$KBLIST.GetEnumerator()|sort-object|Where-Object {($_.Value -match 'KB('+$tpvalue+')' -and $tpvalue.Length -gt 25)}|ForEach-Object {$Outs.Add('Successfully Matched '+$_.Name);$KBResult+=$_.Name};IF (-not $($tpvalue.Length -gt 25)) {$Errs.Add('Error - Template Property kbid_ms17_010 not found')};IF ($tpDebug -eq 1) {'Windows Update - '+$i+' installed, '+$r+' removed';'Get-Hotfix - '+$k+'/'+$h+' hotfixes added.';'Matched Updates: '+$KBResult.Count;$Outs.GetEnumerator()};IF ($KBResult) {'Secured - Detected Updates '+$($KBResult)|Out-String} else {'Vulnerable - No Matching KB Found.';$Errs.GetEnumerator()}}"


CVE-2020-1472 Zerologon Vulnerability Monitor.sql


I created a monitor:

table: eventlogs
field: EventID
InSet
(5827,5828,5829,5830,5831)
ID field: Concat(eventlogs.`TimeGen`,': ', Replace(Replace(eventlogs.`message`,'\'', ''), '\n', '')) AS loggedEvent

add'l condition:
eventlogs.logname='system' and timegen > DATE_SUB(CURRENT_DATE(), INTERVAL 1 DAY)

We have found zero events so far.

From posts on the patchmanagement.org list, it seems that

  • past-EOL Windows 7 is only blocked if the default security settings have been lowered
  • Installing the patch is sufficient to block the attack from Windows computers
  • The concern would be other devices (e.g. NAS joined to the domain? Old Macs maybe?)

As for when a specific patch was installed, the Patch History tab will show that, so it's presumably somewhere in the database.  However, that gets pruned out eventually.  Windows itself tends to replace its own history for superseded patches, like when a new monthly CU installs.  Or, Win10 feature updates erase Windows' own history.

We have a search for missing KBs, but note it has issues such as different Win10 FUs tend to have different KB numbers, and this KB will be "missing" once the next monthly CU installs.

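Added example (not from the post above or the Automate monitor it describes): a small Python triage of the same System-log event IDs the monitor selects (5827 through 5831), bucketing the machine accounts that show up so the "other devices" question raised in the bullets can be answered from the log. The record layout, the account-name field and all sample lines are constructed assumptions; the event-ID meanings follow Microsoft's CVE-2020-1472 guidance.

```python
import re
from collections import Counter

# Netlogon System-log events the monitor above keys on. Per Microsoft's
# CVE-2020-1472 guidance: 5827/5828 = vulnerable connection denied;
# 5829 = vulnerable connection still allowed (pre-enforcement only);
# 5830/5831 = allowed because the account is covered by the "Allow
# vulnerable Netlogon secure channel connections" group policy.
DENIED, ALLOWED_VULN, ALLOWED_BY_POLICY = {5827, 5828}, {5829}, {5830, 5831}
WATCHED = DENIED | ALLOWED_VULN | ALLOWED_BY_POLICY

# Assumed flattened record shape: "<TimeGen>: <EventID> <message>", mirroring
# the "TimeGen: message" string the monitor's ID field builds.
RECORD_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (\d+) (.*)$")
ACCOUNT_RE = re.compile(r"SamAccountName: (\S+)")

# Constructed sample records; account names are invented, not real data.
SAMPLE_LOG = [
    "2020-09-22 08:15:02: 7036 The Print Spooler service entered the running state.",
    "2020-09-22 09:01:10: 5829 The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: NAS01$ Domain: CORP",
    "2020-09-22 09:01:11: 5829 The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: OLDMAC$ Domain: CORP",
    "2020-09-22 09:30:44: 5830 The Netlogon service allowed a vulnerable Netlogon secure channel connection because the machine account is allowed by group policy. Machine SamAccountName: LEGACYAPP$ Domain: CORP",
    "2020-09-22 11:12:00: 5827 The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: NAS01$ Domain: CORP",
    "garbage line that does not parse",
]

def triage(records):
    """Count 5827-5831 events and list the accounts that will break under
    enforcement (5829), are policy-exempted (5830/5831), or were denied."""
    counts, will_break, exempted, denied = Counter(), set(), set(), set()
    for line in records:
        m = RECORD_RE.match(line)
        if not m or int(m.group(2)) not in WATCHED:
            continue  # unparseable or not a Netlogon event: same InSet filter as the monitor
        eid = int(m.group(2))
        counts[eid] += 1
        a = ACCOUNT_RE.search(m.group(3))
        acct = a.group(1) if a else "<unknown>"
        bucket = will_break if eid in ALLOWED_VULN else exempted if eid in ALLOWED_BY_POLICY else denied
        bucket.add(acct)
    return {"counts": dict(counts), "will_break_under_enforcement": sorted(will_break),
            "allowed_by_policy": sorted(exempted), "already_denied": sorted(denied)}
```

Feeding it the flattened `loggedEvent` strings the monitor produces gives a per-DC list of accounts to chase down before enforcement mode, rather than just a ticket saying "events found".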


I had to explode the SQL (which @DarrenWhite99 has so kindly shared with us) to help me better read/interpret it.

Here are the fields referenced in the SQL statement and I've marked certain ones using the key described at the bottom.  Help?

`AgentID`,
`GroupID`,⚠️
`SearchID`,⚠️
`Name`,
`CheckAction`,
`AlertAction`,⚠️
`AlertMessage`,
`ContactID`,
`interval`,
`Where`,
`What`,
`DataOut`,
`Comparor`,
`DataIn`,
`IDField`,
`AlertStyle`,
`ScriptID`,
`datacollector`,
`Category`,⚠️
`TicketCategory`,⚠️
`ScriptTarget`,
`GUID`


⚠️ = Check/Verify and Adjust as/if needed (I think)

= Uh...???

= Might want or need to change???


https://www.samba.org/samba/security/CVE-2020-1472.html

"...since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having 'server schannel = yes' in the smb.conf.

Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines 'server schannel = no' or 'server schannel = auto'.

Samba versions 4.7 and below are vulnerable unless they have 'server schannel = yes' in the smb.conf."
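Added example, not part of the Samba advisory or this post: a Python check that applies the three quoted rules (4.8+ vulnerable only with 'server schannel = no' or 'auto'; 4.7 and below vulnerable unless 'server schannel = yes') to a Samba version string and an smb.conf. The smb.conf fragments are constructed, and the assumption that only the [global] section matters and that values compare case-insensitively is mine.

```python
import re

# Decision rules quoted above from the Samba advisory for CVE-2020-1472:
#   4.8+  : vulnerable only if smb.conf sets 'server schannel = no' or 'auto'
#   <=4.7 : vulnerable unless smb.conf sets 'server schannel = yes'
# Assumption (not from the advisory): only [global] is consulted and the
# value is compared case-insensitively.

def parse_version(version):
    """Turn '4.12.6' into (4, 12) for comparison; patch level is irrelevant here."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)", version).groups())

def server_schannel(smb_conf_text):
    """Return the 'server schannel' value from [global], or None if absent."""
    section, value = None, None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = (s.strip().lower() for s in line.split("=", 1))
            if key == "server schannel":
                value = val  # last occurrence wins, as with smbd
    return value

def zerologon_exposed(version, smb_conf_text):
    """True if this Samba DC is vulnerable under the advisory's rules."""
    setting = server_schannel(smb_conf_text)
    if parse_version(version) >= (4, 8):
        return setting in ("no", "auto")   # default (absent) is already 'yes'
    return setting != "yes"                # old releases need it set explicitly

# Constructed smb.conf fragments (not from any real host).
NEW_DEFAULT = "[global]\n    workgroup = CORP\n    server role = active directory domain controller\n"
NEW_WEAKENED = NEW_DEFAULT + "    server schannel = auto\n"
OLD_HARDENED = NEW_DEFAULT + "    server schannel = yes\n"
```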

On 9/23/2020 at 4:18 AM, Jacobsa said:

Thanks Dad. Just a heads up, the imported SQL came in as this to me.. Automatically creating a ticket, and limited to SQL 2005 servers...


Thanks for this, it's exactly what we are looking to check!

Just want to make sure on the "Limit to" that should be changed to "Server Roles\Server Role - Domain Controllers" or should it be checked on all servers?


I confirmed the registry check (barring intentional manipulation of the registry) is a better indicator of an appropriate patch being installed than trying to test for specific installed updates. It even flagged systems I thought were patched but on investigation found had not yet been restarted and thus the patch was installed but not effective. I did update my monitor to not include "in progress" patches so I got the same results, but since the registry check is quick and simple and accurate, I agree it's the best way to monitor for vulnerable systems.

