BlueKeep Vulnerability

Posted: Tuesday, June 18, 2019 12:54:13 PM(UTC)
Esben.D (Member, Administration, Original Poster) Posts: 1,933
Due to this topic getting more attention, I've taken the report Hendrik so kindly posted in the May Patch Tuesday topic to make it easier to find assets that might need patching.

This report gives a complete color-coded overview of all systems vulnerable to the RDS vulnerability (CVE-2019-0708). When the security hotfix is installed OR the Remote Desktop Service is stopped, the affected system is marked as 'not vulnerable'.

This report focuses on Windows XP and 2003, Windows 7 and Windows Server 2008 and 2008 R2, as indicated by Microsoft's CVE-2019-0708 advisory.

Update: Patches from the June Patch Tuesday have been added to the report.

Code:
Select Distinct Top 1000000 Coalesce(tsysOS.Image,
  tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblState.Statename As State,
  Case tblAssets.AssetID
    When SubQuery1.AssetID Then 'Yes'
    Else 'No'
  End As [CVE-2019-0708 Patched],
  tblServiceState.State As [RDP Service Status],
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then 'No'
    When tblServiceState.State Like 'Stopped' Then 'No'
    Else 'Yes'
  End As Vulnerable,
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then ''
    Else Case
        When tsysOS.OSname Like '%XP%' Or
          tsysOS.OSname Like '%2003%' Then 'Install KB4500331'
        When tsysOS.OSname = 'Win 2008' Then 'Install KB4499149, KB4499180, KB4503273 or KB4503287'
        When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
          tsysOS.OSname = 'Win 2008 R2' Then 'Install KB4499164, KB4499175, KB4503292 or KB4503269'
      End
  End As [Install one of these updates],
  tsysOS.OSname As OS,
  tblAssets.SP,
  Case
    When tblComputersystem.Domainrole > 1 Then 'Server'
    Else 'Workstation'
  End As [Workstation/Server],
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tblAssets.Lastseen,
  Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
  GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
  Case
    When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
      GetDate())) > 7 Then
      'Windows update information may not be up to date. We recommend rescanning this machine.'
    Else ''
  End As Comment,
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then '#d4f4be'
    When tblServiceState.State Like 'Stopped' Then '#d4f4be'
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
      From tblQuickFixEngineering
        Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
          = tblQuickFixEngineering.QFEID
      Where tblQuickFixEngineeringUni.HotFixID In ('KB4499149', 'KB4499180',
        'KB4499164', 'KB4499175', 'KB4500331', 'KB4503273', 'KB4503287',
        'KB4503292', 'KB4503269')) As SubQuery1 On
    tblAssets.AssetID = SubQuery1.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
    tblAssets.AssetID
  Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
    And tblAssets.IPNumeric <= tsysIPLocations.EndIP
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        TsysLastscan.Lasttime As QuickFixLastScanned
      From TsysWaittime
        Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
        Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
      Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
    tblAssets.AssetID = QuickFixLastScanned.ID
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        Max(tblErrors.Teller) As ErrorID
      From tblErrors
        Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
      Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tblServices On tblAssets.AssetID = tblServices.AssetID
  Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
    tblServices.ServiceuniqueID
  Inner Join tblServiceState On tblServiceState.StateID = tblServices.StateID
Where tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
      From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
      Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0) And
  tsysOS.OSname Not Like '%2000%' And tsysOS.OSname Not Like '%2016%' And
  tsysOS.OSname Not Like '%win 10%' And tsysOS.OSname Not Like '%2012%' And
  tsysOS.OSname Not Like '%8.1%' And
  tsysOS.OSname Not Like '%2019%' And tblServicesUni.Name Like '%TermService%'
  And tsysAssetTypes.AssetTypename Like 'Windows%' And tblAssetCustom.State = 1
Order By tblAssets.Domain,
  tblAssets.AssetName
#1 heybobby1 (Member) Posts: 40
posted: 6/18/2019 5:21:58 PM(UTC)
Thanks very much for this Hendrik. I adapted it for our needs to also include NLA status and RDP connection allowed status. Need to add reg values for this.

Edited to add June monthly patches.

Code:
Select Distinct Top 1000000 Coalesce(tsysOS.Image,
  tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tsysOS.OSname As OS,
  Case
    When tblComputersystem.Domainrole > 1 Then 'Server'
    Else 'Workstation'
  End As [Workstation/Server],
  Case
    When RDPConnectionState.Value = '0' Then 'Yes'
    When RDPConnectionState.Value = '1' Then 'No'
    Else 'Rescan needed'
  End As [RDPConnectionAllowed (Yes/No)],
  Case tblAssets.AssetID
    When PatchState.AssetID Then 'Yes'
    Else 'No'
  End As [Patched (Yes/No)],
  Case
    When NLAState.Value = '1' Then 'On'
    When NLAState.Value = '0' Then 'Off'
    Else 'Rescan needed'
  End As [NLA (On/Off)],
  tblServiceState.State As RDPServiceStatus,
  Case
    When tblAssets.AssetID = PatchState.AssetID Then 'No'
    When NLAState.Value = '1' Then 'Partially mitigated'
    Else Case
        When RDPConnectionState.Value = '0' Then 'Yes'
        When RDPConnectionState.Value = '1' Then 'No'
        Else 'Rescan needed'
      End
  End As [Vulnerable (Yes/No/Partially mitigated)],
  Case
    When RDPConnectionState.Value = '' Then ''
    When RDPConnectionState.Value = '1' Then ''
    When tblAssets.AssetID = PatchState.AssetID Then ''
    Else Case
        When tsysOS.OSname Like '%XP%' Or
          tsysOS.OSname Like '%2003%' Then 'Install KB4500331'
        When tsysOS.OSname = 'Win 2008' Then 'Install KB4503273 or KB4499180'
        When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
          tsysOS.OSname = 'Win 2008 R2' Then 'Install KB4503292 or KB4499175'
      End
  End As ActionRequired,
  Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
  GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
  Case
    When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
      GetDate())) > 7 Then 'Windows update information may not be up to date.'
    Else ''
  End As Comment,
  Case
    When tblAssets.AssetID = PatchState.AssetID Then '#d4f4be'
    When RDPConnectionState.Value = '1' Then '#d4f4be'
    When NLAState.Value = '1' Then '#fada5e'
    Else '#ffadad'
  End As backgroundcolor,
  tblAssetCustom.Custom1 As Office,
  tblAssetCustom.Custom2 As Country,
  tblAssets.Lastseen,
  tblAssetCustom.Custom3 As [User],
  tblAssets.Username As Lastuser,
  tblState.Statename As State
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
      From tblQuickFixEngineering
        Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
          = tblQuickFixEngineering.QFEID
      Where tblQuickFixEngineeringUni.HotFixID In ('KB4503273', 'KB4499149',
        'KB4499180', 'KB4503292', 'KB4499164', 'KB4499175', 'KB4500331')) As
  PatchState On tblAssets.AssetID = PatchState.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
    tblAssets.AssetID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        TsysLastscan.Lasttime As QuickFixLastScanned
      From TsysWaittime
        Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
        Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
      Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
    tblAssets.AssetID = QuickFixLastScanned.ID
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        Max(tblErrors.Teller) As ErrorID
      From tblErrors
        Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
      Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tblServices On tblAssets.AssetID = tblServices.AssetID
  Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
    tblServices.ServiceuniqueID
  Inner Join tblServiceState On tblServiceState.StateID = tblServices.StateID
  Left Join (Select tblRegistry.Value,
        tblRegistry.AssetID
      From tblRegistry
      Where tblRegistry.Valuename = 'UserAuthentication') NLAState On
    tblAssets.AssetID = NLAState.AssetID
  Left Join (Select tblRegistry.Value,
        tblRegistry.AssetID
      From tblRegistry
      Where tblRegistry.Valuename = 'fDenyTSConnections') RDPConnectionState On
    tblAssets.AssetID = RDPConnectionState.AssetID
Where tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
      From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
      Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0) And
  tsysOS.OSname Not Like '%2000%' And tsysOS.OSname Not Like '%2016%' And
  tsysOS.OSname Not Like '%win 10%' And tsysOS.OSname Not Like '%2012%' And
  tsysOS.OSname Not Like '%win 8%' And tblServicesUni.Name Like '%TermService%'
  And tsysAssetTypes.AssetTypename Like 'Windows%'
Order By tblAssets.Domain,
  tblAssets.AssetName
#2 Esben.D (Member, Administration, Original Poster) Posts: 1,933
posted: 6/19/2019 8:21:58 AM(UTC)
Originally Posted by: heybobby1
Thanks very much for this Hendrik. I adapted it for our needs to also include NLA status and RDP connection allowed status. Need to add reg values for this.


Thanks! Could you elaborate which registry keys should be scanned?
#3 heybobby1 (Member) Posts: 40
posted: 6/19/2019 3:02:34 PM(UTC)
Originally Posted by: Esben.D
Thanks! Could you elaborate which registry keys should be scanned?


These are the reg values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication


#4 cit_andrew (Member) Posts: 1
posted: 6/19/2019 6:05:16 PM(UTC)
Not sure if this is a bug, but I only see Windows 7 machines in the report unless I remove "And tblAssetCustom.State = 1" from the bottom of the report. Otherwise Windows XP, Server 2008, etc. aren't showing for me.
#5 sleague (Member) Posts: 5
posted: 6/19/2019 7:34:32 PM(UTC)
Thanks to all. When I read the KB it says to use KB4490628, but the report being put out has two different KBs. Which is right?

Thank you
#6 miek_g (Member) Posts: 11
posted: 6/20/2019 3:09:22 PM(UTC)
Awesome report.
My only question / concern is: does KB4503292 include the patch?

The 20 computers that showed the rollup KB4499164 no longer pass.

I did a scan this morning, and based on KB4503292, which is the June 11, 2019 (Monthly Rollup), we have 4 systems (in Active Directory) that do not have the patch on; based on KB4499164 or KB4499175, ALL of the computers failed.

#7 Hendrik.VE (Member) Posts: 28
posted: 6/21/2019 7:35:16 AM(UTC)
From https://www.computerworl...thly-rollups-differ.html

What's in the monthly rollup? The Windows 7 and 8.1 monthly rollups include not only this month's security patches, but also all past security and non-security fixes, going back to at least October 2016, and possibly further. In other words, a monthly rollup is a superset of the month's security-only.

So the June Monthly Rollup should also fix the RDP vulnerability, meaning you need to adapt the report to include all monthly rollups after the May Rollup (and the indication of which KB to install).
#8 Esben.D (Member, Administration, Original Poster) Posts: 1,933
posted: 6/21/2019 9:52:22 AM(UTC)
Originally Posted by: cit_andrew
Not sure if this is a bug, but I only see Windows 7 machines in the report unless I remove "And tblAssetCustom.State = 1" from the bottom of the report. Otherwise Windows XP, Server 2008, etc. aren't showing for me.


That would indicate that your other assets are not "active" but have some other state.

Originally Posted by: sleague
Thanks to all. When I read the KB it says to use KB4490628, but the report being put out has two different KBs. Which is right?

Thank you


One is the security only patch from Microsoft, the other is the complete rollup patch. Either one should mitigate.

Originally Posted by: miek_g
Awesome report.
My only question / concern is: does KB4503292 include the patch?

The 20 computers that showed the rollup KB4499164 no longer pass.

I did a scan this morning, and based on KB4503292, which is the June 11, 2019 (Monthly Rollup), we have 4 systems (in Active Directory) that do not have the patch on; based on KB4499164 or KB4499175, ALL of the computers failed.



I updated the original report to include the security and rollup patches from June.
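Added example, not code from this thread or from Lansweeper: a self-contained T-SQL script that reproduces the decision rules of the reports above (patched / RDP disabled / NLA on / no registry data) on constructed sample data. It keeps the fixing updates in a small lookup table keyed by OS family, so that later monthly rollups, the point raised in #7, are added as rows rather than by editing every CASE branch, and it only credits a KB that belongs to the asset's own OS family, which is stricter than the single KB list in the reports. The temp tables #Asset, #HotFix, #Registry and #FixKB and their columns are assumptions that mirror only the columns the reports read; they are not Lansweeper's tables. Unlike the query in #1, the RDP-disabled check is evaluated before the NLA check, so a host with RDP disabled reads 'No' even when NLA is also on.

```sql
-- Added example (not from the thread): report decision rules over
-- constructed sample data. Temp tables and columns are assumptions that
-- mirror only what the reports above use, not the Lansweeper schema.
-- Runs on SQL Server 2008 or later.
SET NOCOUNT ON;

CREATE TABLE #Asset    (AssetID int, AssetName nvarchar(30), OSname nvarchar(30), SP int);
CREATE TABLE #HotFix   (AssetID int, HotFixID nvarchar(20));
CREATE TABLE #Registry (AssetID int, Valuename nvarchar(40), Value nvarchar(10));
CREATE TABLE #FixKB    (OSFamily nvarchar(20), HotFixID nvarchar(20));

-- Constructed sample assets, one per decision outcome
INSERT INTO #Asset VALUES
  (1, 'WS-PATCHED',  'Win 7',       1),
  (2, 'WS-NLA',      'Win 7',       1),
  (3, 'SRV-RDPOFF',  'Win 2008 R2', 1),
  (4, 'SRV-EXPOSED', 'Win 2008',    2),
  (5, 'WS-NOSCAN',   'Win XP',      3);

-- Only asset 1 has a fixing update installed
INSERT INTO #HotFix VALUES (1, 'KB4499164');

-- fDenyTSConnections = 1 means RDP is disabled; UserAuthentication = 1 means
-- NLA is required. Asset 5 has no rows because it has not been scanned yet.
INSERT INTO #Registry VALUES
  (1, 'fDenyTSConnections', '0'), (1, 'UserAuthentication', '0'),
  (2, 'fDenyTSConnections', '0'), (2, 'UserAuthentication', '1'),
  (3, 'fDenyTSConnections', '1'), (3, 'UserAuthentication', '0'),
  (4, 'fDenyTSConnections', '0'), (4, 'UserAuthentication', '0');

-- Fixing updates as listed in the reports, keyed by OS family, so that a
-- later rollup is added as one more row here instead of a CASE edit.
INSERT INTO #FixKB VALUES
  ('XP/2003',  'KB4500331'),
  ('2008',     'KB4499149'), ('2008',     'KB4499180'),
  ('2008',     'KB4503273'), ('2008',     'KB4503287'),
  ('7/2008R2', 'KB4499164'), ('7/2008R2', 'KB4499175'),
  ('7/2008R2', 'KB4503292'), ('7/2008R2', 'KB4503269');

WITH Fam AS (
  -- Map the scanned OS name onto the family used by the lookup table
  SELECT a.*,
    CASE WHEN a.OSname LIKE '%XP%' OR a.OSname LIKE '%2003%' THEN 'XP/2003'
         WHEN a.OSname = 'Win 2008' THEN '2008'
         WHEN a.OSname IN ('Win 7', 'Win 7 RC', 'Win 2008 R2') THEN '7/2008R2'
    END AS OSFamily
  FROM #Asset a
),
Patched AS (
  -- Credit a hotfix only if it is a fixing update for that asset's own family
  SELECT DISTINCT h.AssetID
  FROM #HotFix h
  JOIN Fam f    ON f.AssetID = h.AssetID
  JOIN #FixKB k ON k.OSFamily = f.OSFamily AND k.HotFixID = h.HotFixID
),
Reg AS (
  -- Pivot the two registry values into one row per asset
  SELECT AssetID,
    MAX(CASE WHEN Valuename = 'fDenyTSConnections' THEN Value END) AS DenyTS,
    MAX(CASE WHEN Valuename = 'UserAuthentication' THEN Value END) AS NLA
  FROM #Registry
  GROUP BY AssetID
)
SELECT f.AssetName, f.OSname,
  CASE WHEN p.AssetID IS NOT NULL THEN 'Yes' ELSE 'No' END AS Patched,
  CASE r.DenyTS WHEN '0' THEN 'Yes' WHEN '1' THEN 'No'  ELSE 'Rescan needed' END AS RDPAllowed,
  CASE r.NLA    WHEN '1' THEN 'On'  WHEN '0' THEN 'Off' ELSE 'Rescan needed' END AS NLA,
  v.Vulnerable,
  CASE WHEN v.Vulnerable IN ('Yes', 'Partially mitigated')
       THEN 'Install one of: ' + STUFF((SELECT ', ' + k.HotFixID
                                        FROM #FixKB k
                                        WHERE k.OSFamily = f.OSFamily
                                        FOR XML PATH('')), 1, 2, '')
       ELSE '' END AS ActionRequired
FROM Fam f
LEFT JOIN Patched p ON p.AssetID = f.AssetID
LEFT JOIN Reg r     ON r.AssetID = f.AssetID
CROSS APPLY (SELECT
  CASE WHEN p.AssetID IS NOT NULL THEN 'No'            -- fixing update present
       WHEN r.DenyTS = '1'        THEN 'No'            -- RDP disabled
       WHEN r.DenyTS IS NULL      THEN 'Rescan needed' -- no registry data yet
       WHEN r.NLA = '1'           THEN 'Partially mitigated'
       ELSE 'Yes' END AS Vulnerable) v
ORDER BY f.AssetName;

DROP TABLE #Asset, #HotFix, #Registry, #FixKB;
```

On the sample data the script returns SRV-EXPOSED as Vulnerable = 'Yes' with the four Win 2008 updates listed, SRV-RDPOFF and WS-PATCHED as 'No', WS-NLA as 'Partially mitigated', and WS-NOSCAN as 'Rescan needed'. The "Rescan needed" outcome matters operationally: a host with no registry data is reported as unknown rather than silently treated as safe, which is the failure mode a rescan-after-deploy workflow (see #10) is meant to close.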

#9 Argon0 (Member) Posts: 38
posted: 7/26/2019 12:18:11 PM(UTC)
Great Report, really useful.

I have created a deployment package of KB4499164 using was to kick it off. ... And it's been run on several machines, worked fine... And run it against those machines showing vulnerable in the report (also altered the report to focus on a subset of machines which are in vulnerable locations, or have been picked up as being vulnerable via another reporting mechanism).

BUT the package I've created doesn't check if the patch is already installed, the only way I can see to do this is via the condition, which will look at registry keys, files, OS version, or OS Architecture...

I've noticed that the deployment package is being kicked off by several people, all trying to fix the same problem using the same package, but not letting the patch finish, OR the machines reboot (and scan) before running the deployment again...

So I need to add a check for a registry key to see if the patch is already installed, can someone help?

TVM...
#10 Charles.X (Member, Administration, Original Poster) Posts: 1,933
posted: 7/30/2019 10:19:06 AM(UTC)
Best thing to do is to enable the "Rescan Assets" option on your deployment. This will rescan the assets after a deployment has taken place. This should prevent them from being deployed to again if your report only has assets in it that do not have the patch.
#11 LinHD (Member) Posts: 8
posted: 11/8/2019 8:07:56 AM(UTC)
Given the first cyber-attack exploiting the BlueKeep RDP flaw spotted in the wild, should the report be updated?
I think it misses considering cumulative updates released after June.
#12 jwood.mls (Member) Posts: 41
posted: 11/11/2019 4:58:59 PM(UTC)
I completely agree. I was pretty sure I had this mitigated, but none of the reports I'm finding on here are showing this. If the report isn't accurate, it probably should be pulled off of the site, otherwise, please update it.
