BlueKeep Vulnerability

Posted: Tuesday, June 18, 2019 12:54:13 PM(UTC)
Esben.D

Member Administration Original PosterPosts: 1,740
Due to this topic getting more attention, I've taken the report Hendrik so kindly posted in the May Patch Tuesday topic to make it easier to find assets that might need patching.

This report gives a complete color-coded overview of all systems vulnerable to the RDS vulnerability (CVE-2019-0708). When the security hotfix is installed OR the Remote Desktop Service is stopped, the affected system is marked as 'not vulnerable'.

This report focusses on Windows XP and 2003, Windows 7, and Windows Server 2008 and 2008 R2, as indicated by Microsoft's CVE-2019-0708 advisory.

Update: Patches from the June Patch Tuesday have been added to the report.

Code:
Select Distinct Top 1000000 Coalesce(tsysOS.Image,
  tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblState.Statename As State,
  Case tblAssets.AssetID
    When SubQuery1.AssetID Then 'Yes'
    Else 'No'
  End As [CVE-2019-0708 Patched],
  tblServiceState.State As [RDP Service Status],
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then 'No'
    When tblServiceState.State Like 'Stopped' Then 'No'
    Else 'Yes'
  End As Vulnerable,
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then ''
    Else Case
        When tsysOS.OSname Like '%XP%' Or
          tsysOS.OSname Like '%2003%' Then 'Install KB4500331'
        When tsysOS.OSname = 'Win 2008' Then 'Install KB4499149,KB4499180, KB4503273 or KB4503287'
        When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
          tsysOS.OSname = 'Win 2008 R2' Then 'Install KB4499164, KB4499175, KB4503292 or KB4503269'
      End
  End As [Install one of these updates],
  tsysOS.OSname As OS,
  tblAssets.SP,
  Case
    When tblComputersystem.Domainrole > 1 Then 'Server'
    Else 'Workstation'
  End As [Workstation/Server],
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tblAssets.Lastseen,
  Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
  GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
  Case
    When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
      GetDate())) > 7 Then
      'Windows update information may not be up to date. We recommend rescanning this machine.'
    Else ''
  End As Comment,
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then '#d4f4be'
    When tblServiceState.State Like 'Stopped' Then '#d4f4be'
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
      From tblQuickFixEngineering
        Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
          = tblQuickFixEngineering.QFEID
      Where tblQuickFixEngineeringUni.HotFixID In ('KB4499149', 'KB4499180',
        'KB4499164', 'KB4499175', 'KB4500331','KB4503273','KB4503287','KB4503292','KB4503269')) As SubQuery1 On
    tblAssets.AssetID = SubQuery1.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
    tblAssets.AssetID
  Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
    And tblAssets.IPNumeric <= tsysIPLocations.EndIP
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        TsysLastscan.Lasttime As QuickFixLastScanned
      From TsysWaittime
        Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
        Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
      Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
    tblAssets.AssetID = QuickFixLastScanned.ID
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        Max(tblErrors.Teller) As ErrorID
      From tblErrors
        Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
      Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tblServices On tblAssets.AssetID = tblServices.AssetID
  Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
    tblServices.ServiceuniqueID
  Inner Join tblServiceState On tblServiceState.StateID = tblServices.StateID
Where tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
      From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
      Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0) And
  tsysOS.OSname Not Like '%2000%' And tsysOS.OSname Not Like '%2016%' And
  tsysOS.OSname Not Like '%win 10%' And tsysOS.OSname Not Like '%2012%' And
  tsysOS.OSname Not Like '%8.1%' And
  tsysOS.OSname Not Like '%2019%' And tblServicesUni.Name Like '%TermService%'
  And tsysAssetTypes.AssetTypename Like 'Windows%' And tblAssetCustom.State = 1
Order By tblAssets.Domain,
  tblAssets.AssetName
heybobby1
#1heybobby1 Member Posts: 39  
posted: 6/18/2019 5:21:58 PM(UTC)
Thanks very much for this Hendrik. I adapted it for our needs to also include NLA status and RDP connection allowed status. Need to add reg values for this.

Edited to add June monthly patches.

Code:
Select Distinct Top 1000000 Coalesce(tsysOS.Image,
  tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tsysOS.OSname As OS,
  Case
    When tblComputersystem.Domainrole > 1 Then 'Server'
    Else 'Workstation'
  End As [Workstation/Server],
  Case
    When RDPConnectionState.Value = '0' Then 'Yes'
    When RDPConnectionState.Value = '1' Then 'No'
    Else 'Rescan needed'
  End As [RDPConnectionAllowed (Yes/No)],
  Case tblAssets.AssetID
    When PatchState.AssetID Then 'Yes'
    Else 'No'
  End As [Patched (Yes/No)],
  Case
    When NLAState.Value = '1' Then 'On'
    When NLAState.Value = '0' Then 'Off'
    Else 'Rescan needed'
  End As [NLA (On/Off)],
  tblServiceState.State As RDPServiceStatus,
  Case
    When tblAssets.AssetID = PatchState.AssetID Then 'No'
    When NLAState.Value = '1' Then 'Partially mitigated'
    Else Case
        When RDPConnectionState.Value = '0' Then 'Yes'
        When RDPConnectionState.Value = '1' Then 'No'
        Else 'Rescan needed'
      End
  End As [Vulnerable (Yes/No/Partially mitigated)],
  Case
    When RDPConnectionState.Value = '' Then ''
    When RDPConnectionState.Value = '1' Then ''
    When tblAssets.AssetID = PatchState.AssetID Then ''
    Else Case
        When tsysOS.OSname Like '%XP%' Or
          tsysOS.OSname Like '%2003%' Then 'Install KB4500331'
        When tsysOS.OSname = 'Win 2008' Then 'Install KB4503273 or KB4499180'
        When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
          tsysOS.OSname = 'Win 2008 R2' Then 'Install KB4503292 or KB4499175'
      End
  End As ActionRequired,
  Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
  GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
  Case
    When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
      GetDate())) > 7 Then 'Windows update information may not be up to date.'
    Else ''
  End As Comment,
  Case
    When tblAssets.AssetID = PatchState.AssetID Then '#d4f4be'
    When RDPConnectionState.Value = '1' Then '#d4f4be'
    When NLAState.Value = '1' Then '#fada5e'
    Else '#ffadad'
  End As backgroundcolor,
  tblAssetCustom.Custom1 As Office,
  tblAssetCustom.Custom2 As Country,
  tblAssets.Lastseen,
  tblAssetCustom.Custom3 As [User],
  tblAssets.Username As Lastuser,
  tblState.Statename As State
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
      From tblQuickFixEngineering
        Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
          = tblQuickFixEngineering.QFEID
      Where tblQuickFixEngineeringUni.HotFixID In ('KB4503273', 'KB4499149',
        'KB4499180', 'KB4503292', 'KB4499164', 'KB4499175', 'KB4500331')) As
  PatchState On tblAssets.AssetID = PatchState.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
    tblAssets.AssetID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        TsysLastscan.Lasttime As QuickFixLastScanned
      From TsysWaittime
        Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
        Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
      Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
    tblAssets.AssetID = QuickFixLastScanned.ID
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        Max(tblErrors.Teller) As ErrorID
      From tblErrors
        Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
      Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tblServices On tblAssets.AssetID = tblServices.AssetID
  Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
    tblServices.ServiceuniqueID
  Inner Join tblServiceState On tblServiceState.StateID = tblServices.StateID
  Left Join (Select tblRegistry.Value,
        tblRegistry.AssetID
      From tblRegistry
      Where tblRegistry.Valuename = 'UserAuthentication') NLAState On
    tblAssets.AssetID = NLAState.AssetID
  Left Join (Select tblRegistry.Value,
        tblRegistry.AssetID
      From tblRegistry
      Where tblRegistry.Valuename = 'fDenyTSConnections') RDPConnectionState On
    tblAssets.AssetID = RDPConnectionState.AssetID
Where tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
      From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
      Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0) And
  tsysOS.OSname Not Like '%2000%' And tsysOS.OSname Not Like '%2016%' And
  tsysOS.OSname Not Like '%win 10%' And tsysOS.OSname Not Like '%2012%' And
  tsysOS.OSname Not Like '%win 8%' And tblServicesUni.Name Like '%TermService%'
  And tsysAssetTypes.AssetTypename Like 'Windows%'
Order By tblAssets.Domain,
  tblAssets.AssetName
Esben.D
#2Esben.D Member Administration Original PosterPosts: 1,740  
posted: 6/19/2019 8:21:58 AM(UTC)
Originally Posted by: heybobby1
Thanks very much for this Hendrik. I adapted it for our needs to also include NLA status and RDP connection allowed status. Need to add reg values for this.


Thanks! Could you elaborate which registry keys should be scanned?
heybobby1
#3heybobby1 Member Posts: 39  
posted: 6/19/2019 3:02:34 PM(UTC)
Originally Posted by: Esben.D
Thanks! Could you elaborate which registry keys should be scanned?


These are the reg values

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication
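
As an added example (not part of heybobby1's post or of the Lansweeper report), the following PowerShell spot-checks a single machine against the same inputs the adapted report uses: the two registry values above, the TermService state and the KB numbers listed in this thread. It assumes PowerShell 2.0 or later run locally on the machine being checked; the helper name Get-RegValue is hypothetical.

```powershell
# Added example: local spot-check that mirrors the adapted report's columns.
# KB numbers and registry paths are the ones quoted in this thread.
$kbList = 'KB4499149','KB4499180','KB4499164','KB4499175','KB4500331',
          'KB4503273','KB4503287','KB4503292','KB4503269'

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value is missing,
    # the case the report shows as 'Rescan needed'.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$deny    = Get-RegValue $tsKey  'fDenyTSConnections'   # 0 = RDP connections allowed
$nla     = Get-RegValue $rdpKey 'UserAuthentication'   # 1 = NLA required
$service = Get-Service -Name TermService -ErrorAction SilentlyContinue

# Get-HotFix only sees what is listed locally; a later rollup that is not in
# $kbList is reported as unpatched, the same limitation raised in this thread.
$patches = @(Get-HotFix | Where-Object { $kbList -contains $_.HotFixID })

# Same precedence as the report: patch first, then NLA, then fDenyTSConnections.
if ($patches.Count -gt 0) {
    $vulnerable = 'No'
} elseif ($nla -eq 1) {
    $vulnerable = 'Partially mitigated'
} elseif ($deny -eq 0) {
    $vulnerable = 'Yes'
} elseif ($deny -eq 1) {
    $vulnerable = 'No'
} else {
    $vulnerable = 'Unknown (registry value missing)'
}

$serviceStatus = if ($service) { $service.Status.ToString() } else { 'Not found' }

New-Object PSObject -Property @{
    Computer             = $env:COMPUTERNAME
    MatchingKBs          = ($patches | ForEach-Object { $_.HotFixID }) -join ', '
    RDPConnectionAllowed = $deny -eq 0
    NLAEnabled           = $nla -eq 1
    RDPServiceStatus     = $serviceStatus
    Vulnerable           = $vulnerable
}
```

Comparing this output with the report row for the same asset shows whether a 'Rescan needed' or stale result comes from the scan data or from the machine itself.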


cit_andrew
#4cit_andrew Member Posts: 1  
posted: 6/19/2019 6:05:16 PM(UTC)
Not sure if this is a bug. But I only see Windows 7 machines in the report unless I remove "And tblAssetCustom.State = 1" from the bottom of the report. Otherwise Windows XP, Server 2008, etc., aren't showing for me.
sleague
#5sleague Member Posts: 5  
posted: 6/19/2019 7:34:32 PM(UTC)
Thanks to all. When I read the KB, it says to use KB4490628, but the report being put out has two different KBs; which is right?

Thank you
miek_g
#6miek_g Member Posts: 10  
posted: 6/20/2019 3:09:22 PM(UTC)
Awesome report.
My only Question / Concern is does KB4503292 include the Patch?

The 20 computers that showed the rollup KB4499164 no longer pass

I did a scan this morning and based on KB4503292 which is the June 11, 2019 (Monthly Rollup) we have 4 systems (in Active Directory) that do not have the patch on, based on the KB4499164 or KB4499175 ALL of the computers failed.

Hendrik.VE
#7Hendrik.VE Member Posts: 18  
posted: 6/21/2019 7:35:16 AM(UTC)
From https://www.computerworl...hly-rollups-differ.html

What's in the monthly rollup? The Windows 7 and 8.1 monthly rollups include not only this month's security patches, but also all past security and non-security fixes, going back to at least October 2016, and possibly further. In other words, a monthly rollup is a superset of the month's security-only.

So the June Monthly Rollup should also fix the RDP vulnerability, meaning you need to adapt the report to include all monthly rollups after the May Rollup (and the indication which KB to install).
Esben.D
#8Esben.D Member Administration Original PosterPosts: 1,740  
posted: 6/21/2019 9:52:22 AM(UTC)
Originally Posted by: cit_andrew
Not sure if this is a bug. But I only see Windows 7 machines in the report unless I remove "And tblAssetCustom.State = 1" from the bottom of the report. Otherwise Windows XP, Server 2008, etc., aren't showing for me.


That would indicate that your other assets are not "active" but have some other state.

Originally Posted by: sleague
Thanks to all. When I read the KB, it says to use KB4490628, but the report being put out has two different KBs; which is right?

Thank you


One is the security only patch from Microsoft, the other is the complete rollup patch. Either one should mitigate.

Originally Posted by: miek_g
Awesome report.
My only Question / Concern is does KB4503292 include the Patch?

The 20 computers that showed the rollup KB4499164 no longer pass

I did a scan this morning and based on KB4503292 which is the June 11, 2019 (Monthly Rollup) we have 4 systems (in Active Directory) that do not have the patch on, based on the KB4499164 or KB4499175 ALL of the computers failed.



I updated the original report to include the security and rollup patches from June.
