Zerologon Vulnerability Audit

Discover Zerologon Vulnerable Assets

Microsoft revealed that the vulnerability dubbed "ZeroLogon" is actively being exploited. The vulnerability was first disclosed along with the August Patch Tuesday release. Because subsequent patches also contain the fixes, updating to the September Patch Tuesday also fixes the problem. However, because many companies still patch with a delay, attackers are still able to exploit the vulnerability. Use the audit below to check whether you still have servers that need patching.

You can find all the details about the vulnerability and the potential impact on your IT environment in our Zerologon blog post.

Zerologon Vulnerability Audit Query

Select Distinct Top 1000000 Coalesce(tsysOS.Image,
  tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblState.Statename As State,
  Case tblAssets.AssetID
    When SubQuery1.AssetID Then 'Up to date'
    Else 'Out of date'
  End As [Patch status],
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblAssets.SP,
  Case
    When tsysOS.OScode Like '10.0.10240%' Then '1507'
    When tsysOS.OScode Like '10.0.10586%' Then '1511'
    When tsysOS.OScode Like '10.0.14393%' Then '1607'
    When tsysOS.OScode Like '10.0.15063%' Then '1703'
    When tsysOS.OScode Like '10.0.16299%' Then '1709'
    When tsysOS.OScode Like '10.0.17134%' Then '1803'
    When tsysOS.OScode Like '10.0.17763%' Then '1809'
    When tsysOS.OScode Like '10.0.18362%' Then '1903'
    When tsysOS.OScode Like '10.0.18363%' Then '1909'
    When tsysOS.OScode Like '10.0.19041%' Then '2004'
  End As Version,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  -- Report an error only when ErrorText is present and non-empty
  Case
    When tblErrors.ErrorText Is Not Null And
      tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  -- OScode patterns use a trailing wildcard, as in the Version column above
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then ''
    Else Case
        When tsysOS.OSname = 'Win 2008 R2' Then 'KB4571729 or KB4571719 or KB4577051 or KB4577053'
        When tsysOS.OSname = 'Win 2012' Then 'KB4571736 or KB4571702 or KB4577038 or KB4577048'
        When tsysOS.OSname = 'Win 2012 R2' Then 'KB4571703 or KB4571723 or KB4577071 or KB4577066'
        When tsysOS.OSname = 'Win 2016' Then 'KB4571694 or KB4577015'
        When tsysOS.OSname = 'Win 2019' Then 'KB4565349 or KB4570333'
        When tsysOS.OScode Like '10.0.18362%' Then 'KB4565351 or KB4574727'
        When tsysOS.OScode Like '10.0.18363%' Then 'KB4565351 or KB4574727'
        When tsysOS.OScode Like '10.0.19041%' Then 'KB4566782 or KB4571756'
      End
  End As [Install one of these updates],
  Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
  GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
  -- Compare the day count as a number rather than as converted text
  Case
    When DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
      GetDate()) > 3 Then
      'Windows update information may not be up to date. We recommend rescanning this machine.'
    Else ''
  End As Comment,
  Case tblAssets.AssetID
    When SubQuery1.AssetID Then '#d4f4be'
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
    tblAssets.AssetID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
      From tblQuickFixEngineering
        Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
          = tblQuickFixEngineering.QFEID
      Where tblQuickFixEngineeringUni.HotFixID In ('KB4571729','KB4571719','KB4577051',
         'KB4577053','KB4571736','KB4571702','KB4577038','KB4577048','KB4571703',
         'KB4571723','KB4577071','KB4577066','KB4571694','KB4577015','KB4565349',
         'KB4570333','KB4565351','KB4574727','KB4566782','KB4571756')) As
  SubQuery1 On tblAssets.AssetID = SubQuery1.AssetID
  Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
    And tblAssets.IPNumeric <= tsysIPLocations.EndIP
  Left Join (Select Distinct Top 1000000 TsysLastscan.AssetID As ID,
        TsysLastscan.Lasttime As QuickFixLastScanned
      From TsysWaittime
        Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
      Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned
    On tblAssets.AssetID = QuickFixLastScanned.ID
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
        Max(tblErrors.Teller) As ErrorID
      From tblErrors
      Group By tblErrors.AssetID) As ScanningError
    On tblAssets.AssetID = ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType
  -- Domainrole 4 and 5 are backup and primary domain controllers
  Inner Join (Select Distinct Top 1000000 tblComputersystem.AssetID As ID
      From tblComputersystem
      Where tblComputersystem.Domainrole > 3) As DC
    On tblAssets.AssetID = DC.ID
-- The OS conditions are grouped so the State and asset type filters apply to every branch
Where (tsysOS.OSname In ('Win 2008 R2','Win 2012','Win 2012 R2','Win 2016','Win 2019') Or
    tsysOS.OScode Like '10.0.18362%' Or
    tsysOS.OScode Like '10.0.18363%' Or
    tsysOS.OScode Like '10.0.19041%')
  And tblAssetCustom.State = 1
  And tsysAssetTypes.AssetTypename Like 'Windows%'
Order By tblAssets.Domain,
  tblAssets.AssetName
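
A per-domain roll-up built on the same tables and KB list as the audit query above, showing where unpatched domain controllers are concentrated. This is an added example, not part of the original Lansweeper report; the column aliases and the Patched subquery name are illustrative.

```sql
-- Added example: count domain controllers per domain that have, or lack,
-- one of the KBs checked by the audit query. Uses only tables and columns
-- that appear in that query; aliases are illustrative.
Select Top 1000000 tblAssets.Domain,
  Count(Distinct tblAssets.AssetID) As [Domain controllers],
  Count(Distinct Patched.AssetID) As [Up to date],
  Count(Distinct tblAssets.AssetID) - Count(Distinct Patched.AssetID)
    As [Out of date]
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  -- Assets that report at least one of the listed updates
  Left Join (Select Distinct tblQuickFixEngineering.AssetID
      From tblQuickFixEngineering
        Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
          = tblQuickFixEngineering.QFEID
      Where tblQuickFixEngineeringUni.HotFixID In ('KB4571729','KB4571719',
        'KB4577051','KB4577053','KB4571736','KB4571702','KB4577038',
        'KB4577048','KB4571703','KB4571723','KB4577071','KB4577066',
        'KB4571694','KB4577015','KB4565349','KB4570333','KB4565351',
        'KB4574727','KB4566782','KB4571756')) As Patched
    On tblAssets.AssetID = Patched.AssetID
-- Domainrole 4 and 5 are backup and primary domain controllers
Where tblComputersystem.Domainrole > 3
  And tblAssetCustom.State = 1
  And (tsysOS.OSname In ('Win 2008 R2','Win 2012','Win 2012 R2','Win 2016',
      'Win 2019') Or
    tsysOS.OScode Like '10.0.18362%' Or
    tsysOS.OScode Like '10.0.18363%' Or
    tsysOS.OScode Like '10.0.19041%')
Group By tblAssets.Domain
Order By [Out of date] Desc,
  tblAssets.Domain
```

Because the KB list is fixed, a domain controller that reports none of these hotfix IDs is counted as out of date.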

Audit and Take Action in 3 Easy Steps

1. Download & Install Lansweeper

3. Run the Audit & Take Action
