mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
02944660ee
Proposal for detecting Windows vulnerabilities
139 lines
29 KiB
Markdown
139 lines
29 KiB
Markdown
# Detecting Windows OS vulnerabilities
|
||
|
||
The first step in detecting Windows vulnerabilities is understanding how they are remediated. Using
|
||
the CISA list of know vulnerabilities as a sample, it was determined that all vulnerability
|
||
remediations follow the form of *applying some software patch* and then *following some
|
||
steps (if any)* so it follows that to determine if a system is susceptible to a vulnerability we will need to
|
||
check whether a specific software patch was applied and also if the provided steps were followed. So
|
||
basically we have three problems we need to solve:
|
||
1. We need a list of vulnerabilities + remediations. Each remediation is composed of a patch + some steps.
|
||
2. For a given vulnerability we need to determine whether the proper patch was applied.
|
||
3. For a given vulnerability we need to determine whether the steps (if any) were followed.
|
||
|
||
## List of vulnerabilities
|
||
|
||
To get the list of vulnerabilities we can use the [Microsoft Security Updates API](https://api.msrc.microsoft.com/cvrf/v2.0/swagger/index). This [endpoint](api.msrc.microsoft.com/cvrf/v2.0/document/yyyy-mm) in particular exposes all the security updates released for yyyy-mmm formatted according to the [Common Vulnerability Reporting Framework](http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/csaf-cvrf-v1.2.html#:~:text=The%20CSAF%20Common%20Vulnerability%20Reporting,impact%20and%20remediation%20among%20interested) (cvrf) format, this cvrf document will include entries for vulnerabilities, how to patch them and what products are affected.
|
||
|
||
For example, say we have a host running *Windows 10 Version 21H2 x64* and we want to determine whether that host is susceptible to *CVE-2022-26925*. Looking at https://api.msrc.microsoft.com/cvrf/v2.0/document/2022-May we can see that *Windows 10 Version 21H2 for x64* is assigned the Product ID **11931**:
|
||
|
||
```
|
||
...
|
||
<prod:ProductTree>
|
||
...
|
||
<prod:Branch Type="Product Family" Name="Windows">
|
||
...
|
||
<prod:FullProductName ProductID="11931">Windows 10 Version 21H2 for x64-based Systems</prod:FullProductName>
|
||
...
|
||
</prod:Branch>
|
||
…
|
||
<prod:ProductTree>
|
||
…
|
||
```
|
||
|
||
Looking at the matching vulnerability element (`<vuln:Vulnerability Ordinal="47">`) *CVE-2022-26925*, we can see that
|
||
*Windows 10 Version 21H2 x64* is indeed affected by it:
|
||
|
||
```
|
||
<vuln:ProductStatuses>
|
||
<vuln:Status Type="Known Affected">
|
||
...
|
||
<vuln:ProductID>11931</vuln:ProductID>
|
||
...
|
||
</vuln:Status>
|
||
</vuln:ProductStatuses>
|
||
```
|
||
|
||
And also the remediation steps:
|
||
|
||
```
|
||
<vuln:Remediations>
|
||
…
|
||
<vuln:Remediation Type="Vendor Fix">
|
||
<vuln:Description>5013942</vuln:Description>
|
||
<vuln:URL>https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5013942</vuln:URL>
|
||
<vuln:Supercedence>5012599</vuln:Supercedence>
|
||
..
|
||
<vuln:ProductID>11931</vuln:ProductID>
|
||
...
|
||
<vuln:RestartRequired>Yes</vuln:RestartRequired>
|
||
…
|
||
</vuln:Remediation>
|
||
<vuln:Remediation Type="Known Issue">
|
||
<vuln:Description>5013942</vuln:Description>
|
||
<vuln:URL>https://support.microsoft.com/help/5013942</vuln:URL>
|
||
...
|
||
<vuln:ProductID>11931</vuln:ProductID>
|
||
</vuln:Remediation>
|
||
</vuln:Remediations>
|
||
```
|
||
|
||
For the previous extract we can determine four things:
|
||
1. The vulnerability was patched (‘Vendor Fix’) on the **KB5013942** update.
|
||
2. **KB5013942** supersedes **KB5012599** (this is useful for handling cumulative updates).
|
||
3. After applying **KB5013942** the system will need to be restarted (which can be viewed as an extra step).
|
||
4. There is also some more info about the vulnerability that might include some extra steps to follow (‘Known Issue’).
|
||
|
||
|
||
## Determine whether the proper patch was applied
|
||
|
||
Luckily for us [osquery 5.4](https://github.com/osquery/osquery/pull/7407) will include a new table
|
||
that exposes windows updates, so we won’t need to do much on the osquery data collection side of
|
||
things. Here’s what I get when selecting all from the new table on my Windows test machine (Windows 10 Version 21H2 x64):
|
||
|
||
| client_app_id | date | description | hresult | operation | result_code | server_selection | service_id | support_url | title | update_id | update_revision |
|
||
|---------------------------------------------------------------------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------|-------------|------------------|--------------------------------------|------------------------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------|-----------------|
|
||
| MoUpdateOrchestrator | 1658271402 | Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?LinkId=52661 | Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.371.442.0) | 688fe8b8-e59d-44c8-b083-7ab25a4317f4 | 200 |
|
||
| MoUpdateOrchestrator | 1658270728 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | -2145116140 | Installation | InProgress | Others | 8b24b027-1dee-babb-9a95-3517dfb9c552 | https://support.microsoft.com/help/5015807 | 2022-07 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5015807) | 3a328459-dd2c-4af7-97db-8424da0d3e72 | 1 |
|
||
| MoUpdateOrchestrator | 1658230218 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | -2147024784 | Installation | Failed | Others | 8b24b027-1dee-babb-9a95-3517dfb9c552 | https://support.microsoft.com/help/5015807 | 2022-07 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5015807) | 3a328459-dd2c-4af7-97db-8424da0d3e72 | 1 |
|
||
| Windows Defender | 1658228495 | Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?LinkId=52661 | Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.371.415.0) | a0620c31-004f-4e4f-a15c-5172a3d2f3a6 | 200 |
|
||
| MoUpdateOrchestrator | 1658226954 | After the download, this tool runs one time to check your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any infection that is found. If an infection is found, the tool will display a status report the next time that you start your computer. A new version of the tool will be offered every month. If you want to manually run the tool on your computer, you can download a copy from the Microsoft Download Center, or you can run an online version from microsoft.com. This tool is not a replacement for an antivirus product. To help protect your computer, you should use an antivirus product. | 0 | Installation | Succeeded | WindowsUpdate | | http://support.microsoft.com | Windows Malicious Software Removal Tool x64 - v5.103 (KB890830) | 675d532b-cdd5-4f87-a918-72af430c86a9 | 200 |
|
||
| MoUpdateOrchestrator | 1658226800 | After the download, this tool runs one time to check your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any infection that is found. If an infection is found, the tool will display a status report the next time that you start your computer. A new version of the tool will be offered every month. If you want to manually run the tool on your computer, you can download a copy from the Microsoft Download Center, or you can run an online version from microsoft.com. This tool is not a replacement for an antivirus product. To help protect your computer, you should use an antivirus product. | -2145124341 | Installation | Aborted | WindowsUpdate | | http://support.microsoft.com | Windows Malicious Software Removal Tool x64 - v5.103 (KB890830) | 675d532b-cdd5-4f87-a918-72af430c86a9 | 200 |
|
||
| MoUpdateOrchestrator | 1658225364 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | 0 | Installation | Succeeded | WindowsUpdate | | http://support.microsoft.com | 2022-06 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 (KB5013887) | 17b120c7-57a2-47d3-9128-3b8fa9a22c42 | 200 |
|
||
| MoUpdateOrchestrator | 1658225234 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | -2145124341 | Installation | Aborted | WindowsUpdate | | http://support.microsoft.com | 2022-06 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 (KB5013887) | 17b120c7-57a2-47d3-9128-3b8fa9a22c42 | 200 |
|
||
| MoUpdateOrchestrator | 1658225225 | A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system. | 0 | Installation | Succeeded | WindowsUpdate | | http://support.microsoft.com | 2022-04 Update for Windows 10 Version 21H2 for x64-based Systems (KB5005463) | 9151c073-854c-474e-8e4c-3b7b067824b1 | 200 |
|
||
| MoUpdateOrchestrator | 1658225201 | A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system. | -2145124341 | Installation | Aborted | WindowsUpdate | | http://support.microsoft.com | 2022-04 Update for Windows 10 Version 21H2 for x64-based Systems (KB5005463) | 9151c073-854c-474e-8e4c-3b7b067824b1 | 200 |
|
||
| MoUpdateOrchestrator | 1658224963 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | 0 | Installation | Succeeded | WindowsUpdate | | http://support.microsoft.com | 2022-02 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 (KB5010472) | 89858baf-a5ff-4c7e-b81b-037c0c17155a | 200 |
|
||
| MoUpdateOrchestrator | 1658224904 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | -2145124341 | Installation | Aborted | WindowsUpdate | | http://support.microsoft.com | 2022-02 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 (KB5010472) | 89858baf-a5ff-4c7e-b81b-037c0c17155a | 200 |
|
||
| MoUpdateOrchestrator | 1658224899 | A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system. | -2145116140 | Installation | InProgress | Others | 8b24b027-1dee-babb-9a95-3517dfb9c552 | https://support.microsoft.com/help/4023057 | 2022-04 Update for Windows 10 Version 21H2 for x64-based Systems (KB4023057) | a329b681-ce8c-431d-99f7-052e2901adcb | 1 |
|
||
| MoUpdateOrchestrator | 1658224892 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | -2145124341 | Installation | Aborted | WindowsUpdate | | http://support.microsoft.com | 2022-02 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 (KB5010472) | 89858baf-a5ff-4c7e-b81b-037c0c17155a | 200 |
|
||
| Windows Defender | 1658222131 | Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?LinkId=52661 | Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.371.400.0) | e73cc969-7675-4d5f-a635-0dd5511a266b | 200 |
|
||
| Update;ScanForUpdates | 1658190023 | 9NBLGGH3FRZM-1152921505694106457 | -2145124300 | Installation | Failed | Others | 855e8a7c-ecb4-4ca3-b045-1dfa50104289 | | 9NBLGGH3FRZM-Microsoft.VCLibs.140.00 | d82f41c1-893a-4a90-ac94-8f83da52a274 | 1 |
|
||
| MoUpdateOrchestrator | 1658189063 | Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?LinkId=52661 | Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.371.376.0) | 2b325cd4-4ff1-4ba2-aca7-8a2cb19e4633 | 200 |
|
||
| MoUpdateOrchestrator | 1658185542 | Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?LinkId=52661 | Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.371.386.0) | 821547ac-9c27-4397-93bc-d51f0aeb2059 | 200 |
|
||
| Microsoft Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24) | 1657929544 | This package will update Microsoft Defender Antivirus antimalware platformΓÇÖs components on the user machine. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?linkid=862339 | Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2205.7) | 2dd6d08b-6754-46b5-bfc8-cde6ad24152f | 200 |
|
||
| MoUpdateOrchestrator | 1657929207 | Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?LinkId=52661 | Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.371.203.0) | 8325b53b-d4a4-4459-849f-5892c92404ae | 200 |
|
||
|
||
|
||
While playing around with this, I did notice what seems to be a bug. There are two entries for **KB5015807**: one marked as Failed which is true, because the first time I tried to install this patch it failed and the other marked as InProgress which is false because the patch was installed correctly.
|
||
|
||
We can store all the props if we want, but I would say that the two most important ones are:
|
||
|
||
- date: To determine when the patch was applied.
|
||
- result_code: To determine whether the update was applied or not.
|
||
- title: To extract the update id.
|
||
|
||
The major complication here will be dealing with the fact that windows updates are cumulative.
|
||
Looking back at our previous example, given the entries in the windows_updates_history table, we
|
||
want to determine whether the system is susceptible to *CVE-2022-26925*, we know that vulnerability
|
||
was patched in **KB5013942** alas, there are no entries matching **KB5013942** in the
|
||
*windows_updates_history* table but, if we look at the security updates for the next month
|
||
https://api.msrc.microsoft.com/cvrf/v2.0/document/2022-Jun we can see that **KB5013942** was
|
||
superseded by **KB5014699** and then if we look at the security updates for the following month
|
||
https://api.msrc.microsoft.com/cvrf/v2.0/document/2022-Jul we can see that **KB5014699** was in
|
||
turn superseded by **KB5015807** which is contained in the windows_updates_history table and thus we can
|
||
say that the host is not susceptible to *CVE-2022-26925*.
|
||
|
||
Given the graph nature of the data, we might want to consider storing the parsed list of vulnerabilities as graph instead of a relational table as we typically do.
|
||
|
||
## Determine whether the steps (if any) were followed
|
||
|
||
This is the hardest part of the problem and probably the bit we might not be able to solve at the
|
||
moment. Not all vulnerability remediations include extra steps, but if they do, they are written in
|
||
natural language as a
|
||
series of steps intended to be followed by a human operator not as a series of
|
||
declarative statements about the system state (like the OVAL definitions we use for detecting
|
||
vulnerabilities in Linux).
|
||
|
||
AFAIK the only step we will be able to check is whether the system was restarted after a patch was
|
||
applied, other types of steps will require either some kind of natural language processing or having
|
||
a human in the middle translating the steps into a parsable format. |