fleet/proposals/Fleet-Windows-OS-vulns.md
Juan Fernandez 02944660ee
Feature 6588: Proposal for detecting Windows vulnerabilities (#6742)
Proposal for detecting Windows vulnerabilities
2022-08-05 10:14:30 -04:00


Detecting Windows OS vulnerabilities

The first step in detecting Windows vulnerabilities is understanding how they are remediated. Using the CISA list of known vulnerabilities as a sample, it was determined that all vulnerability remediations take the form of applying some software patch and then following some steps (if any). It follows that to determine whether a system is susceptible to a vulnerability, we need to check whether a specific software patch was applied and whether the provided steps were followed. So we have three problems to solve:

  1. We need a list of vulnerabilities + remediations. Each remediation is composed of a patch + some steps.
  2. For a given vulnerability we need to determine whether the proper patch was applied.
  3. For a given vulnerability we need to determine whether the steps (if any) were followed.

List of vulnerabilities

To get the list of vulnerabilities we can use the Microsoft Security Updates API. This endpoint in particular exposes all the security updates released for yyyy-mmm, formatted according to the Common Vulnerability Reporting Framework (CVRF). The CVRF document includes entries for vulnerabilities, how to patch them and what products are affected.

For example, say we have a host running Windows 10 Version 21H2 x64 and we want to determine whether that host is susceptible to CVE-2022-26925. Looking at https://api.msrc.microsoft.com/cvrf/v2.0/document/2022-May we can see that Windows 10 Version 21H2 for x64 is assigned the Product ID 11931:

...
<prod:ProductTree>
    ...
    <prod:Branch Type="Product Family" Name="Windows">
    ...
        <prod:FullProductName ProductID="11931">Windows 10 Version 21H2 for x64-based Systems</prod:FullProductName>
        ...
    </prod:Branch>
    …
</prod:ProductTree>
…

Looking at the matching vulnerability element for CVE-2022-26925 (<vuln:Vulnerability Ordinal="47">), we can see that Windows 10 Version 21H2 x64 is indeed affected by it:

<vuln:ProductStatuses>
    <vuln:Status Type="Known Affected">
    ...
        <vuln:ProductID>11931</vuln:ProductID>
    ...
    </vuln:Status>
</vuln:ProductStatuses>

And also the remediation steps:

<vuln:Remediations>
…
    <vuln:Remediation Type="Vendor Fix">
        <vuln:Description>5013942</vuln:Description>
        <vuln:URL>https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5013942</vuln:URL>
        <vuln:Supercedence>5012599</vuln:Supercedence>
        ..
        <vuln:ProductID>11931</vuln:ProductID>
        ...
        <vuln:RestartRequired>Yes</vuln:RestartRequired>
        …
    </vuln:Remediation>
    <vuln:Remediation Type="Known Issue">
        <vuln:Description>5013942</vuln:Description>
        <vuln:URL>https://support.microsoft.com/help/5013942</vuln:URL>
        ...
        <vuln:ProductID>11931</vuln:ProductID>
    </vuln:Remediation>
</vuln:Remediations>

From the previous extract we can determine four things:

  1. The vulnerability was patched (Vendor Fix) in the KB5013942 update.
  2. KB5013942 supersedes KB5012599 (this is useful for handling cumulative updates).
  3. After applying KB5013942 the system will need to be restarted (which can be viewed as an extra step).
  4. There is also some more info about the vulnerability that might include some extra steps to follow (Known Issue).
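
The extraction above, as an added example (not Fleet's code): Go's encoding/xml pulls the Vendor Fix, its supersedence and the restart flag for one CVE and ProductID. The sample document is constructed from the extracts above with placeholder namespace URIs, `VendorFixes` and `Remediation` are hypothetical names, `<vuln:CVE>` is the CVRF element carrying the CVE id, and a product is assumed to be covered when a Vendor Fix lists its ProductID (ProductStatuses is not read).

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Constructed sample shaped like the extracts above; namespace URIs are placeholders.
const sampleCVRF = `<cvrf:cvrfdoc xmlns:cvrf="urn:example:cvrf" xmlns:vuln="urn:example:vuln">
<vuln:Vulnerability Ordinal="47"><vuln:CVE>CVE-2022-26925</vuln:CVE><vuln:Remediations>
<vuln:Remediation Type="Vendor Fix"><vuln:Description>5013942</vuln:Description>
 <vuln:Supercedence>5012599</vuln:Supercedence><vuln:ProductID>11931</vuln:ProductID>
 <vuln:RestartRequired>Yes</vuln:RestartRequired></vuln:Remediation>
<vuln:Remediation Type="Known Issue"><vuln:Description>5013942</vuln:Description>
 <vuln:ProductID>11931</vuln:ProductID></vuln:Remediation>
</vuln:Remediations></vuln:Vulnerability></cvrf:cvrfdoc>`

// Remediation mirrors <vuln:Remediation>; encoding/xml matches these tags by local name.
type Remediation struct {
	Type       string   `xml:"Type,attr"`
	KB         string   `xml:"Description"`
	Supersedes string   `xml:"Supercedence"`
	Restart    string   `xml:"RestartRequired"`
	ProductIDs []string `xml:"ProductID"`
}

// VendorFixes returns the "Vendor Fix" remediations of cve that list productID.
func VendorFixes(doc, cve, productID string) ([]Remediation, error) {
	var d struct {
		Vulns []struct {
			CVE          string        `xml:"CVE"`
			Remediations []Remediation `xml:"Remediations>Remediation"`
		} `xml:"Vulnerability"`
	}
	if err := xml.Unmarshal([]byte(doc), &d); err != nil {
		return nil, err
	}
	var fixes []Remediation
	for _, v := range d.Vulns {
		for _, r := range v.Remediations {
			for _, id := range r.ProductIDs {
				if v.CVE == cve && r.Type == "Vendor Fix" && id == productID {
					fixes = append(fixes, r)
				}
			}
		}
	}
	return fixes, nil
}
func main() {
	fmt.Println(VendorFixes(sampleCVRF, "CVE-2022-26925", "11931"))
}
```

The "Known Issue" remediation carries the same KB number in its Description, so filtering on the Type attribute is what keeps it out of the fix list.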

Determine whether the proper patch was applied

Luckily for us, osquery 5.4 will include a new table that exposes Windows updates, so we won't need to do much on the osquery data collection side of things. Here's what I get when selecting all from the new table on my Windows test machine (Windows 10 Version 21H2 x64):

| client_app_id | date | description | hresult | operation | result_code | server_selection | service_id | support_url | title | update_id | update_revision |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| MoUpdateOrchestrator | 1658271402 | Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?LinkId=52661 | Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.371.442.0) | 688fe8b8-e59d-44c8-b083-7ab25a4317f4 | 200 |
| MoUpdateOrchestrator | 1658270728 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | -2145116140 | Installation | InProgress | Others | 8b24b027-1dee-babb-9a95-3517dfb9c552 | https://support.microsoft.com/help/5015807 | 2022-07 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5015807) | 3a328459-dd2c-4af7-97db-8424da0d3e72 | 1 |
| MoUpdateOrchestrator | 1658230218 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | -2147024784 | Installation | Failed | Others | 8b24b027-1dee-babb-9a95-3517dfb9c552 | https://support.microsoft.com/help/5015807 | 2022-07 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5015807) | 3a328459-dd2c-4af7-97db-8424da0d3e72 | 1 |
| Windows Defender | 1658228495 | Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?LinkId=52661 | Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.371.415.0) | a0620c31-004f-4e4f-a15c-5172a3d2f3a6 | 200 |
| MoUpdateOrchestrator | 1658226954 | After the download, this tool runs one time to check your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any infection that is found. If an infection is found, the tool will display a status report the next time that you start your computer. A new version of the tool will be offered every month. If you want to manually run the tool on your computer, you can download a copy from the Microsoft Download Center, or you can run an online version from microsoft.com. This tool is not a replacement for an antivirus product. To help protect your computer, you should use an antivirus product. | 0 | Installation | Succeeded | WindowsUpdate | | http://support.microsoft.com | Windows Malicious Software Removal Tool x64 - v5.103 (KB890830) | 675d532b-cdd5-4f87-a918-72af430c86a9 | 200 |
| MoUpdateOrchestrator | 1658226800 | After the download, this tool runs one time to check your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any infection that is found. If an infection is found, the tool will display a status report the next time that you start your computer. A new version of the tool will be offered every month. If you want to manually run the tool on your computer, you can download a copy from the Microsoft Download Center, or you can run an online version from microsoft.com. This tool is not a replacement for an antivirus product. To help protect your computer, you should use an antivirus product. | -2145124341 | Installation | Aborted | WindowsUpdate | | http://support.microsoft.com | Windows Malicious Software Removal Tool x64 - v5.103 (KB890830) | 675d532b-cdd5-4f87-a918-72af430c86a9 | 200 |
| MoUpdateOrchestrator | 1658225364 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | 0 | Installation | Succeeded | WindowsUpdate | | http://support.microsoft.com | 2022-06 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 (KB5013887) | 17b120c7-57a2-47d3-9128-3b8fa9a22c42 | 200 |
| MoUpdateOrchestrator | 1658225234 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | -2145124341 | Installation | Aborted | WindowsUpdate | | http://support.microsoft.com | 2022-06 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 (KB5013887) | 17b120c7-57a2-47d3-9128-3b8fa9a22c42 | 200 |
| MoUpdateOrchestrator | 1658225225 | A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system. | 0 | Installation | Succeeded | WindowsUpdate | | http://support.microsoft.com | 2022-04 Update for Windows 10 Version 21H2 for x64-based Systems (KB5005463) | 9151c073-854c-474e-8e4c-3b7b067824b1 | 200 |
| MoUpdateOrchestrator | 1658225201 | A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system. | -2145124341 | Installation | Aborted | WindowsUpdate | | http://support.microsoft.com | 2022-04 Update for Windows 10 Version 21H2 for x64-based Systems (KB5005463) | 9151c073-854c-474e-8e4c-3b7b067824b1 | 200 |
| MoUpdateOrchestrator | 1658224963 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | 0 | Installation | Succeeded | WindowsUpdate | | http://support.microsoft.com | 2022-02 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 (KB5010472) | 89858baf-a5ff-4c7e-b81b-037c0c17155a | 200 |
| MoUpdateOrchestrator | 1658224904 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | -2145124341 | Installation | Aborted | WindowsUpdate | | http://support.microsoft.com | 2022-02 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 (KB5010472) | 89858baf-a5ff-4c7e-b81b-037c0c17155a | 200 |
| MoUpdateOrchestrator | 1658224899 | A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system. | -2145116140 | Installation | InProgress | Others | 8b24b027-1dee-babb-9a95-3517dfb9c552 | https://support.microsoft.com/help/4023057 | 2022-04 Update for Windows 10 Version 21H2 for x64-based Systems (KB4023057) | a329b681-ce8c-431d-99f7-052e2901adcb | 1 |
| MoUpdateOrchestrator | 1658224892 | Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer. | -2145124341 | Installation | Aborted | WindowsUpdate | | http://support.microsoft.com | 2022-02 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 (KB5010472) | 89858baf-a5ff-4c7e-b81b-037c0c17155a | 200 |
| Windows Defender | 1658222131 | Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?LinkId=52661 | Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.371.400.0) | e73cc969-7675-4d5f-a635-0dd5511a266b | 200 |
| Update;ScanForUpdates | 1658190023 | 9NBLGGH3FRZM-1152921505694106457 | -2145124300 | Installation | Failed | Others | 855e8a7c-ecb4-4ca3-b045-1dfa50104289 | | 9NBLGGH3FRZM-Microsoft.VCLibs.140.00 | d82f41c1-893a-4a90-ac94-8f83da52a274 | 1 |
| MoUpdateOrchestrator | 1658189063 | Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?LinkId=52661 | Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.371.376.0) | 2b325cd4-4ff1-4ba2-aca7-8a2cb19e4633 | 200 |
| MoUpdateOrchestrator | 1658185542 | Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?LinkId=52661 | Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.371.386.0) | 821547ac-9c27-4397-93bc-d51f0aeb2059 | 200 |
| Microsoft Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24) | 1657929544 | This package will update Microsoft Defender Antivirus antimalware platform’s components on the user machine. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?linkid=862339 | Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2205.7) | 2dd6d08b-6754-46b5-bfc8-cde6ad24152f | 200 |
| MoUpdateOrchestrator | 1657929207 | Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed. | 0 | Installation | Succeeded | WindowsUpdate | | https://go.microsoft.com/fwlink/?LinkId=52661 | Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.371.203.0) | 8325b53b-d4a4-4459-849f-5892c92404ae | 200 |

While playing around with this, I did notice what seems to be a bug. There are two entries for KB5015807: one marked as Failed, which is true because the first time I tried to install this patch it failed, and the other marked as InProgress, which is false because the patch was installed correctly.

We can store all the props if we want, but I would say that the two most important ones are:

  • date: To determine when the patch was applied.
  • result_code: To determine whether the update was applied or not.
  • title: To extract the update id.

The major complication here will be dealing with the fact that Windows updates are cumulative. Looking back at our previous example, given the entries in the windows_update_history table, we want to determine whether the system is susceptible to CVE-2022-26925. We know that the vulnerability was patched in KB5013942, but there are no entries matching KB5013942 in the windows_update_history table. However, if we look at the security updates for the next month (https://api.msrc.microsoft.com/cvrf/v2.0/document/2022-Jun), we can see that KB5013942 was superseded by KB5014699. If we then look at the security updates for the following month (https://api.msrc.microsoft.com/cvrf/v2.0/document/2022-Jul), we can see that KB5014699 was in turn superseded by KB5015807, which is contained in the windows_update_history table, and thus we can say that the host is not susceptible to CVE-2022-26925.

Given the graph nature of the data, we might want to consider storing the parsed list of vulnerabilities as a graph instead of a relational table as we typically do.
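
The supersedence walk described above, as an added example that is not part of the original proposal or Fleet's code: a breadth-first search over "superseded by" edges, checked against KB ids extracted from update titles. The rows are copied from the table above and the edges from the text; `Row`, `InstalledKBs`, `IsPatched` and the choice of which result codes count as installed are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Row keeps the two update-history columns this check needs.
type Row struct{ Title, ResultCode string }

// Titles and result codes copied from the table above; other columns dropped.
var pageRows = []Row{
	{"2022-07 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5015807)", "InProgress"},
	{"2022-07 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5015807)", "Failed"},
	{"2022-04 Update for Windows 10 Version 21H2 for x64-based Systems (KB5005463)", "Succeeded"},
}

// Supersedence edges named in the text: KB5013942 -> KB5014699 -> KB5015807.
var supersededBy = map[string][]string{"KB5013942": {"KB5014699"}, "KB5014699": {"KB5015807"}}
var kbRe = regexp.MustCompile(`KB\d+`)

// InstalledKBs returns KB ids from titles of rows whose result_code is accepted.
func InstalledKBs(rows []Row, accepted ...string) map[string]bool {
	installed := map[string]bool{}
	for _, r := range rows {
		for _, a := range accepted {
			if kb := kbRe.FindString(r.Title); kb != "" && r.ResultCode == a {
				installed[kb] = true
			}
		}
	}
	return installed
}

// IsPatched reports whether fixKB, or any update that transitively replaces it, is installed.
func IsPatched(fixKB string, edges map[string][]string, installed map[string]bool) bool {
	seen := map[string]bool{} // guards against cycles in the parsed data
	for queue := []string{fixKB}; len(queue) > 0; queue = queue[1:] {
		if kb := queue[0]; installed[kb] {
			return true
		} else if !seen[kb] {
			seen[kb] = true
			queue = append(queue, edges[kb]...)
		}
	}
	return false
}

func main() {
	fmt.Println(IsPatched("KB5013942", supersededBy, InstalledKBs(pageRows, "Succeeded")))
	fmt.Println(IsPatched("KB5013942", supersededBy, InstalledKBs(pageRows, "Succeeded", "InProgress")))
}
```

With these rows, accepting only Succeeded reports the host as unpatched, because KB5015807 appears only as Failed and InProgress. The host counts as patched only when InProgress is also accepted, which is the anomaly noted above.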

Determine whether the steps (if any) were followed

This is the hardest part of the problem and probably the bit we might not be able to solve at the moment. Not all vulnerability remediations include extra steps, but when they do, the steps are written in natural language as a series of steps intended to be followed by a human operator, not as a series of declarative statements about the system state (like the OVAL definitions we use for detecting vulnerabilities in Linux).

AFAIK the only step we will be able to check is whether the system was restarted after a patch was applied; other types of steps will require either some kind of natural language processing or having a human in the middle translating the steps into a parsable format.