Wednesday, May 17, 2017

Determining whether servers and desktops are protected from WannaCrypt / WannaCry Ransomware

It has been a busy week for most of my clients after the media published articles indicating that major organizations such as the NHS were infected by the WannaCry ransomware cryptoworm. Although a patch for this vulnerability was released as early as March 2017, some of my clients either had a portion of their servers unpatched or all of them since I’ve found it is not uncommon for companies to miss months of patching due to various business related reasons.  There has been a lot of information made available since last week but I’ve found that there are bits and pieces of important ones scattered on different sites so I wanted to write this post to include the information provided by Microsoft that I found useful when assisting clients to determine whether they are protected.

The Microsoft First Patch Released

The first available patch Microsoft made available for this vulnerability was released in March 2017 known as Security Update MS17-010, SMBv1 and information about this could be found at the following Security TechCenter bulletin:

Microsoft Security Bulletin MS17-010 - Critical
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Installing the patch above would protect the cryptoworm from spreading to other servers via the legacy SMBv1 protocol and an alternative workaround would be to disable SMBv1 all together which Microsoft recommends to do if the customer was running Windows Vista or later.

Versions of Windows Affected

All version of Windows are affected by the vulnerability and the following table provides the KBs required to protect the operating system:

  • If one of updates is installed on the system, the system is protected.
  • The vulnerability has been fixed in the March 2017 Security update but the March, April and May rollup also includes all previous updates including March security update)
Operating System 2017 March (Security Only) 2016 March (Monthly Quality) 2016 April (Monthly Quality) 2017 May (Monthly Quality) Independent Update
Windows XP / Windows Server 2003 / Windows 8 NA NA NA NA

KB4012598

Windows Vista / Windows Server 2008 NA NA NA NA

KB4012598

Windows 7 / Windows Server 2008 R2

KB4012212

KB4012215

KB4015549

KB4019264

NA
Windows Server 2012

KB4012214

KB4012217

KB4015551

KB4019216

NA

Windows 8.1 / Windows Server 2012 R2

KB4012213

KB4012216

KB4015550

KB4019215

NA
Windows 10 1507 / Windows 10 LTSB 2015 NA

KB4012606

KB4015221

KB4019474

NA

Windows 10 1511

NA

KB4013198

KB4015219

KB4019473

NA
Windows 10 1607 / Windows 10 LTSB 2016 / Windows Server 2016 NA

KB4015438

KB4015217

KB4019472

NA

Determining whether patch is installed

On a Windows Server 2012 or 2008 server, you can use the wmic qfe list command to determine whether the patch is installed.  The following are the commands to execute on a Windows Server 2012 R2 or Windows 8.1 operating system when determining whether the required patch is installed:

wmic qfe list | find "KB4012213"

wmic qfe list | find "KB4012216"

wmic qfe list | find "KB4015550"

wmic qfe list | find "KB4019215"

**Note that if the KB after the find is case sensitive so use capital letters.

If the patches are not installed then no output would be written as shown in the following screenshot:

image

If the patch is found then the following output will be displayed:

image

Patching the Operating System Vulnerability

As mentioned in the Versions of Windows Affected section, the operating system is protected as long as one of the patches is installed so it is always advisable to install the latest rollup package rather than any of the previous rollups or security patch only.  However, if downloading a 200MB+ rollup package for a Windows Server 2012 operating system:

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4019215

image

… is a problem for whatever reason then the alternative option is to download the security patch only which is around 37MB in size:

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012213

image

Alternative to Patching

If downloading and installing the appropriate patch is not an option then disabling SMBv1 could be an interim solution.  The following are instructions for how to disable SMBv1:

Windows Vista and later

Windows 8.1 or Windows Server 2012 R2 and later

  • For client operating systems:
  1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
  2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
  3. Restart the system.
  • For server operating systems:
  1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
  2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
  3. Restart the system.

The following are links to articles that outline the impact of disabling SMBv1:

No comments: