[now with updated compliance policy template]
So, CVE-2017-0144 (https://nvd.nist.gov/vuln/detail/CVE-2017-0144), a vulnerability that was identified about two months ago (published Mar 16 2017), is now being widely exploited in the wild, most visibly impacting hospitals in the UK’s National Health Service, to the point that they’ve had to redirect incoming patients to other facilities.
This vulnerability is addressed by Microsoft Bulletin MS17-010, which is also included in the OS-specific Security Bulletin roll-ups SB17-002, SB17-003 and SB17-004. MS17-010 applies to Server 2003 and Server 2008, while SB17-002 applies to Server 2008 R2, SB17-003 applies to Server 2012 R2 and SB17-004 applies to Server 2012 (thanks to Joe Schuler).
Part of what makes the vulnerability so serious is that it doesn’t require direct action by the user: simply having the vulnerability and being on the same network as an infected host can expose your system to the ransomware.
The good news is that the required hotfix is easily identified and applied using either BMC Server Automation or SecOps Response Service. We’ve shown three routes you can use to apply this fix: Patching Job, a Compliance Job, and Vulnerability Remediation (SecOps Response).
We'll shortly post a video for the Patching approach.
For the patching approach, first update your Windows Patch Catalog if it hasn’t been updated since at least May 13. Microsoft has released updates for now-unsupported operating systems, including Windows XP and Server 2003, and those are included in this catalog update. To do this, right-click on your Windows Patch Catalog and select “Update Catalog”.
This task may take a few minutes to complete.
While that is running, you can create a Patch Smartgroup that identifies any “Windows Bulletin” where name equals “MS17-010”. You may also want to include the OS-specific security bulletins SB17-002, SB17-003, SB17-004, which include MS17-010.
And once your catalog update completes, you can run a Patch Analysis (Patching Job) to identify which servers need this patch. To do that, right-click on the new Patch Smart Group, and select “Analyze Patch(s)”:
This will create a Patching Job that focuses on this particular bulletin.
Note that we are analyzing in List mode, using the MS17-010 Patch Smartgroup we just created. Click Next.
If you want to create remediation artifacts (packages and jobs to deploy the patches), click the checkbox at top.
You may need to select appropriate places to save the Packages and Batch/Deploy Jobs if you have not used this feature before; otherwise they will default to the same values used previously. To have the remediation jobs execute either immediately or on a schedule for a later time, click on “Deploy Job Options…”,
and select either “Execute job now” or a time for “Execute selected phases”, as appropriate. Here I’ve set this up to start executing at 10PM, or “22:00”.
Click OK, and on the next screen, select the appropriate Server Smartgroup to audit, and click Next.
On the Notification page, I like to send notifications either to the client that owns these systems or to myself, so I’ve put in my own email address, selected all three conditions (Success, Failed, Aborted), chosen to append results to the email, and asked it to keep it under 1MB. Click Next.
Because I want these results right away, I click “Execute Job Now”, and click Finish:
I will shortly have patching results indicating where I have already applied MS17-010 and where I still need to apply it.
Here I see that I have 4 servers that need this patch.
Since I selected to create the remediation objects, and to schedule them, they will run tonight at 10PM.
Once they've executed, we can look at the deploy status of these patches:
In this example, two servers did successfully remediate but still need a reboot (this is another option in the Job Options: reboot after deployment). Some teams will avoid scheduling the reboot so they can deploy patches as fast as possible, then reboot when the maintenance window becomes available.
In this case, I'm going to sort by the servers that need the manual reboot, and reboot them directly from BSA by right-clicking on the green checkmarks and selecting "Reboot". (There's also an NSH Script that will reboot servers at scale, and you can always right-click, Advanced, Reboot.)
Now they'll reboot, and come back up fully patched shortly:
To audit this using Compliance, simply build a rule that looks for whether MS17-010 is installed (this policy is attached as a version-neutral export). Unfortunately, since there's no registry key to inspect for this bulletin, we can't use registry keys to check.
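As an added example (not code from this post, and not part of BSA or the attached policy), here is a stand-alone PowerShell check for the same condition that runs on the target itself: since there is no registry key, it inspects the installed hotfix list and reports the SMB server driver version. The KB numbers are the MS17-010 KBs as I recall them from Microsoft's bulletin and are an assumption to verify per OS before relying on them.

```powershell
# Added example, not from the original post or from BSA. Checks this host
# for MS17-010 via installed hotfixes, since there is no registry key.
# ASSUMPTION: KB list recalled from Microsoft's MS17-010 bulletin; verify it
# against the bulletin for each OS you run before relying on it.
$Ms17010Kbs = @{
    'KB4012598' = 'XP / Server 2003 / Vista / Server 2008'
    'KB4012212' = 'Windows 7 / Server 2008 R2 (security-only)'
    'KB4012215' = 'Windows 7 / Server 2008 R2 (monthly rollup)'
    'KB4012214' = 'Server 2012 (security-only)'
    'KB4012217' = 'Server 2012 (monthly rollup)'
    'KB4012213' = 'Server 2012 R2 (security-only)'
    'KB4012216' = 'Server 2012 R2 (monthly rollup)'
}

function Test-Ms17010 {
    # Get-HotFix reads Win32_QuickFixEngineering: one entry per installed KB.
    $installed = Get-HotFix -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs.Keys | Where-Object { $installed -contains $_ })

    # Caveat: later monthly rollups supersede the March 2017 KBs, so a host
    # patched via a newer rollup lists none of them. Report the SMB server
    # driver version as well so it can be compared with the bulletin's file
    # table for the OS in question.
    $srvPath = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $srvVersion = if (Test-Path $srvPath) {
        (Get-Item $srvPath).VersionInfo.FileVersion
    } else {
        'srv.sys not present (SMB1 server not installed)'
    }

    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        Ms17010KbSeen = ($found.Count -gt 0)
        MatchedKBs    = ($found -join ', ')
        SrvSysVersion = $srvVersion
    }
}

# Exit 0 when one of the KBs is present and 1 otherwise, so a wrapper job
# can treat the exit code as pass/fail for the compliance rule.
$result = Test-Ms17010
$result | Format-List
if ($result.Ms17010KbSeen) { exit 0 } else { exit 1 }
```

A host that received a later cumulative rollup will show no matching KB here even though it is fixed, so treat a failure as "needs the srv.sys version checked" rather than as proof the patch is missing.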
Let's see how easy this is in SecOps Response. First, let's log in to our tenant using BSA:
I imported my latest scan info, then went over to the Operator Dashboard. Filter by "CVE-2017-0144", and it shows me exactly which systems have this vulnerability detected, and that the oldest detection is 22 days old (and now in violation of SLA, since it's a critical vulnerability):
I scroll down and see all the systems that I can remediate.
I'm going to deselect one server, but continue with the rest:
Select "Execute Now":
Select some notifications, then hit Execute Now.
Isn't that easy?