Monitor Critical Windows Updates (CVE-2018-0886)

Introduction

Microsoft announced critical security updates this week to patch remote code execution vulnerabilities in the Credential Security Support Provider protocol (CredSSP) for nearly every version of Windows.

This vulnerability allows a remote attacker to achieve remote code execution via a man-in-the-middle attack. In other words, if an attacker can get into the network path, the attacker can easily compromise multiple PCs.

CVE-2018-0886

These are some useful resources for those interested in learning more about the vulnerability itself. At a high-level, the vulnerability allows an attacker to replay credentials in order to execute commands, download malware, and perform other malicious activities.

  • https://nvd.nist.gov/vuln/detail/CVE-2018-0886
  • https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018
  • https://www.tenable.com/plugins/nessus/108300

This vulnerability's severity is rated “High” under the CVSSv3 standard.
* https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Remediation

Microsoft released updates to mitigate this vulnerability earlier this week. However, Windows updates can take time to propagate in an enterprise.

So how do we ensure that the update has been installed on our hosts?

Distributed Query

DarkBytes Collect enables ad-hoc, real-time queries to be executed across any number of hosts using the “Distributed Query” feature. This can be leveraged to provide visibility to teams responsible for patch management.

In this case, Microsoft has released the following updates to mitigate the vulnerability across various Windows versions.
* KB4088827, KB4073011, KB4089344, KB4089175, KB4089453, KB4089229, KB4087398, KB4056564, KB4088877, KB4088880, KB4088776

We’ll use this information in our query to check the patch status:

SELECT * FROM patches
WHERE hotfix_id IN
('KB4088827', 'KB4073011', 'KB4089344',
 'KB4089175', 'KB4089453', 'KB4089229',
 'KB4087398', 'KB4056564', 'KB4088877',
 'KB4088880', 'KB4088776');

Now we can add this query to DarkBytes Collect by navigating to “Collect -> Distributed Queries” and clicking “Add Query.”

Next, we will click “Run” and select the hosts that we want to query. In my case, this will be a couple of Windows hosts that we have at hand. Once executed, results will start to populate as the hosts retrieve and execute the query.

Right away we can see from the “Rows” column that one host has the patch installed and the other does not. Clicking a result will drill down into another table that contains all the detailed results from the query.
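The same check, as an added example that is not part of the original post or of DarkBytes Collect: it runs the query above per host against constructed sample rows using Python's sqlite3 as a stand-in for the osquery patches table (only the hotfix_id and installed_on columns are modelled, an assumption), and flags the hosts that return zero rows, which is what a 0 in the “Rows” column means in practice.

```python
import sqlite3

# The KBs Microsoft shipped for CVE-2018-0886, as listed above on this page.
CVE_2018_0886_KBS = (
    "KB4088827", "KB4073011", "KB4089344", "KB4089175", "KB4089453",
    "KB4089229", "KB4087398", "KB4056564", "KB4088877", "KB4088880",
    "KB4088776",
)

# The page's distributed query, with the KB list bound as parameters.
PATCH_QUERY = "SELECT hotfix_id, installed_on FROM patches WHERE hotfix_id IN ({})".format(
    ",".join("?" * len(CVE_2018_0886_KBS))
)

# Constructed sample rows standing in for the osquery `patches` table on three
# hosts (hostname -> list of (hotfix_id, installed_on)); not real inventory data.
SAMPLE_PATCHES = {
    "ws-01": [("KB4074588", "2/14/2018"), ("KB4088776", "3/14/2018")],
    "ws-02": [("KB4074588", "2/14/2018")],
    "srv-03": [("KB4089344", "3/15/2018"), ("KB4088827", "3/15/2018")],
}


def query_host(rows):
    """Load one host's patches rows into an in-memory table and run the query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patches (hotfix_id TEXT, installed_on TEXT)")
    conn.executemany("INSERT INTO patches VALUES (?, ?)", rows)
    hits = conn.execute(PATCH_QUERY, CVE_2018_0886_KBS).fetchall()
    conn.close()
    return hits


def patch_status(inventory):
    """Return {hostname: sorted list of matching KBs}; an empty list means the
    host returned zero rows and is still missing the CVE-2018-0886 update."""
    return {host: sorted(kb for kb, _ in query_host(rows)) for host, rows in inventory.items()}


def unpatched_hosts(inventory):
    """Hosts that would show 0 in the "Rows" column and need follow-up."""
    return sorted(h for h, kbs in patch_status(inventory).items() if not kbs)


if __name__ == "__main__":
    for host, kbs in patch_status(SAMPLE_PATCHES).items():
        print(f"{host}: {'patched via ' + ','.join(kbs) if kbs else 'MISSING update'}")
```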

Conclusion

Critical vulnerabilities that open organizations up to breaches are disclosed every day. Today’s security and IT teams need better visibility and agility to deal with the constantly changing attack surface.