December 12, 2019

How to Ensure that the Wannacry Patch is Properly Installed

They say WannaCrypt doesn’t infect XP machines, but the problem clearly appears on Windows 7 machines that lack the WannaCry patch. We saw the crippling cyber attack paralyze servers in British hospitals, while the UK NHS said its devices had not been updated against WannaCry.

At the time, Microsoft’s argument was “that Windows 10 users were not compromised.” We cannot verify that claim, but it is clear that Windows machines with the patch installed were not hacked.

The WannaCrypt ransomware exploits one of the flaws fixed by patch MS17-010. Computers without the WannaCry Windows fix are at increased risk from several malware strains.

In a large organization with hundreds of Windows computers, it can be laborious to confirm that the correct WannaCry patch is installed.

Security patch MS17-010 fixes a range of Windows SMBv1 vulnerabilities exploited by the WannaCrypt ransomware.

How do you make sure all Windows 7 computers are correctly patched for WannaCry? It helps to have the KB numbers, but the KB containing this update varies between versions of Windows and may be included in service packs or cumulative updates, so tracking KBs alone can be laborious.

There is, however, another way to check that the patch is in place:

MS17-010 installs a patched version of %systemroot%\system32\drivers\srv.sys.

You can check the file version and compare it with this list:

Windows XP: 5.1.2600.7208
Windows Server 2003 SP2: 5.2.3790.6021
Windows Vista, Windows Server 2008 SP2: GDR: 6.0.6002.19743, LDR: 6.0.6002.24067
Windows 7, Windows Server 2008 R2: 6.1.7601.23689
Windows 8, Windows Server 2012: 6.2.9200.22099
Windows 8.1, Windows Server 2012 R2: 6.3.9600.18604
Windows 10 TH1 v1507: 10.0.10240.17319
Windows 10 TH2 v1511: 10.0.10586.839
Windows 10 RS1 v1607, Windows Server 2016: 10.0.14393.953

If the version installed on your system is equal to or greater than the version in the list, the OS is correctly patched.

Automate it!

The srv.sys file version can be extracted with a single wmic command:

C:\>WMIC DATAFILE WHERE name="c:\windows\system32\drivers\srv.sys" get Version /format:Textvaluelist

(Screenshot: output on Windows 10)

The above command can be included in a batch script that compares the reported file version against the expected one for that OS.

Microsoft support also provides a PowerShell script that automates the entire process:

[reflection.assembly]::LoadWithPartialName("System.Version")
$os = Get-WmiObject -class Win32_OperatingSystem
$osName = $os.Caption

# MS17-010 replaces srv.sys, so its file version shows whether the fix is present
$s = "%systemroot%\system32\drivers\srv.sys"
$v = [System.Environment]::ExpandEnvironmentVariables($s)
If (Test-Path "$v")
{
    Try
    {
        $versionInfo = (Get-Item $v).VersionInfo
        $versionString = "$($versionInfo.FileMajorPart).$($versionInfo.FileMinorPart).$($versionInfo.FileBuildPart).$($versionInfo.FilePrivatePart)"
        $fileVersion = New-Object System.Version($versionString)
    }
    Catch
    {
        Write-Host "Unable to retrieve file version info, please verify vulnerability state manually." -ForegroundColor Yellow
        Return
    }
}
Else
{
    Write-Host "Srv.sys does not exist, please verify vulnerability state manually." -ForegroundColor Yellow
    Return
}

# Select the expected (patched) srv.sys version for this OS from the table above
if ($osName.Contains("Vista") -or ($osName.Contains("2008") -and -not $osName.Contains("R2")))
{
    # Vista / Server 2008 SP2 have two servicing branches: a revision number
    # starting with 1 is GDR, starting with 2 is LDR
    if ($versionString.Split('.')[3][0] -eq "1")
    {
        $currentOS = "$osName GDR"
        $expectedVersion = New-Object System.Version("6.0.6002.19743")
    }
    elseif ($versionString.Split('.')[3][0] -eq "2")
    {
        $currentOS = "$osName LDR"
        $expectedVersion = New-Object System.Version("6.0.6002.24067")
    }
    else
    {
        # Unknown branch: use an impossible version so the result reads "NOT Patched"
        $currentOS = "$osName"
        $expectedVersion = New-Object System.Version("9.9.9999.99999")
    }
}
elseif ($osName.Contains("Windows 7") -or ($osName.Contains("2008 R2")))
{
    $currentOS = "$osName LDR"
    $expectedVersion = New-Object System.Version("6.1.7601.23689")
}
elseif ($osName.Contains("Windows 8.1") -or $osName.Contains("2012 R2"))
{
    $currentOS = "$osName LDR"
    $expectedVersion = New-Object System.Version("6.3.9600.18604")
}
elseif ($osName.Contains("Windows 8") -or $osName.Contains("2012"))
{
    $currentOS = "$osName LDR"
    $expectedVersion = New-Object System.Version("6.2.9200.22099")
}
elseif ($osName.Contains("Windows 10"))
{
    # Windows 10 is keyed by build number, since each release has its own srv.sys
    if ($os.BuildNumber -eq "10240")
    {
        $currentOS = "$osName TH1"
        $expectedVersion = New-Object System.Version("10.0.10240.17319")
    }
    elseif ($os.BuildNumber -eq "10586")
    {
        $currentOS = "$osName TH2"
        $expectedVersion = New-Object System.Version("10.0.10586.839")
    }
    elseif ($os.BuildNumber -eq "14393")
    {
        $currentOS = "$($osName) RS1"
        $expectedVersion = New-Object System.Version("10.0.14393.953")
    }
    elseif ($os.BuildNumber -eq "15063")
    {
        $currentOS = "$osName RS2"
        "No need to Patch. RS2 is released as patched. "
        return
    }
    elseif ([int]$os.BuildNumber -gt 15063)
    {
        # Releases after RS2 inherit the fix, so there is nothing to compare
        $currentOS = "$osName (build $($os.BuildNumber))"
        "No need to Patch. Builds newer than RS2 are released as patched. "
        return
    }
    else
    {
        Write-Host "Unrecognized Windows 10 build, please verify vulnerability state manually." -ForegroundColor Yellow
        $currentOS = "$osName"
        $expectedVersion = New-Object System.Version("9.9.9999.99999")
    }
}
elseif ($osName.Contains("2016"))
{
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("10.0.14393.953")
}
elseif ($osName.Contains("Windows XP"))
{
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("5.1.2600.7208")
}
elseif ($osName.Contains("Server 2003"))
{
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("5.2.3790.6021")
}
else
{
    Write-Host "Unable to determine OS applicability, please verify vulnerability state manually." -ForegroundColor Yellow
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("9.9.9999.99999")
}

Write-Host "`n`nCurrent OS: $currentOS (Build Number $($os.BuildNumber))" -ForegroundColor Cyan
Write-Host "`nExpected Version of srv.sys: $($expectedVersion.ToString())" -ForegroundColor Cyan
Write-Host "`nActual Version of srv.sys: $($fileVersion.ToString())" -ForegroundColor Cyan

# System.Version compares numerically, so 10.0.14393.1000 correctly counts as newer than 10.0.14393.953
If ($($fileVersion.CompareTo($expectedVersion)) -lt 0)
{
    Write-Host "`n`n"
    Write-Host "System is NOT Patched" -ForegroundColor Red
}
Else
{
    Write-Host "`n`n"
    Write-Host "System is Patched" -ForegroundColor Green
}

Set the execution policy to ‘Unrestricted’ in order to execute the script. The execution policy only needs to allow the session that runs the script; it is not a security boundary, so there is no reason to leave it relaxed afterwards.
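The two ideas above (wrapping the wmic check in a script, and running the check across hundreds of machines) can be combined into one reusable tool. The following is an added example written for this page; it is neither the post’s own code nor Microsoft’s script. It uses the srv.sys version table from the post, treats Windows 10 builds from 15063 onward as shipped patched (as Microsoft’s script does for RS2), parses the `Version=` line of the wmic output, and collects the same facts from remote hosts over PowerShell remoting. The host names in `$Computers` are placeholders, remote hosts are assumed to have WinRM enabled, and the workstation running it is assumed to have PowerShell 3 or later (the remote script block deliberately sticks to PowerShell 2 cmdlets so older hosts can answer).

```powershell
# Added example, not from the original post or Microsoft's script.
# Host names below are placeholders; remote hosts need WinRM enabled.

# Minimum patched srv.sys versions per OS, taken from the table in the post.
$ExpectedSrvSys = @{
    'XP'        = [version]'5.1.2600.7208'
    '2003'      = [version]'5.2.3790.6021'
    'Vista-GDR' = [version]'6.0.6002.19743'
    'Vista-LDR' = [version]'6.0.6002.24067'
    '7'         = [version]'6.1.7601.23689'
    '8'         = [version]'6.2.9200.22099'
    '8.1'       = [version]'6.3.9600.18604'
    '10-10240'  = [version]'10.0.10240.17319'   # Windows 10 1507
    '10-10586'  = [version]'10.0.10586.839'     # Windows 10 1511
    '10-14393'  = [version]'10.0.14393.953'     # Windows 10 1607 / Server 2016
}

# Map an OS caption and build number to the expected version. Returns $null when the
# build shipped with the fix; throws when the OS is not in the table.
function Get-ExpectedSrvSysVersion {
    param([string]$Caption, [int]$Build, [version]$Actual)
    switch -Regex ($Caption) {
        'Windows XP'               { return $ExpectedSrvSys['XP'] }
        'Server 2003'              { return $ExpectedSrvSys['2003'] }
        'Vista|Server 2008(?! R2)' {
            # Vista / 2008 SP2 have two servicing branches; revision >= 20000 is LDR
            if ($Actual.Revision -ge 20000) { return $ExpectedSrvSys['Vista-LDR'] }
            return $ExpectedSrvSys['Vista-GDR']
        }
        'Windows 7|Server 2008 R2'    { return $ExpectedSrvSys['7'] }
        'Windows 8\.1|Server 2012 R2' { return $ExpectedSrvSys['8.1'] }
        'Windows 8|Server 2012'       { return $ExpectedSrvSys['8'] }
        'Windows 10|Server 2016'      {
            $key = "10-$Build"
            if ($ExpectedSrvSys.ContainsKey($key)) { return $ExpectedSrvSys[$key] }
            # 1703 (build 15063) and later shipped with the fix: nothing to compare
            if ($Build -ge 15063) { return $null }
        }
    }
    throw "No expected version known for '$Caption' (build $Build)"
}

# Classify one host from its caption, build and srv.sys version string.
function Test-Ms17010 {
    param([string]$ComputerName, [string]$Caption, [int]$Build, [string]$SrvSysVersion)
    $expected = $null
    if (-not $SrvSysVersion) {
        $status = 'Unknown (srv.sys not found)'
    } else {
        try {
            $actual   = [version]$SrvSysVersion        # numeric compare, not string compare
            $expected = Get-ExpectedSrvSysVersion -Caption $Caption -Build $Build -Actual $actual
            $status   = if ($null -eq $expected -or $actual -ge $expected) { 'Patched' } else { 'NOT Patched' }
        } catch {
            $status = "Unknown ($($_.Exception.Message))"
        }
    }
    [pscustomobject]@{ ComputerName = $ComputerName; OS = $Caption; Build = $Build
                       SrvSys = $SrvSysVersion; Expected = $expected; Status = $status }
}

# Parse the /format:Textvaluelist output of the WMIC command in the post
# (a "Version=10.0.14393.953" line), e.g. when collected by a batch script.
function ConvertFrom-WmicVersionOutput {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*Version=(\d+\.\d+\.\d+\.\d+)\s*$') { return $Matches[1] }
    }
    return $null
}

# Constructed sample of wmic output, checked locally
$sampleWmic = @('', 'Version=10.0.14393.953', '')
Test-Ms17010 -ComputerName 'sample-host' -Caption 'Microsoft Windows 10 Pro' -Build 14393 `
             -SrvSysVersion (ConvertFrom-WmicVersionOutput $sampleWmic)

# Fleet run: gather caption, build and srv.sys version from each host, classify here.
$Computers = @('ws-01.corp.example', 'srv-01.corp.example')   # placeholder host names
$inventory = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $srv = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $ver = $null
    if (Test-Path $srv) {
        $fi  = (Get-Item $srv).VersionInfo
        $ver = '{0}.{1}.{2}.{3}' -f $fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart
    }
    New-Object PSObject -Property @{ Caption = $os.Caption; Build = [int]$os.BuildNumber; SrvSys = $ver }
}
$report = @(foreach ($item in $inventory) {
    Test-Ms17010 -ComputerName $item.PSComputerName -Caption $item.Caption -Build $item.Build -SrvSysVersion $item.SrvSys
})
# Hosts that did not answer WinRM are unknowns, not successes: keep them in the report
$answered = @($inventory | ForEach-Object { $_.PSComputerName })
foreach ($c in $Computers) {
    if ($answered -notcontains $c) {
        $report += [pscustomobject]@{ ComputerName = $c; OS = $null; Build = $null
                                      SrvSys = $null; Expected = $null; Status = 'Unknown (no WinRM response)' }
    }
}
$report | Sort-Object Status, ComputerName | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'Patched' } | Export-Csv -NoTypeInformation -Path .\ms17-010-followup.csv
```

Comparing with `[version]` rather than as text matters: a string comparison would rank "10.0.14393.1000" below "10.0.14393.953". Anything other than "Patched" in the CSV (an older srv.sys, a missing file, an OS the table does not cover, or a host that never answered) is a machine that still needs a manual look.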
