WannaCry - Check Vulnerability with KACE SMA now!

Hi all, 

a quick note on how to check whether you are vulnerable to attack by WannaCry (link to BBC).
Of course you can check the KB or Package Numbers in your patch catalog (Single Patches) - you should do that as well. 

But to have a very quick check you can use the OVAL Scan with the CVE-Number.

And build yourself a report (break on 'CVE Number'):

SELECT MACHINE.NAME AS Computer,
       MACHINE.LAST_INVENTORY AS `Last Inventory`,
       OVAL_DEFINITION.SOURCE AS `CVE Number`
  FROM (OVAL_STATUS OVAL_STATUS
        INNER JOIN KBSYS.OVAL_DEFINITION OVAL_DEFINITION
           ON (OVAL_STATUS.OVAL_DEFINITION_ID = OVAL_DEFINITION.ID))
       INNER JOIN MACHINE MACHINE
          ON (OVAL_STATUS.MACHINE_ID = MACHINE.ID)
 WHERE (    OVAL_STATUS.RESULT = 'VULNERABLE'
        AND OVAL_DEFINITION.SOURCE IN ('CVE-2017-0143',
                                       'CVE-2017-0144',
                                       'CVE-2017-0145',
                                       'CVE-2017-0146',
                                       'CVE-2017-0147',
                                       'CVE-2017-0148'))
ORDER BY Computer ASC, `CVE Number` ASC




Hope I could help :)

Timo
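
An empty result from the report above cannot tell a patched machine apart from one that has no OVAL result stored for these CVEs, because the inner joins drop every machine without a matching OVAL_STATUS row. The following coverage report is an added example, not part of the original post; it assumes the same MySQL report dialect and uses only the tables and columns that appear in the report above.

```sql
-- Added example (not from the original post): coverage check for the report above.
-- One row per machine in inventory, including machines with no OVAL rows at all.
SELECT MACHINE.NAME AS Computer,
       MACHINE.LAST_INVENTORY AS `Last Inventory`,
       -- Number of stored OVAL results for the listed CVEs on this machine.
       -- 0 means nothing was evaluated, which is not the same as "patched".
       COUNT(S.MACHINE_ID) AS `Definitions Evaluated`,
       -- Number of those results marked VULNERABLE (the original report's filter).
       COALESCE(SUM(S.RESULT = 'VULNERABLE'), 0) AS `Vulnerable Results`
  FROM MACHINE
       LEFT JOIN (SELECT OVAL_STATUS.MACHINE_ID, OVAL_STATUS.RESULT
                    FROM OVAL_STATUS
                         INNER JOIN KBSYS.OVAL_DEFINITION OVAL_DEFINITION
                            ON (OVAL_STATUS.OVAL_DEFINITION_ID = OVAL_DEFINITION.ID)
                   WHERE OVAL_DEFINITION.SOURCE IN ('CVE-2017-0143',
                                                    'CVE-2017-0144',
                                                    'CVE-2017-0145',
                                                    'CVE-2017-0146',
                                                    'CVE-2017-0147',
                                                    'CVE-2017-0148')) S
          ON (S.MACHINE_ID = MACHINE.ID)
 GROUP BY MACHINE.ID, MACHINE.NAME, MACHINE.LAST_INVENTORY
 -- Machines with no stored results sort first, then machines with findings.
 ORDER BY `Definitions Evaluated` ASC, `Vulnerable Results` DESC, Computer ASC
```

Rows with 0 in `Definitions Evaluated` are machines to scan or investigate before reading the vulnerability report as clean; the list covers every inventoried machine, so non-Windows devices will also appear there.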

Comments

  • Thanks Timo! Note that most people have ORG1, not ORG6 so everybody with a single org SMA should change this... - chrpetri 6 years ago
    • Thanks chrpetri,
      modified the code so that it could run on everyone's org / appliance :) - Timokirch 6 years ago
  • Changed the filter from IDs to user-readable CVE numbers. Now you can change the report for upcoming vulnerabilities. ;) - Timokirch 6 years ago
  • So I created a report using SQL, added the code and ran it. None show up? I'm prob doing it wrong? - Predator04 6 years ago
    • An empty report means that you don't have any device in your SMA with one of these CVE numbers marked as VULNERABLE.

      Reasons:
      a.) you are up to date :)
      b.) you didn't run an OVAL scan - Timokirch 6 years ago
      • My OVAL catalog is up to date and I ran a scan on a system that I know doesn't have the patch installed, but I'm still not getting any results. - chucksteel 6 years ago
      • [Tue May 16 6:04:51 PDT 2017] [notice] KOVALDefsUpdater - Reading latest OVAL info from KACE...
        [Tue May 16 6:04:51 PDT 2017] [notice] curl error: Failed to connect to service.kace.com port 443: Connection refused

        [Tue May 16 6:04:51 PDT 2017] [notice] KOVALDefsUpdater - Failed to open KB_OVAL_DEFS_URL.
        [Tue May 16 6:04:51 PDT 2017] [notice] KOVALDefsUpdater - http status:
        [Tue May 16 6:04:51 PDT 2017] [notice] KOVALDefsUpdater - no http headers returned.
        [Tue May 16 6:04:51 PDT 2017] [notice] KOVALDefsUpdater - Complete.

        Any idea what's going on? - Predator04 6 years ago
      • I would suggest that both of you contact Quest support

        https://support.quest.com/contact-support - Timokirch 6 years ago
      • Once I get this fixed what do I need to do to run this? Thank you! - Predator04 6 years ago
      • OK so oval is updated but nothing is showing up? Any idea? - Predator04 6 years ago
  • I am not seeing that in my patch catalog. Even with downloading the patches "NOW".

    Also just noticed the following: Your patch subscription has expired. Please contact support for assistance. - tmac0701 6 years ago
    • If your patch subscription has expired please reach out to your local sales person for a renewal. If you are in active maintenance then please create a ticket here: https://support.quest.com/contact-support - Timokirch 6 years ago
  • Trying to run this report and also coming up with nothing. Patch catalog tells a different story. Win7 about 91% compliant, Win 10 50%. Please help. - jrbartes 6 years ago
    • Hi jrbartes,
      thanks for your feedback. Please note that there are multiple patches in the catalog solving this problem.

      If you think this is a misbehavior then you should contact support > https://support.quest.com/contact-support - Timokirch 6 years ago
  • Tried support. They pointed me to your article here. Thank you. - jrbartes 6 years ago
  • I see a difference between patch compliance and what I see in the machine (software title) field. Is there something wrong? No result on OVAL as suggested by thread starter (ORG1 was changed) - rock_star 6 years ago
This post is locked