Last updated at Mon, 25 Sep 2017 13:48:09 GMT
In light of the recent WannaCry Ransomware attacks, I thought it'd be great to share ways of finding out which assets are susceptible to this attack.
1) Create a custom scan template to check for MS17-010
The easiest way to create a custom template is to make a copy of an existing template: Administration -> Templates -> Click: Manage Templates -> Copy: Full audit enhanced logging without Web Spider -> IMPORTANT: Name your copy of the Scan Template -> Click: Vulnerability Checks -> Click: By Individual Check -> Add Check -> Enter: MS17-010
(As of 5/15/17 there are 192 individual checks)
*Be sure to remove all checks from the "By Category" and "By Check Type" sections to ensure that only the individual checks are loaded for the scan(s).
2) If you want to create a Dynamic Asset Group (DAG) for assets vulnerable to this attack:
Create a new DAG with the following filters:
- 'CVE ID' 'is' CVE-2017-0143
- 'CVE ID' 'is' CVE-2017-0144
- 'CVE ID' 'is' CVE-2017-0145
- 'CVE ID' 'is' CVE-2017-0146
- 'CVE ID' 'is' CVE-2017-0147
- 'CVE ID' 'is' CVE-2017-0148
Change "Match (all) of the specified filters." to "Match (any) of the specified filters."
You should then have a result of all assets that have ANY of those CVEs specified above.
3) You can also create a SQL report to list ANY asset affected by ANY of the 6 CVEs:
-- One row per asset/vulnerability/solution whose check title names one of the six CVEs
SELECT da.ip_address AS "IP Address",
       da.host_name AS "Host Name",
       dv.title AS "Title",
       dv.description AS "Description",
       dv.severity AS "Severity"
FROM dim_vulnerability dv
JOIN dim_asset_vulnerability_solution das USING (vulnerability_id)
JOIN dim_asset da USING (asset_id)
WHERE dv.title ILIKE '%2017-0143%'
   OR dv.title ILIKE '%2017-0144%'
   OR dv.title ILIKE '%2017-0145%'
   OR dv.title ILIKE '%2017-0146%'
   OR dv.title ILIKE '%2017-0147%'
   OR dv.title ILIKE '%2017-0148%'
(Please keep in mind that it will list every instance of any of the CVEs in question.)
There are currently 32 checks for each CVE and there are 6 CVEs, for a total of 192 checks. However, an asset should not list more than one check for each CVE, which should result in at most 6 instances per asset.
You can create a SQL query that returns only the count or the unique instances, so that the report contains fewer rows.
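One way to write that condensed report, as an added example that is not part of the original post: it returns one row per asset with the number of distinct MS17-010 CVEs found and their IDs. It uses only the tables and columns from the query above and assumes the same PostgreSQL dialect that query's ILIKE already relies on; the one-row-per-solution behaviour of the join table is also an assumption.

```sql
-- Added example: one row per affected asset instead of one row per finding.
WITH ms17_010 AS (
    -- DISTINCT collapses duplicates: the join table is assumed to hold one row
    -- per asset/vulnerability/solution, so a single finding can repeat.
    SELECT DISTINCT
           da.asset_id,
           da.ip_address,
           da.host_name,
           -- Pull the CVE number out of the check title, e.g. 'CVE-2017-0144'
           'CVE-' || substring(dv.title FROM '2017-014[3-8]') AS cve_id
    FROM dim_vulnerability dv
    JOIN dim_asset_vulnerability_solution das USING (vulnerability_id)
    JOIN dim_asset da USING (asset_id)
    -- Same six CVEs as the ILIKE list, expressed as one POSIX regex match
    WHERE dv.title ~ '2017-014[3-8]'
)
SELECT ip_address AS "IP Address",
       host_name  AS "Host Name",
       COUNT(*)   AS "CVE Count",   -- at most 6 per asset
       string_agg(cve_id, ', ' ORDER BY cve_id) AS "CVEs"
FROM ms17_010
GROUP BY asset_id, ip_address, host_name
ORDER BY "CVE Count" DESC, ip_address;
```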