
Eliminating false positives

Arris Huijgen edited this page Dec 7, 2020 · 5 revisions

From its inception there have been challenges with the false positives reported by WES-NG. This is caused by the frequently incomplete information Microsoft provides about the KBs, mainly about which patch supersedes which other patches. More information about this topic here.

This page describes how to investigate the output of WES-NG and greatly reduce the number of false positives by doing some manual research.

Example #1: Miguel

As an example we will use issue #17 from Miguel, whose systeminfo.txt file is available from the validation folder (10_1803_x64_enterprise_es-ar_20190307_systeminfo.txt).

When executing wes.py with this systeminfo.txt file, 'Windows 10 Version 1803 for x64-based Systems' is correctly identified and all patches are correctly extracted from the systeminfo output: KB4456655, KB4465663, KB4477029, KB4477137, KB4480979, KB4487029. According to Miguel the system is up-to-date, with all patches installed to date. However, wes.py reports the following:

[+] Done. Displaying 97 of the 97 vulnerabilities found.

97 vulnerabilities found on a fully patched system!? How is that possible... Let's check the summary wes.py provides.

[+] Missing patches: 4
    - KB4487017: patches 56 vulnerabilities
    - KB4345421: patches 39 vulnerabilities
    - KB4487038: patches 1 vulnerabilty
    - KB4485449: patches 1 vulnerabilty

Four patches are missing, two of which patch a serious number of vulnerabilities.

Using the Microsoft Update Catalog we perform some deeper investigation. Let's start with KB4487017, which patches 56 vulnerabilities. If we search the Microsoft Update Catalog, a couple of results are returned, including the following line which matches Miguel's operating system and architecture: 2019-02 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4487017). We click the result and navigate to the Package Details tab. This tab lists both the update that replaces this update and the updates that have been replaced (superseded) by this update.

If we take a closer look at the patch which has superseded KB4487017, we notice that this patch is KB4487029, and if we scroll up to the list of patches from systeminfo, it actually shows this patch! This means we caught a false positive and can safely ignore this result, eliminating 56 vulnerabilities. As of version 0.94, wes.py includes an option to manually specify patches that should be ignored. The command line is as follows: wes.py systeminfo.txt -p KB4487029.

This process can be repeated for KB4345421 (wes.py systeminfo.txt -p KB4487029 KB4345421), which accounts for another 39 false positives, leaving only 2 vulnerabilities.

Example #2: Mats

This example is taken from the case by Mats: Issue 19. The systeminfo file is available as an attachment to that issue (wesupdate_2019-03-07.zip).

$ wes.py systeminfo.txt -o out.csv
Windows Exploit Suggester 0.94 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
    - Name: Windows 10 Version 1809 for x64-based Systems
    - Generation: 10
    - Build: 17763
    - Version: 1809
    - Architecture: x64-based
    - Installed hotfixes: KB4486553, KB4470788, KB4480056, KB4487038, KB4482887
[+] Loading definitions
    - Creation date of definitions: 20190308
[+] Determining missing patches
[+] Found vulnerabilities
[+] Writing 59 results to out.csv
[+] Missing patches: 4
    - KB4487044: patches 53 vulnerabilities
    - KB4483452: patches 4 vulnerabilities
    - KB4477029: patches 1 vulnerabilty
    - KB4480979: patches 1 vulnerabilty
[+] Done. Saved 59 of the 59 vulnerabilities found.

Execution

  1. Look up all of the installed hotfixes and missing patches in the Microsoft Update Catalog and determine whether they have been superseded (and if those KBs have been superseded again).
  2. For every missing patch, determine if the latest supersedence is listed in the list of installed hotfixes. If that is the case, that patch can safely be ignored.
  3. If any of the missing patches is not superseded according to the Microsoft Update Catalog, or its supersedence is not included in the list of installed hotfixes, this KB is for some reason still missing from the system and the system is vulnerable to the vulnerabilities this KB patches.

Installed hotfixes

  • H01. KB4486553: 2019-02 Cumulative Update for .NET Framework 3.5 and 4.7.2 for Windows 10 Version 1809 for x64 (KB4486553) - not superseded
  • H02. KB4470788: 2018-11 Update for Windows 10 Version 1809 for x64-based Systems (KB4470788) - not superseded
  • H03. KB4480056: 2019-01 Cumulative Update for .NET Framework 3.5 and 4.7.2 for Windows 10 Version 1809 for x64 (KB4480056) - superseded by 2019-02 Cumulative Update for .NET Framework 3.5 and 4.7.2 for Windows 10 Version 1809 for x64 (KB4483452)
  • H04. KB4487038: 2019-02 Security Update for Adobe Flash Player for Windows 10 Version 1809 for x64-based Systems (KB4487038) - not superseded
  • H05. KB4482887: 2019-02 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4482887) - not superseded

Missing patches

  • M01. KB4487044: 2019-02 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4487044) - superseded by 2019-02 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4482887)
  • M02. KB4483452: 2019-02 Cumulative Update for .NET Framework 3.5 and 4.7.2 for Windows 10 Version 1809 for x64 - not superseded
  • M03. KB4477029: 2018-11 Security Update for Adobe Flash Player for Windows 10 Version 1809 for x64-based Systems (KB4477029) - superseded by 2019-02 Security Update for Adobe Flash Player for Windows 10 Version 1809 for x64-based Systems (KB4487038)
  • M04. KB4480979: 2019-01 Security Update for Adobe Flash Player for Windows 10 Version 1809 for x64-based Systems (KB4480979) - superseded by 2019-02 Security Update for Adobe Flash Player for Windows 10 Version 1809 for x64-based Systems (KB4487038)

Evaluation

  • M01. KB4487044 is superseded by KB4482887, which is installed on the system, so this patch can be ignored.
  • M02. KB4483452 is the supersedence of KB4480056 (see H03). KB4483452 is not installed on the system, so the system is vulnerable to the issues this KB patches.
  • M03. KB4477029 is superseded by KB4487038, which is installed on the system, so this patch can be ignored.
  • M04. KB4480979 is superseded by KB4487038, which is installed on the system, so this patch can be ignored.

Conclusion

Execute wes.py with the following command line to obtain the correct results: wes.py systeminfo_2019-03-07.txt -p KB4487044 KB4477029 KB4480979. This will (again) show that KB4483452 is not installed.