Automated Patching of Microsoft Wormable RDP Vulnerabilities

Patching is a huge part of managing IT infrastructure. It can consume a large part of IT operation’s time and energy. However, this is one area where automation and automated processes can really shine when it comes to keeping patches and other software up-to-date. Recently, in the past few days, Microsoft has alerted end users and fixed two wormable RDP vulnerabilities as part of a large patch Tuesday release containing fixes for the RDP vulnerabilities. This comes on the heels of many semi-recent RDP vulnerabilities that Microsoft has patched before. How can you automate the remediation of these RDP vulnerabilities disclosed by Microsoft? Let’s look at automated patching of Microsoft wormable RDP vulnerabilities and see how this can be done quickly and easily across even a large number of Windows Servers.

Affected Microsoft Operating Systems with the new RDP Vulnerability

Affected OS’es include:

• Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions

Microsoft Patches for Wormable RDP Vulnerability

The following links provide Microsoft links to relevant patches for the vulnerabilities:

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182

Automated Patching of Microsoft Wormable RDP Vulnerabilities

If you have a large number of servers, there is no question that automation is going to be your friend. There are three ways you can take advantage of automation with your patching initiatives to provide automated patching of Microsoft wormable RDP vulnerabilities and any other security vulnerabilities that may come up. There are three approaches to automated patching of microsoft wormable RDP vulnerabilities:

• Windows Server Update Services – WSUS
• Automated Windows Server patching with Ansible
• Use PSWindowsUpdate PowerShell module

Windows Server Update Services WSUS

Windows Server Update Services or WSUS has been around forever it seems as hasn’t seen a lot of changes over the past several years with the various Windows Server versions released. I have lost a bit of confidence running the WSUS server in recent times as I have definitely seen flakiness with the service and issues since Microsoft has changed it approach on patching and so forth. The landscape is certainly trickier with WSUS with newer OS’es like Windows 10. I am not saying it can’t be managed with WSUS as this is still the best Microsoft solution to approach automated patching.

Take a look at my post here on how to Install and Configure Windows Server 2016 WSUS.

Automated Windows Server Patching with Ansible

I am a big fan of automating processes with Ansible. Ansible is a great multi-purpose automation tool that allows you to interact with both Linux and Windows Servers easily and perform manual tasks and process in an automated way.

Ansible interacts with Windows via the WinRM service that communicates over WS-MAN with Windows Servers. WinRM was introduced in Windows Vista and higher. WinRM allows Ansible to use PowerShell to make changes and configuration of Windows Servers/workstations.

I have covered the topic of how to manage Windows Servers with Ansible in the post: Manage and Configure Windows Servers with Ansible Tower

In general you:

• Install Ansible
• Make sure you have Kerberos authentication configured as I covered in this post: Configure Ansible Windows Server Kerberos authentication in Ubuntu

Once you have Ansible setup and Kerberos authentication configured for authenticating to your Windows Servers, you can use the following playbook to easily pull the latest Windows Updates and install on Windows Server. It uses the win_updates Ansible module to install patches.

---

- name: Search-only, return list of found updates (if any), log to c:\ansible_wu.txt
  win_updates:
   state: searched
   log_path: c:\ansible_wu.txt
- name: install all critical and security updates
  win_updates:
   category_names:
   - CriticalUpdates
   - SecurityUpdates
   - UpdateRollups
   state: installed
  register: update_result

- name: reboot host if required
  win_reboot:
  when: update_result.reboot_required

As you see above, the win_updates module has a few parameters including category_names that includes:

• A scalar or list of categories to install updates from. To get the list of categories, run the module with state=searched. The category must be the full category string, but is case insensitive.Some possible categories are Application, Connectors, Critical Updates, Definition Updates, Developer Kits, Feature Packs, Guidance, Security Updates, Service Packs, Tools, Update Rollups and Updates.
• So with this, you can only install security updates if you want to ensure minimal changes outside of getting the latest security patches.

This allows you to roll through all the Windows Servers that you have in your inventory file and easily get the latest Windows Server patches installed in your organization.

Use PSWindowsUpdate PowerShell module

Another great tool for Automated Patching of Microsoft Wormable RDP Vulnerabilities and other security vulnerabilities is the Use PSWindowsUpdate PowerShell module.

Installing the module and running it is simple enough by running three short PowerShell one-liners.

Get-PackageProvider -name nuget -force
Install-Module PSWindowsUpdate -confirm:$false -force

A simple run of the cmdlet might look like this:

• Get-WindowsUpdate -Install -acceptall -IgnoreReboot

The module is extremely flexible and provides a number of important parameters to control the updates that are installed, the reboot behavior, etc, as seen by the parameters available below:

Get-WindowsUpdate [-AcceptAll <SwitchParameter>] [-AutoReboot <SwitchParameter>] [-AutoSelectOnly
    <SwitchParameter>] [-AutoSelectOnWebSites <SwitchParameter>] [-BrowseOnly <SwitchParameter>] [-Category
    <string[]>] [-CategoryIDs <string[]>] [-ComputerName <string[]>] [-Criteria <string>] [-Debuger <SwitchParameter>]
    [-DeploymentAction <string>] [-Download <SwitchParameter>] [-ForceDownload <SwitchParameter>] [-ForceInstall
    <SwitchParameter>] [-Hide <SwitchParameter>] [-IgnoreReboot <SwitchParameter>] [-IgnoreRebootRequired
    <SwitchParameter>] [-IgnoreUserInput <SwitchParameter>] [-Install <SwitchParameter>] [-IsAssigned
    <SwitchParameter>] [-IsHidden <SwitchParameter>] [-IsInstalled <SwitchParameter>] [-IsPresent <SwitchParameter>]
    [-KBArticleID <string[]>] [-MaxSize <long>] [-MinSize <long>] [-NotCategory <string[]>] [-NotKBArticleID
    <string[]>] [-NotSeverity <string[]>] [-NotTitle <string>] [-NotUpdateID <string[]>] [-PSWUSettings <Hashtable>]
    [-RecurseCycle <int>] [-RevisionNumber <int>] [-RootCategories <string[]>] [-ScheduleJob <DateTime>]
    [-ScheduleReboot <DateTime>] [-SendHistory <SwitchParameter>] [-SendReport <SwitchParameter>] [-ServiceID
    <string>] [-Severity <string[]>] [-ShowPreSearchCriteria <SwitchParameter>] [-Title <string>] [-UpdateID
    <string[]>] [-UpdateType <string>] [-WithHidden <SwitchParameter>] [<CommonParameters>]

Wrapping Up

IT admins must make the patching of the new wormable RDP vulnerability a priority. If you have any number of Windows Servers in your environment, Automated Patching of Microsoft Wormable RDP Vulnerabilities can save a tremendous amount of time and manual effort to get the latest security patches applied to the Windows Servers in your environment. If you are using WSUS, then make sure you are rolling out these security patches. Ansible and PSWindowsUpdate module provide great ways to also automate the process of applying the RDP vulnerability patches.