<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h2>Introduction</h2> </div>
</div>
<div>
<div>
<div>
<p>Microsoft Patch Tuesday for May 2021 addressed 55 vulnerabilities, including a critical zero-day HTTP Protocol Stack Remote Code Execution vulnerability tracked as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166" rel="noreferrer" target="_blank">CVE-2021-31166</a>. The patch corrects a bug that could allow an unauthenticated attacker to <strong>remotely execute code by simply sending a specially crafted packet to an affected server.</strong> This is what makes the bug wormable: an exploit could spread from one victim to the next on its own.</p><p>Security patch deployment is one of the hardest tasks for an IT organization of any size. Even after a patch is deployed, you can’t always be sure every machine was up at deployment time, which leaves those machines, and the entire network, exposed.</p><p>To quickly mitigate risk and contain exposure to CVE-2021-31166, divide your machines into three groups and patch by criticality: <br /><br />1. <b>Patch the highest risk machines first – </b>machines that are <b>unpatched and exposed to the Internet</b>. <br /><br />2. <b>Block port 443</b> for machines that are <b>unpatched but not using 443.</b> This is usually quite a large group and can be patched later. <br /><br />3. <b>Patch the machines that are unpatched and use port 443 but are internal only.</b> </p><p>This narrows the urgent patching effort from tens of thousands of servers to a few hundred or fewer, while keeping risk and exposure fully under control.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h2>How to resolve in less than an hour</h2> </div>
</div>
<div>
<div>
<div>
<p>We’ll be using Guardicore’s three core capabilities – <b>Insight</b> to query endpoints and servers, <b>Reveal</b> for interdependency mapping and <b>Policy</b> to mitigate with policies.</p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h3>Deal with the highest risk first: Unpatched, Exposed to Internet (443)</h3> </div>
</div>
<div>
<div>
<div>
<p>1. Using Guardicore Insight, write a simple SQL query to find the <b>unpatched machines</b>, i.e. those missing KB5003173 (the update for CVE-2021-31166): </p> </div>
</div>
</div>
<div>
<div>
<div>
<img alt="" height="238" src="https://www.guardicore.com/wp-content/uploads/Query-1024x304.png" width="800" /> Run a query with Guardicore Insight
</div>
</div>
</div>
<div>
<div>
<div>
<p>Insight returns a list of the unpatched machines <b>within seconds: </b></p> </div>
</div>
</div>
<div>
<div>
<div>
<img alt="" height="705" src="https://www.guardicore.com/wp-content/uploads/blog-blur-image-4June2021.png" width="785" /> List of unpatched machines
</div>
</div>
</div>
<div>
<div>
<div>
<p>2. Put a label on these unpatched machines; in this example we used <i>KB5003173:Yes</i>.</p><p><strong>Note:</strong> You can also make the query and labeling periodic, so that any machine that later comes up unpatched is labeled automatically.</p> </div>
</div>
</div>
<div>
<div>
<div>
<p>3. Use Reveal to create a map and filter it by the label we’ve just created and by machines that are exposed to the internet (over port 443). The machines that pose the most risk <b>are those that are unpatched and receive connections from the internet:</b></p> </div>
</div>
</div>
<div>
<div>
<div>
<img alt="" height="265" src="https://www.guardicore.com/wp-content/uploads/Internet-Connections.png" width="800" /> Filter by Internet Connection
</div>
</div>
</div>
<div>
<div>
<div>
<img alt="" height="305" src="https://www.guardicore.com/wp-content/uploads/Label-KB.png" width="800" /> Filter by Label
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h3>Next, deal with unpatched machines that are not using port 443</h3> </div>
</div>
<div>
<div>
<div>
<p>Once we have validated that no high risk machines (unpatched and exposed to the internet) remain, we can deal with the second group. <br /><br />1. A good place to start is to find all the machines that are unpatched but also do <em>not</em> communicate over 443. For these we can simply <b>block this port</b> to remove the risk and patch them later. This is done by filtering the map again by NOT Destination Port 443 and labeling the result as NotUsing443.<br /><br />2. Then add a simple Override Block rule as shown below: </p> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<img alt="" height="168" src="https://www.guardicore.com/wp-content/uploads/Block-Rule-Modified-1024x215.png" width="800" /> A single policy blocks machines not using Port 443 from accessing it
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h3>Last, patch the vulnerable (unpatched) machines that use 443 but are not exposed to the Internet</h3> </div>
</div>
<div>
<div>
<div>
<p>Patch the machines that use 443 but are internal (not exposed to the Internet). Once all machines have been patched, you can remove the labels and the rules.</p> </div>
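As an added example (not Guardicore’s code), the following Python encodes the three-group triage from the introduction together with the labeling, blocking and clean-up steps above; the host fields, the sample inventory and the rule representation are assumptions standing in for an Insight query result and a Reveal connection map.

```python
"""Three-group triage for CVE-2021-31166 as described in the post (added example,
not Guardicore's code). SAMPLE_HOSTS is constructed; the fields patched /
uses_443 / internet_facing are assumptions standing in for an Insight query
result (KB5003173 installed?) joined with a Reveal connection map."""
from dataclasses import dataclass

KB = "KB5003173"  # May 2021 update that fixes CVE-2021-31166

@dataclass(frozen=True)
class Host:
    name: str
    patched: bool          # KB5003173 installed
    uses_443: bool         # receives any connections on TCP/443
    internet_facing: bool  # some of those 443 connections come from the internet

# Constructed sample inventory; these are not real hosts.
SAMPLE_HOSTS = [
    Host("web-01", patched=False, uses_443=True, internet_facing=True),
    Host("web-02", patched=True, uses_443=True, internet_facing=True),
    Host("db-01", patched=False, uses_443=False, internet_facing=False),
    Host("intranet-01", patched=False, uses_443=True, internet_facing=False),
]
GROUP1, GROUP2, GROUP3 = "1_patch_now", "2_block_443_patch_later", "3_patch_internal"

def triage(hosts):
    """Assign each unpatched host to exactly one group; return (groups, labels to apply)."""
    groups = {GROUP1: [], GROUP2: [], GROUP3: []}
    labels = {}
    for h in hosts:
        if h.patched:
            continue                    # patched hosts need no label or rule
        labels[h.name] = {f"{KB}:Yes"}  # the label from step 2 of the post
        if not h.uses_443:              # no 443 traffic: block the port and patch later
            groups[GROUP2].append(h.name)
            labels[h.name].add("NotUsing443")
        elif h.internet_facing:         # unpatched and reachable from the internet: highest risk
            groups[GROUP1].append(h.name)
        else:                           # internal 443 users: patch after group 1
            groups[GROUP3].append(h.name)
    return groups, labels

def override_block_rule():
    """The single rule from the post as data: block TCP/443 to hosts labeled NotUsing443."""
    return {"type": "override", "action": "block", "source": "any",
            "destination_label": "NotUsing443", "protocol": "TCP", "port": 443}

def can_retire_controls(hosts):
    """Labels and the block rule can be removed once no unpatched host remains."""
    return all(h.patched for h in hosts)
```

Running `triage(SAMPLE_HOSTS)` puts only web-01 in the patch-now group, so the urgent work shrinks to the internet-facing unpatched hosts while db-01 is covered by the block rule until it is patched.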
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<h2>In Sum:</h2> </div>
</div>
<div>
<div>
<div>
<p>Taking this gradual, risk-aware approach to patching is a simple and highly effective way to deal with a major security issue.</p> </div>
</div>
</div>
<div>
<div>
<div>
<a href="https://www.guardicore.com/contact-us/" rel="noreferrer" target="_blank">
Talk to us for more information!
</a>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
Article Link: When a Zero Day Strikes, Be Smart about Which Machines You’re Patching First - Guardicore