WSUS Exports, how to do Metadata and Patch file validation?


  • Hi

    I’m trying to find out how to implement validation of exported WSUS update files and metadata before I move them to an offline WSUS server (a network without any internet connection). The OS versions in use are Windows 10 and Server 2016, and those are also the versions I am patching with WSUS.

    Case:
    The case is that I have an internet-connected WSUS server (2016) that is the WSUS “upstream” server that downloads the files. After that, the update files and metadata are exported with WSUSutil.exe. So now I have WSUS patch files and metadata. How do I validate the exported files?

    Process:

    |Export | -> | Patch file validation| -> |Import To Offline WSUS|        -> |Profit|
                | -> | Metadata validation| ->  |Import To Offline WSUS |      -> |

    Questions:
    -How can I validate that the update files are in fact really signed with a Microsoft certificate without going through them manually? Do Windows 10/Server and Office use different signing certificates? Does the validation require an internet connection?

    -How can I validate WSUS metadata export file? Does the WSUS server need to be a specific version to do this?

    I did see the Black Hat 2017 presentation WSUSpendu: How to Hang WSUS Clients (https://www.blackhat.com/us-17/briefings.html#wsuspendu-how-to-hang-wsus-clients), where they use the WSUS metadata as an attack vector in a scary way. At the very end there was some indication that Microsoft has implemented some security model in Windows 10 1703 addressing the metadata signature issue (metadataintegrity?). Is there a document available, or can this even be used for metadata validation?


    I appreciate all comments on solving this problem.
    -PurkkaPallo

    • Edited by Purkkapallo Saturday, February 17, 2018 9:57 PM
    Saturday, February 17, 2018 7:44 PM

All replies

  • Hi,

    >>How can I validate WSUS metadata export file? Does the WSUS server need to be a specific version to do this?

    AFAIK, there is no such way to do that.


    >> Does Windows 10/Server and Office use different signing certificate?

    Generally, we do not need to consider update files which were downloaded from Microsoft.

    >>Does the validation require internet connection?

    No. The root certs were added to the OS when the OS was installed.


    >>Microsoft have implemented some security model in Windows 10 1703 addressing the metadata signature issue (metadataintegrity ?). Is there a document available or can this even be used for metadata validation?

    But I didn't find an article which detailed this security model.

    If you are concerned about security during the exported file transfer, you may consider using another way to ensure integrity, such as an MD5 hash.

    Hope it is useful to you.

    Best Regards,

    Yan Li


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, February 19, 2018 9:10 AM
  • >>>>How can I validate WSUS metadata export file? Does the WSUS server need to be a specific version to do this?

    >>AFAIK, there is no such way to do that.

    Darn, I need to try to see whether there is something in the export file that can be used.

    >>Generally, we do not need to consider update files which were downloaded from Microsoft.

    From the point of view of the disconnected network, the patch file just came from “somewhere” and needs to be verified.

    >>>>Microsoft have implemented some security model in Windows 10 1703 addressing the metadata signature issue (metadataintegrity ?). Is there a document available or can this even be used for metadata validation?

    >>But I didn't find an article which detailed this security model.

    You're correct, I may have misunderstood. I watched the WSUSpendu: How to Hang WSUS Clients BlackHat presentation again (at 43:38). The fix/remodeling was a Windows 10 change. Sorry for misleading.

    >>If you are concerned about security during the exported file transfer, you may consider using another way to ensure integrity, such as an MD5 hash.

    Now I’m trying to get some validation by writing a PowerShell script using Get-AuthenticodeSignature, for the certificate validation but also validating that the signer is Microsoft in the Common Name. Because I'm really bad at scripting, it is taking me time to learn.

    The problem with this design is that if the file is signed with two signatures (SHA1 and SHA256), Get-AuthenticodeSignature only gets the first one, which is the SHA1. SHA1 is not secure (e.g. TechNet blogs, sha1-users-guide). On the other hand it is close enough, because the WSUS server and client also validate each update file's signature. I'm not sure whether they use SHA1 or SHA256 for that.

    So I'm still a little bit lost…

    P.S. The Sysinternals sigcheck would be the answer for only a few files.

    Thursday, February 22, 2018 6:30 PM
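One way to script the check described in the post above, as an added example that is not from the thread or from Microsoft: it verifies each exported file with Get-AuthenticodeSignature, pins the chain root and signer CN offline, and records a SHA256 hash for comparing the export across the air gap. The export folder path and the expected root CA name ('Microsoft Root Certificate Authority') are assumptions; adjust them to your environment.

```powershell
# Added example (not from the thread): offline Authenticode check of exported WSUS update files.
param(
    [string]$ExportPath = 'C:\WsusExport\WsusContent',                     # assumed export location
    [string]$ExpectedRootSubject = 'Microsoft Root Certificate Authority'   # assumed root CA to pin
)

function Test-UpdateFileSignature {
    param([string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $r = [ordered]@{ File = $Path; Status = $sig.Status; Signer = $null; Root = $null
                     Sha256 = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash; Ok = $false; Reason = '' }

    # 'Valid' means the signature verifies and chains to a root already trusted by this OS;
    # no internet connection is needed for that.
    if ($sig.Status -ne 'Valid') { $r.Reason = $sig.StatusMessage; return [pscustomobject]$r }

    $cert = $sig.SignerCertificate
    $r.Signer = $cert.Subject

    # Rebuild the chain without CRL/OCSP lookups (disconnected host) so the root can be pinned
    # instead of accepting any root present in the machine store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) { $r.Reason = 'chain build failed'; return [pscustomobject]$r }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $r.Root = $root.Subject

    if ($cert.Subject -notmatch 'CN=Microsoft ') { $r.Reason = 'signer CN is not Microsoft'; return [pscustomobject]$r }
    if ($root.Subject -notlike "*CN=$ExpectedRootSubject*") { $r.Reason = 'unexpected root CA'; return [pscustomobject]$r }

    # Caveat raised in the thread: only the primary (first) signature is inspected here. On a
    # dual-signed file that is typically the SHA-1 one; the nested SHA-256 signature is not checked.
    $r.Ok = $true
    [pscustomobject]$r
}

$report = Get-ChildItem -Path $ExportPath -Recurse -Include *.cab, *.exe, *.msu, *.msi |
    ForEach-Object { Test-UpdateFileSignature -Path $_.FullName }

$report | Format-Table File, Status, Ok, Reason -AutoSize
$report | Export-Csv -Path (Join-Path $ExportPath 'signature-report.csv') -NoTypeInformation

# Non-zero exit lets a transfer job refuse the export if any file fails.
if ($report | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it on the connected side and again after the files land on the offline network; the CSV lets you diff the SHA256 column to catch files altered in transit.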