
  • Question

  • Hi all,

    Following the talk at SSTIC about WSUS update injection (https://www.sstic.org/2017/presentation/wsus_pendu/ - in French, but it will be presented at BHUSA17: https://www.blackhat.com/us-17/briefings.html#wsuspendu-how-to-hang-wsus-clients), I have been looking at metadata signatures.

    It seems that ClientWebService/SyncUpdates (from MS upstream servers) provides an undocumented "Verification" field in UpdateInfo, linked with the SLS mechanism (also undocumented):

    <Verification Algorithm="SHA256" LeafCertificateId="2" Signature="RJyoofuo5wXz[...]w==" Timestamp="2017-06-09T18:28:03.49Z"/>

    However this information is not present with ServerSyncWebService/GetUpdateData.

    So:

    • Is there a way to get these signatures when doing WSUS synchronization with MS servers?
    • Is there any documentation related to this Verification field and/or SLS?
    • Will WSUS send that information to its clients?
    • Is there a way to enforce the signature policy in enterprise environments?

    Thanks

    Monday, June 19, 2017 9:45 AM
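As an added example (not part of the original post), the following Python script inventories which UpdateInfo entries in a SyncUpdates-style response carry the Verification element quoted above and which do not, so a defender can see at a glance where metadata signatures are missing or malformed. The attribute names (Algorithm, LeafCertificateId, Signature, Timestamp) come from the snippet in the question; the surrounding `<Updates>`/`<UpdateInfo>`/`<ID>` layout, the dropped SOAP namespaces and all sample values are constructed for this example, and the script only checks the element's presence and base64 well-formedness, since the signature algorithm itself is undocumented.

```python
"""Inventory Verification elements in a (constructed) SyncUpdates-style response."""
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample: entry 1 signed, entry 2 unsigned, entry 3 with a malformed
# Signature value. Namespaces are omitted for brevity (assumption).
SAMPLE_RESPONSE = """<Updates>
  <UpdateInfo>
    <ID>1</ID>
    <Verification Algorithm="SHA256" LeafCertificateId="2"
                  Signature="AQIDBAUGBwgJCgsMDQ4PEA==" Timestamp="2017-06-09T18:28:03.49Z"/>
  </UpdateInfo>
  <UpdateInfo>
    <ID>2</ID>
  </UpdateInfo>
  <UpdateInfo>
    <ID>3</ID>
    <Verification Algorithm="SHA256" LeafCertificateId="2"
                  Signature="not*base64" Timestamp="2017-06-09T18:28:03.49Z"/>
  </UpdateInfo>
</Updates>"""


def inventory(xml_text):
    """Return one dict per UpdateInfo: id, status (signed/unsigned/malformed)
    and, when a Verification element exists, its attributes and signature size."""
    root = ET.fromstring(xml_text)
    rows = []
    for info in root.iter("UpdateInfo"):
        uid = info.findtext("ID")
        ver = info.find("Verification")
        if ver is None:
            rows.append({"id": uid, "status": "unsigned"})
            continue
        sig = ver.get("Signature", "")
        try:
            # validate=True rejects characters outside the base64 alphabet.
            raw = base64.b64decode(sig, validate=True)
            status = "signed"
        except (binascii.Error, ValueError):
            raw = b""
            status = "malformed"
        rows.append({
            "id": uid,
            "status": status,
            "algorithm": ver.get("Algorithm"),
            "leaf_cert": ver.get("LeafCertificateId"),
            "timestamp": ver.get("Timestamp"),
            "sig_bytes": len(raw),
        })
    return rows


def unsigned_ids(rows):
    """IDs of entries that lack a usable Verification element."""
    return [r["id"] for r in rows if r["status"] != "signed"]


if __name__ == "__main__":
    report = inventory(SAMPLE_RESPONSE)
    for row in report:
        print(row)
    print("needs attention:", unsigned_ids(report))
```

Running it over a real response captured from an upstream sync (after stripping or registering the SOAP namespaces) shows whether every update carries a signature; the same check against a ServerSyncWebService/GetUpdateData reply would, per the question, report every entry as unsigned.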

Answers

  • Hi JB-G,

    We are trying to find information related to your question. There seems to be no official article on the topic, and it seems to be certification-technology related.

    As for the WSUS aspect, are you configuring SSL for the WSUS server and running into some specific issues? Are you trying to resolve an SSL issue?

    If you want to research the topic in depth, then I would suggest you open a case with MS, so that you can get more professional information and a solution:

    https://support.microsoft.com/en-us/gp/support-options-for-business

    Thanks for your understanding about the limited help we could provide here.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Wednesday, June 21, 2017 9:13 AM