CVE-2019-0708 (BlueKeep) exploitation

  • Question

  • We have an SBS 2011 server that appears to require patching for CVE-2019-0708. I used the following tool to evaluate the status of the server: https://github.com/robertdavidgraham/rdpscan

    After the tool reported the server was vulnerable, my research indicated that downloading the patch for Server 2008 R2 for x64 systems from here would do the trick: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4499175

    I was wrong. Upon reboot (required) after the installation of the patch, the server failed to boot, hanging at first startup (after POST), with only a cursor available on the screen. To fix it, I had to restore the server from backup. As a temporary solution I've changed the port to which RDP listens for connections.

    I would appreciate an expert helping me figure out what I missed here?


    Sy Computing


    • Edited by sycomputing Tuesday, November 12, 2019 3:04 PM
    Tuesday, November 12, 2019 3:04 PM

All replies

  • Hi
    1. Is McAfee installed on your server?
    2. Can you run the commands below on SBS 2011?
    sfc /scannow
    dism /online /cleanup-image /scanhealth
    dism /online /cleanup-image /restorehealth

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 13, 2019 8:04 AM
    Moderator
  • Hello Andy - thank you for your response.

    We use ESET products for our A/V solution on the domain.

    Results of sfc /scannow:

    "Beginning system scan.  This process will take some time.

    Beginning verification phase of system scan.
    Verification 100% complete.

    Windows Resource Protection did not find any integrity violations."

    Results of dism /online /cleanup-image /scanhealth:

    "dism /online /cleanup-image /scanhealth

    Deployment Image Servicing and Management tool
    Version: 6.1.7600.16385

    Image Version: 6.1.7600.16385

    Error: 87

    The scanhealth option is not recognized in this context.
    For more information, refer to the help.

    The DISM log file can be found at C:\Windows\Logs\DISM\dism.log"

    It would appear my only options in this context are:

    "Deployment Image Servicing and Management tool
    Version: 6.1.7600.16385

    Image Version: 6.1.7600.16385


    /Cleanup-Image /RevertPendingActions

      WARNING! This operation will revert pending actions from previous servicing
      operations. It should be used for recovery operations only. This command
      is not supported against an online image.

        Example:
          DISM.exe /Image:C:\test\offline /Cleanup-Image /RevertPendingActions

    /Cleanup-Image /spsuperseded [/hidesp]

      WARNING! The service pack can't be uninstalled after this operation is
      completed. This operation will remove backup files created during service
      pack installation. Use /hidesp switch to hide the service pack from Installed
      Updates.

        Example:
          DISM.exe /Image:C:\test\offline /Cleanup-Image /spsuperseded /hidesp"

    Thank you for your help!


    Sy Computing

    Wednesday, November 13, 2019 1:49 PM
  • Hi
    We can download the System Update Readiness Tool for Windows Server 2008 R2 x64 to check our update issue below before WSE2012.
    System Update Readiness Tool for Windows Server 2008 R2 x64 Edition (KB947821) [October 2014]
    https://www.microsoft.com/en-us/download/details.aspx?id=14668

    Fix Windows Update errors by using the DISM or System Update Readiness tool
    https://support.microsoft.com/en-us/help/947821/fix-windows-update-errors-by-using-the-dism-or-system-update-readiness

    Best Regards
    Andy YOU

    Thursday, November 14, 2019 2:31 AM
    Moderator
  • Thanks for your reply. I don't mind giving this a shot, but from what I've read about it I think I should wait until weekend downtime.


    Sy Computing

    Thursday, November 14, 2019 2:53 AM
  • Just to humor me Andy, would you mind double-checking my work with regard to the hotfix I tried to install for my particular issue?

    From my original post up top:

    "After the tool reported the server was vulnerable, my research indicated that downloading the patch for Server 2008 R2 for x64 systems from here would do the trick: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4499175"

    What say you? Is KB4499175 the correct hotfix to install for SBS 2011? Do you know if there are any prerequisites that must first be installed before this hotfix may be?

    Thanks for confirming!


    Sy Computing

    Thursday, November 14, 2019 3:58 AM
  • Hi
    We can check the prerequisite in the document below.
    Microsoft strongly recommends you install the latest servicing stack update (SSU) (KB4490628) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes.
    https://support.microsoft.com/en-gb/help/4499175

    Best Regards
    Andy YOU

    Friday, November 15, 2019 2:31 AM
    Moderator
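
A read-only pre-flight check for the prerequisite described in the reply above, as an added example that is not part of the thread and not Microsoft's own tooling: it reports whether the SSU (KB4490628) and the security-only update (KB4499175) are present before the patch is attempted. The function names and the pending-reboot check are assumptions added here as a precaution; the script is written for PowerShell 2.0, which ships with Server 2008 R2.

```powershell
# Added example: changes nothing, only queries WMI and the registry.
$SsuKb   = 'KB4490628'   # servicing stack update named in the thread
$PatchKb = 'KB4499175'   # security-only update for CVE-2019-0708

function Test-HotFix([string]$Id) {
    # Get-HotFix raises a non-terminating error when the KB is absent,
    # so suppress it and convert "something returned" to a boolean.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Test-PendingReboot {
    # Assumption (added precaution): if either key exists, an earlier
    # servicing operation is still waiting for a restart.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) { if (Test-Path $k) { return $true } }
    return $false
}

$os = Get-WmiObject -Class Win32_OperatingSystem   # PS 2.0 compatible

$report = New-Object PSObject -Property @{
    OSVersion      = $os.Version                   # 6.1.7601 = 2008 R2 SP1
    ServicePack    = $os.ServicePackMajorVersion
    SsuInstalled   = (Test-HotFix $SsuKb)
    PatchInstalled = (Test-HotFix $PatchKb)
    PendingReboot  = (Test-PendingReboot)
}
$report | Format-List

# Report the first blocking condition, in the order it should be resolved.
if ($report.PatchInstalled) {
    Write-Output "$PatchKb is already installed."
} elseif ($os.Version -notlike '6.1.7601*') {
    Write-Output "OS is not at the 2008 R2 SP1 level that $PatchKb targets."
} elseif ($report.PendingReboot) {
    Write-Output "A reboot is pending; restart before installing anything."
} elseif (-not $report.SsuInstalled) {
    Write-Output "Install $SsuKb first, then $PatchKb."
} else {
    Write-Output "$SsuKb is present; $PatchKb can be installed."
}
```

Run it from an elevated prompt, and take a verified backup before the install regardless of what it reports.
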
  • Ok, I see the prerequisites and the fixes 4499175 replaces, but I still don't know if that's the correct patch to install for SBS2011?

    Thanks for your help.


    Sy Computing

    Friday, November 15, 2019 2:48 AM
  • Hi
    Yes, we can check from the document below.
    "Windows Small Business Server 2011 Service Pack 1 = Windows Server 2008 R2 Service Pack 1. "
    https://blogs.technet.microsoft.com/uspartner_ts2team/2011/05/24/small-business-server-2011-with-server-2008-r2-sp1/
    The Windows Server 2008 R2 for x64-based Systems Service Pack 1 security-only patch is KB4499175.
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

    Best Regards
    Andy YOU

    Friday, November 15, 2019 6:07 AM
    Moderator
  • Thanks for confirming Andy! Well at least now I know I tried to install the correct patch.

    I'll try to implement your recommended fixes during downtime this weekend.


    Sy Computing

    Friday, November 15, 2019 1:23 PM
  • OK, I hope everything goes well.

    Best Regards
    Andy YOU

    Monday, November 18, 2019 5:25 AM
    Moderator
  • Question, Andy. To your knowledge, how do the SSUs work with regard to previous SSUs?

    For example, if I install the SSU recommended for this patch, does that mean any previous SSU is superseded?


    Sy Computing

    Monday, November 18, 2019 11:50 AM
  • Hi
    "Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system."

    Servicing stack updates
    https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates

    Best Regards
    Andy YOU

    • Marked as answer by sycomputing Tuesday, November 19, 2019 3:04 PM
    Tuesday, November 19, 2019 1:59 PM
    Moderator
  • Hi Andy:

    Thank you for that. I haven't implemented the latest SSU in order to test whether this patch will install correctly or not, however, I'm going to mark this as answered until further notice (e.g., if the SSU kills the OS upon installation).

    Thanks for your help.


    Sy Computing

    Tuesday, November 19, 2019 3:04 PM
  • I hope everything goes well. You are welcome!

    Best Regards
    Andy YOU

    Wednesday, November 20, 2019 1:25 AM
    Moderator