Brand new 2016 servers showing vulnerabilities that are patched but still showing up in scans

    Question

  • So we just stood up a brand new 2016 server Windows 1607 (OS build 14393.2339) environment, all 5 servers use the same gold image. I've fully patched them all. But when scanned, they all show vulnerabilities to the following:

    KB4056890: Windows 10 Version 1607 and Windows Server 2016 January 2018 Security Update (Meltdown)(Spectre)
    KB4074590: Windows 10 Version 1607 and Windows Server 2016 February 2018 Security Update (Meltdown)(Spectre)
    KB4093112: Windows 10 Version 1709 and Windows Server Version 1709 April 2018 Security Update (Meltdown)(Spectre)
    KB4022715: Windows 10 Version 1607 and Windows Server 2016 June 2017 Cumulative Update
    KB4025339: Windows 10 Version 1607 and Windows Server 2016 July 2017 Cumulative Update

    I've cleared all the above on one out of 5 servers, doing the exact same changes on the other 4. But they are still showing up on the remaining 4. I've tried manually running the associated KB patches directly from the Microsoft update catalog, but when I run them it says they are not applicable.

    Is there something I'm missing?

    Monday, July 9, 2018 3:04 PM

Answer

  • Hi,

    It is abnormal to see updates KB4056890, KB4074590, KB4022715, KB4025339 in the Nessus scans, because they are superseded by KB4338814. Besides, KB4093112 is for Server 2016 1709, and is superseded by KB4338825.

    As we also discussed, these updates do not show in WSUS and cannot be applied to the client. It seems the installation process from WSUS is complete. Therefore, there is a problem in the Nessus scan detection rules. You may ask someone who is familiar with this tool.

    Hope this suggestion is helpful.

    Best regards,
    Johnson

    =====================
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by jerm20201 Monday, July 16, 2018 2:02 PM
    Monday, July 16, 2018 4:59 AM
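
The supersedence reasoning in the answer above can be checked per host before a scanner finding is treated as a missing patch. This is an added example, not part of the thread: the function name `Test-ScannerFinding` and the verdict strings are hypothetical, the supersedence pairs are the ones the answer states, and the release values come from the KB titles quoted in the question.

```powershell
# Added example, not from the thread. Supersedence pairs are the ones stated in
# the answer; release values come from the KB titles quoted in the question.
$Supersedence = @{
    'KB4056890' = @{ SupersededBy = 'KB4338814'; Release = '1607' }
    'KB4074590' = @{ SupersededBy = 'KB4338814'; Release = '1607' }
    'KB4022715' = @{ SupersededBy = 'KB4338814'; Release = '1607' }
    'KB4025339' = @{ SupersededBy = 'KB4338814'; Release = '1607' }
    'KB4093112' = @{ SupersededBy = 'KB4338825'; Release = '1709' }
}

# Hypothetical helper: classify each scanner-flagged KB for one host.
function Test-ScannerFinding {
    param(
        [string[]]$FlaggedKB,     # KB ids reported by the scanner
        [string[]]$InstalledKB,   # KB ids present on the host
        [string]$ReleaseId        # OS release of the host, e.g. 1607
    )
    foreach ($kb in $FlaggedKB) {
        $entry = $Supersedence[$kb]
        $verdict = if ($InstalledKB -contains $kb) {
            'Installed'
        } elseif (-not $entry) {
            'Unknown: no supersedence data for this KB'
        } elseif ($entry.Release -ne $ReleaseId) {
            "Not applicable: targets release $($entry.Release)"
        } elseif ($InstalledKB -contains $entry.SupersededBy) {
            "Superseded by installed $($entry.SupersededBy)"
        } else {
            'Missing: neither the KB nor its superseding update is installed'
        }
        [pscustomobject]@{ KB = $kb; Verdict = $verdict }
    }
}

# Sample input: the installed list the poster reported, on release 1607.
$sampleInstalled = 'KB3199986','KB4049065','KB4089510','KB4093137','KB4132216','KB4338814'
Test-ScannerFinding -FlaggedKB @($Supersedence.Keys) -InstalledKB $sampleInstalled -ReleaseId '1607'

# On a live host, read the same inputs from the system instead of the sample.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
'Build {0}.{1}, release {2}' -f $cv.CurrentBuild, $cv.UBR, $cv.ReleaseId
Test-ScannerFinding -FlaggedKB @($Supersedence.Keys) -InstalledKB (Get-HotFix).HotFixID -ReleaseId $cv.ReleaseId
```

When a host that the scanner still flags returns only "Superseded" or "Not applicable" verdicts, the finding comes from something other than a missing update, such as the scanner's detection rule or the registry settings from the KB articles that the poster reports cleared the findings on one server.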

All replies

  • Did you find any solution? I also have the same problem on some Server 2016 1607 machines.
    Tuesday, July 10, 2018 4:36 AM
  • Hi,

    Thanks for your information. 

    To avoid any misunderstanding, I want to know what "cleared all the above (updates)" means. Besides, could you please check the update history or the OS build of the other four servers?

    If these are all fine, please run the following commands:

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    net start wuauserv
    net start bits
    wuauclt /resetauthorization /detectnow

    This avoids the same SID for different computers due to using the same gold image.

    For more details, please refer to the link:
    https://gallery.technet.microsoft.com/scriptcenter/Reset-WSUS-Authorization-2e26d1b0

    Hope it helps.

    Best regards,
    Johnson

    Tuesday, July 10, 2018 6:31 AM
  • "To avoid any misunderstanding, I want to know what "cleared all the above (updates)" means. Besides, could you please check the update history or the OS build of the other four servers?"

    As in I applied the Reg key fixes according to the KB articles and they no longer show up in the scans on one of the servers.

    When checking the other servers for updates, they only have a handful of updates showing up. But WSUS says they don't need the above updates and as I said, manually running the updates it says they are not applicable to these 4 servers.

    I'll try that command today as well and see if that helps. But our engineer who built the gold image and all the servers says he deployed the servers specifically changing the SID. But we're checking to be sure.

    Thanks for the info! Will update after I test it.



    • Edited by jerm20201 Tuesday, July 10, 2018 2:13 PM
    Tuesday, July 10, 2018 12:48 PM
  • Hi, 

    Does the command work?

    I recommend signing in as administrator to install the updates.

    Best regards,

    Johnson 

    Wednesday, July 11, 2018 9:59 AM
  • The command didn't help. Our SIDs are all different. I'm running under admin.

    **EDIT**

    Sorry, these are showing up on Nessus (and other) scans, not in WSUS.

    I thought I had mentioned that.

    • Edited by jerm20201 Wednesday, July 11, 2018 6:39 PM
    Wednesday, July 11, 2018 1:59 PM
  • Hi,

    Check the update history from Settings > Update & Security > Windows Update > Update history.

    As we discussed, when you manually run the updates, they are not applicable to these 4 servers. They may already be installed.

    Hope it helps.

    Best regards,
    Johnson

    Thursday, July 12, 2018 5:59 AM
  • They all have the below installed. Including the one not showing any of the above vulnerabilities. I used cmd line systeminfo.exe to get the below installed updates.

    KB3199986
    KB4049065
    KB4089510
    KB4093137
    KB4132216
    KB4338814

    Friday, July 13, 2018 2:40 PM