Microsoft Patch Tuesday for May 2021 addressed 55 vulnerabilities including a zero-day critical HTTP Protocol Stack Remote Code Execution vulnerability tracked as CVE-2021-31166. This patch corrects a bug that could allow an unauthenticated attacker to remotely execute code by simply sending a specially crafted packet to an affected server. This is what makes this bug wormable, which means it could be moved from victim to victim.
Security patch deployment is one of the hardest tasks for an IT organization of any size. Even after it’s deployed, you can’t always be sure all machines have been up at the time of deployment, exposing these machines and the entire network to risk.
To quickly mitigate risk and contain exposure to the CVE-20121-31166 vulnerability, divide your machines into 3 groups and patch by criticality:
1. Patch the highest risk machines first – Machines that are unpatched and exposed to the Internet.
2. Block port 443 for machines that are unpatched but are also not using 443. This is usually quite a big group and can be patched later.
3. Patch the group of machines that are unpatched, use port 443 but are internal.
This allows organizations to focus the patching effort from tens of thousands of servers to a few hundreds or even less, while completely controlling the risk and exposure.
How to resolve in less than an hour
We’ll be using Guardicore’s three core capabilities – Insight to query endpoints and servers, Reveal interdependency mapping and Policy to mitigate with policies.
Deal with the highest risk first: Unpatched, Exposed to Internet (443)
1. Using Guardicore Insight, write a simple SQL query to track the unpatched machines that are vulnerable to KB5003173 (CVE-2121-31166):
Insight returns a list of the unpatched machines within seconds:
2. Put a label on these unpatched machines, in this example we used KB5003173:Yes
Note: You can also make the query and labeling periodic, so if new machines come up unpatched they will be automatically labeled.
3. Use Reveal to create a map and filter it by the label we’ve just created and by machines that are exposed to the internet (over port 443). The machines that pose the most risk are those that are unpatched and receive connections from the internet:
Next, deal with unpatched machines that are not using port 443
Once we validate that there are no high risk machines – namely, unpatched and exposed to the internet- we can deal with the second group of machines.
1. A good point to start would be to find all the machines that are unpatched but also do not communicate over 443. For them we can just block this port to kill the risk and patch them later. This can be achieved by filtering the map again by NOT Destination Port 443 and labeling them as NotUsing443.
2. Then add a simple Override Block rule as shown below:
Last, patch the vulnerable (unpatched) machines that use 443 but are not exposed to the Internet
Patch the machines that use 443 but are internal (not exposed to the Internet). Once all machines have been patched, you can remove the labels and the rules.
Taking this gradual approach to patching provides a simple and highly effective way to deal with a major security issue with a risk- aware approach.