Yesterday evening (15may2019) CVE-2019-0708 was removed from the May Security Update (QID=91529), in favor of its own QID=91534. Because of the change, we must wait for our subscription to come back into sync again; however, based on yesterday's/today's prelim numbers, we are only seeing one flavor of this issue in our subscription, despite having a limited number of Server 2008 R2, SP2 hosts.
Wondering whether others are seeing only one flavor, or both?
Per the MS document below, there should be two main patch/flavors, labeled 1 & 2 below.
In our environment we see flavor #1, but not #2.
1. KB4499164 (monthly rollup) / KB4499175 (security only) <-- Windows 7 / Server 2008 R2, SP1
2. KB4499149 (monthly rollup) / KB4499180 (security only) <-- Server 2008 R2, SP2
### TAG=CVE-2019-0708-flav1
import java.util.regex.Matcher
if (asset.getAssetType() != Asset.AssetType.HOST) return false;
if (asset.resultsForQid(91534L) =~ /(KB4499164|KB4499175)\s+/) {
    return true;
}
return false;
### TAG=CVE-2019-0708-flav2
import java.util.regex.Matcher
if (asset.getAssetType() != Asset.AssetType.HOST) return false;
if (asset.resultsForQid(91534L) =~ /(KB4499149|KB4499180)\s+/) {
    return true;
}
return false;
For completeness, adding links:
Blog post: Windows RDP Remote Code Execution Vulnerability (BlueKeep) – How to Detect and Patch
Discussion thread: CVE-2019-0708