InsightVM flags windows devices with superceded patches

endlessknot · June 25, 2020, 12:39am

Hi all,

Our InsightVM flags windows devices with superceded patches.

See this screenshot below:

Superceded

Am curious to find out if any peers are running into InsightVM reporting Superseded Windows Patches in their Vulnerability Reports.

Would like to know how you resolved it.

Thank you.

brandon_mcclure · June 25, 2020, 2:38am

You are correct in that the provided solution does suggest a patch that has been superseded, but there is a useful piece of information that I don’t see in IVM that is in Nexpose and that is the proof column of the affected Assets. This column indicates why the asset got tagged with this Vulnerability.
On an Assets that has the superseded patch, can you check these reg keys? If they match this that is why they are getting flagged.

Vulnerable OS: Microsoft Windows Server 2016 Standard Edition 1607

Based on the following 2 results:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- CurrentBuild - contains 14393
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- UBR - contains 3686

Rapid7 InsightVM Team, Can this column be included in the report like it is in Nexpose?

endlessknot · June 25, 2020, 2:44am

“On an Assets that has the superseded patch, can you check these reg keys? If they match this that is why they are getting flagged.”

So how can I remediate this and not get flagged by IVM ?

brandon_mcclure · June 25, 2020, 3:12am

I would add an Exception stating that it is a False Positive (this is allowed even under PCI) but I only know where to do this in Nexpose, I don’t see the option in IVM.

I don’t know if you can modify an IOC of a vulnerability

endlessknot · June 29, 2020, 7:07pm

Hi Brandon,

After troubleshooting with Rapid7 Support, the engineer explained that the new patch (KB) is not changing the OS Build Key (This is a Microsoft issue).

So he recommended to create an exception for this patch which I did.

IVM also has an internal process to avoid flagging such patches.

Thank you Brandon !!

gerry_dalton · July 1, 2020, 2:17pm

We have seen similar issues when we give the IT folks a remediation report to work from. It seems to be happening more frequently in the last year or so. It’s confusing to them, and to us, since they have to go research the Regkeys on multiple machines in many cases. You end up with all these exceptions that your eventually have to clean out/justify.

Lee · November 14, 2024, 5:16pm

Raising this up again…

We are seeing vulnerabilities in InsightVM where remediation guidance does not include or show if a superseded MSFT patch is available.
This is causing IT team members handling the patching to push-back on the outdated information and the potential for duplicative work with the original patch and superseded patch.
It would be nice if Rapid7 would update the recommended remediation steps when/if a superseded patch is published.