InsightVM flags Windows devices with superseded patches

Hi all,

Our InsightVM flags Windows devices with superseded patches.

See this screenshot below:

Superseded

I am curious to find out whether any peers are running into InsightVM reporting superseded Windows patches in their vulnerability reports.

Would like to know how you resolved it.

Thank you.


You are correct in that the provided solution does suggest a patch that has been superseded, but there is a useful piece of information that I don’t see in IVM that is in Nexpose and that is the proof column of the affected Assets. This column indicates why the asset got tagged with this Vulnerability.
On an asset that has the superseded patch, can you check these reg keys? If they match this, that is why they are getting flagged.

Vulnerable OS: Microsoft Windows Server 2016 Standard Edition 1607

Based on the following 2 results:

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • CurrentBuild - contains 14393
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • UBR - contains 3686

Rapid7 InsightVM Team, Can this column be included in the report like it is in Nexpose?
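As an added example (not from the thread and not Rapid7's own tooling), the following PowerShell reads the two registry values the proof column cites and compares the UBR with the minimum UBR the superseding update is expected to set; the expected UBR and the KB number are placeholders you must replace with the values from the update's release notes.

```powershell
# Added example, not part of the original thread or of InsightVM.
# Reads CurrentBuild and UBR (the scanner's "proof" values) and reports
# whether the pair alone would still read as vulnerable, alongside whether
# the named KB shows up in the installed hotfix list.
function Get-WindowsBuildProof {
    param(
        # Minimum UBR expected after the superseding KB is installed.
        # Placeholder: take the real value from the KB's release notes.
        [Parameter(Mandatory)] [int] $ExpectedMinimumUbr,
        # Optional KB article to look for in the installed hotfix list.
        [string] $KbArticle
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $cv  = Get-ItemProperty -Path $key -Name CurrentBuild, UBR -ErrorAction Stop

    $result = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        CurrentBuild   = [int]$cv.CurrentBuild
        UBR            = [int]$cv.UBR
        FullBuild      = "$($cv.CurrentBuild).$($cv.UBR)"
        ExpectedMinUbr = $ExpectedMinimumUbr
        # The scanner reasons from this pair only, so a UBR below the expected
        # value keeps the finding open even when the KB is listed as installed.
        WouldBeFlagged = ([int]$cv.UBR -lt $ExpectedMinimumUbr)
        KbInstalled    = $null
    }

    if ($KbArticle) {
        $result.KbInstalled = [bool](Get-HotFix -Id $KbArticle -ErrorAction SilentlyContinue)
    }
    return $result
}

# Usage with placeholder values: replace the UBR and KB with the real ones.
Get-WindowsBuildProof -ExpectedMinimumUbr 3686 -KbArticle 'KB0000000' | Format-List
```

When KbInstalled is True but WouldBeFlagged is also True, the host is in the situation the thread describes: the update is present but did not move the build values the scanner checks, which is what the exception documents.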

“On an asset that has the superseded patch, can you check these reg keys? If they match this, that is why they are getting flagged.”

So how can I remediate this and not get flagged by IVM?

I would add an Exception stating that it is a False Positive (this is allowed even under PCI) but I only know where to do this in Nexpose, I don’t see the option in IVM.

I don’t know if you can modify an IOC of a vulnerability

Hi Brandon,

After troubleshooting with Rapid7 Support, the engineer explained that the new patch (KB) is not changing the OS Build Key (This is a Microsoft issue).

So he recommended creating an exception for this patch, which I did.

IVM also has an internal process to avoid flagging such patches.

Thank you, Brandon!!


We have seen similar issues when we give the IT folks a remediation report to work from. It seems to be happening more frequently in the last year or so. It’s confusing to them, and to us, since they have to go research the reg keys on multiple machines in many cases. You end up with all these exceptions that you eventually have to clean out or justify.