Microsoft KB superseding solution mess

Hello!

I’m trying to create a script that generates an Excel version of the top 25 report, and the superseding of Microsoft’s KB patches confuses me greatly.

For example, let’s have a look at CVE-2017-0146. (I’m using the Python rapid7vmconsole API.)

>>> vuln_api.get_vulnerability_solutions('msft-cve-2017-0146').resources
['msft-kb4012212-13c36c25-fee4-429f-933e-f93ebfbb91f5', 'msft-kb4012212-36e1591a-f6d3-44d2-aa25-540234b7eb36', 'msft-kb4012212-4ee6f09d-38d9-47ef-8ba9-dd802352b8ee', 'msft-kb4012212-652eea96-c2e8-4548-8f9a-40964e5e6a74', 'msft-kb4012212-c682d11d-fc2e-4852-9da7-c2198958bf6c', 'msft-kb4012212-fb31138f-b6a5-499c-9eb6-5b5f9fff6bfd', 'msft-kb4012213-317ca43c-7dfe-4e04-8a21-2c6c4ab4fbb9', 'msft-kb4012213-5d351df3-6efb-4b17-93e0-b0e3a5babbc3', 'msft-kb4012213-80bc2b42-a953-4096-8595-130e9a9c9fb9', 'msft-kb4012214-1949e6d5-95b0-4e90-acfb-73c9d295fbbf', 'msft-kb4012214-57dbd57f-89b2-4abb-8582-14fc17870bb8', 'msft-kb4012214-b4d71d8b-1f2d-4958-ad08-e379293d71e8', 'msft-kb4012598-22699699-94c3-4677-99e5-38cb4fb66401', 'msft-kb4012598-324162d3-2d68-4a64-93fc-948caad3b45c', 'msft-kb4012598-43db2dfd-c320-436a-94bf-5f094498fe68', 'msft-kb4012598-4d0386a5-2707-4e40-9d57-92e1f523c465', 'msft-kb4012598-5680ca8f-be92-4d13-8e4e-587aa462e838', 'msft-kb4012598-69eadaea-9a25-4cb4-8c6f-5f4603311eda', 'msft-kb4012598-6e52528b-7754-49ba-b39e-2a2a2b7c8c3a', 'msft-kb4012598-86ac3cc3-e972-41a8-ac78-45bc5a950faa', 'msft-kb4012598-9e189800-f354-4dc8-8170-7bd0ad7ca09a', 'msft-kb4012598-a679cafc-d8da-4c2a-9709-17a6e6a93f4f', 'msft-kb4012598-d4d15d30-e775-4f6f-b838-d3caca05a5e9', 'msft-kb4012598-ec4f955a-2fe7-45e6-bde1-1de91cbe874f', 'msft-kb4012598-fdb0df5f-8994-4e43-a37b-82544a1eff68', 'msft-kb4012606-384d5679-3c34-433f-8564-66fc5136a5e9', 'msft-kb4012606-6a38fe85-98ba-4ce2-b4eb-aed947d5c203', 'msft-kb4013198-477b54b9-913d-4c4e-8da8-01e0b4cf15ce', 'msft-kb4013198-6d9f75f7-d998-4188-a935-7603f4e51a4d', 'msft-kb4013429-724ee219-b949-4d44-9e02-e464c6062ae4', 'msft-kb4013429-74b1fe65-bd6b-4b76-a624-8674748898f2', 'msft-kb4013429-e29d1b22-493d-44dd-8857-7c6c7cb6d84c']

These solutions apply to different operating systems, so let’s filter out the ones for Windows Server 2016:

>>> for sol_id in vuln_api.get_vulnerability_solutions('msft-cve-2017-0146').resources:
...     sol = vuln_api.get_solution(sol_id)
...     if 'windows server 2016' in sol.applies_to.lower():
...         print(sol.id)
...
msft-kb4013429-74b1fe65-bd6b-4b76-a624-8674748898f2

Notably, KB4013429 is no longer available on https://www.catalog.update.microsoft.com/.
Now we can get the superseding solutions, of which there are more than one:

>>> for sol in vuln_api.get_superseding_solutions('msft-kb4013429-74b1fe65-bd6b-4b76-a624-8674748898f2').resources:
...     if 'windows server 2016' in sol.applies_to.lower():
...         print(sol.id)
...
msft-kb4038782-e895239d-88ad-4ac3-b68f-8abb6b489d19-cve-2017-8529
msft-kb4103723-99a0b90d-2519-4700-be0c-e6c7b5bd04ec-cve-2018-0886
msft-kb4284880-fa8b8608-4925-4c9b-871f-a3e5d0b082fa
msft-kb4601318-c9f46838-f8fd-4cf9-9d56-a7908273fb6b
msft-kb5004238-2ed6cabd-625f-4543-b546-b2423632e94a-manual
msft-kb5006669-ff623435-c638-4c25-a907-843fa16c22b3
msft-kb5006669-ff623435-c638-4c25-a907-843fa16c22b3-manual

We went from one solution to multiple superseding solutions.

And now we have a smorgasbord of no longer available and available KB articles:

  • kb4038782 is no longer available
  • kb4103723 is available but replaced with kb5006669
  • kb4284880 is available and has not been replaced
  • kb4601318 is no longer available
  • kb5004238 is available but replaced with kb5006669
  • kb5006669 is available

So, my goal is to go from this mess to one solution to msft-cve-2017-0146, and right now it seems that going by highest KB number may work. Do you have any better ideas or thoughts? Please let me know.

Of course the “best” solution can be retrieved by simply calling the Remediation API, which makes me question the use of this get_superseding_solutions API functionality (at least in this particular case).

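One way to turn the supersedence output above into a short list of candidates is to walk the supersedence relation as a graph and keep only the "terminal" KBs (ones nothing further supersedes and that are still published), rather than taking the highest KB number. The code below is an added example, not from the original post or from the rapid7vmconsole library: the live calls (get_vulnerability_solutions / get_superseding_solutions) are stood in for by a constructed in-memory table that reproduces the Windows Server 2016 relationships listed in the post, and the "no longer available" KBs are a constructed set, so it runs offline. Both the poster's highest-KB heuristic and the graph walk are implemented so the two can be compared.

```python
"""
Collapse a Microsoft KB supersedence chain into terminal KB numbers.

Added example; the SUPERSEDENCE table and WITHDRAWN set are constructed from
the relationships listed in the post, not fetched from the API.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

# Solution id shape seen in the post: msft-kb<number>-<uuid>[-cve-<id>|-manual]
_KB_RE = re.compile(r"^msft-kb(\d+)-", re.IGNORECASE)

# The Windows Server 2016 solution the post started from.
ORIGINAL = "msft-kb4013429-74b1fe65-bd6b-4b76-a624-8674748898f2"

# Constructed: solution id -> ids that directly supersede it (Windows Server 2016 only).
# Edges follow the bullet list in the post ("replaced with kb5006669", etc.).
SUPERSEDENCE: Dict[str, List[str]] = {
    ORIGINAL: [
        "msft-kb4038782-e895239d-88ad-4ac3-b68f-8abb6b489d19-cve-2017-8529",
        "msft-kb4103723-99a0b90d-2519-4700-be0c-e6c7b5bd04ec-cve-2018-0886",
        "msft-kb4284880-fa8b8608-4925-4c9b-871f-a3e5d0b082fa",
        "msft-kb4601318-c9f46838-f8fd-4cf9-9d56-a7908273fb6b",
        "msft-kb5004238-2ed6cabd-625f-4543-b546-b2423632e94a-manual",
        "msft-kb5006669-ff623435-c638-4c25-a907-843fa16c22b3",
        "msft-kb5006669-ff623435-c638-4c25-a907-843fa16c22b3-manual",
    ],
    "msft-kb4103723-99a0b90d-2519-4700-be0c-e6c7b5bd04ec-cve-2018-0886": [
        "msft-kb5006669-ff623435-c638-4c25-a907-843fa16c22b3",
    ],
    "msft-kb5004238-2ed6cabd-625f-4543-b546-b2423632e94a-manual": [
        "msft-kb5006669-ff623435-c638-4c25-a907-843fa16c22b3",
    ],
}

# Constructed: KBs the post says are no longer available in the Update Catalog.
WITHDRAWN: Set[int] = {4038782, 4601318}


def kb_number(solution_id: str) -> Optional[int]:
    """Return the KB number embedded in a solution id, or None for non-KB ids."""
    m = _KB_RE.match(solution_id)
    return int(m.group(1)) if m else None


def superseding(solution_id: str) -> List[str]:
    """Offline stand-in for the superseding-solutions lookup, already filtered
    to the platform of interest.  With the real library this would be the
    applies_to-filtered .resources of get_superseding_solutions() (assumed)."""
    return SUPERSEDENCE.get(solution_id, [])


def highest_kb(solution_ids: Iterable[str]) -> Optional[int]:
    """The poster's heuristic: the largest KB number among the candidates."""
    kbs = [kb for kb in map(kb_number, solution_ids) if kb is not None]
    return max(kbs) if kbs else None


def terminal_kbs(start: str, withdrawn: Set[int] = WITHDRAWN) -> Set[int]:
    """Walk the supersedence graph from `start` and return the KB numbers that
    nothing further supersedes and that are still published.  `seen` guards
    against revisiting ids (and against cycles in messy data); the two
    kb5006669 ids collapse to one KB number."""
    seen: Set[str] = set()
    stack = [start]
    terminals: Set[int] = set()
    while stack:
        sid = stack.pop()
        if sid in seen:
            continue
        seen.add(sid)
        successors = superseding(sid)
        if successors:
            stack.extend(successors)      # superseded: follow the chain instead
            continue
        kb = kb_number(sid)
        if kb is not None and kb not in withdrawn:
            terminals.add(kb)
    return terminals


if __name__ == "__main__":
    print("highest-KB heuristic:", highest_kb(superseding(ORIGINAL)))
    print("terminal KBs:", sorted(terminal_kbs(ORIGINAL)))
```

On the constructed data the heuristic returns 5006669, while the walk returns both 4284880 and 5006669: two KBs remain unsuperseded for the platform, which a single max() silently discards. Picking the highest terminal KB as a final tie-break is still a reasonable choice, but it is better made explicit on the terminal set than applied to the raw superseding list.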

Hi jhaltorp,

I’m not sure of your particular use case, and if you provide some additional context around what you are trying to achieve I may be able to give more tailored information. But from what you’ve mentioned above, I know Microsoft supersedence chaining can be quite complex, especially when vulnerabilities affect multiple platforms and architectures.

Microsoft releases patches in multiple ways, such as security patches, roll-ups and other bundles which may contain fixes to issues that previously required a specific patch. This means that a newer bundle may be more appropriate. The idea is to try to track the security patching rather than just upgrading to the latest. The reason for this is that some environments will have strict regulations or requirements to check new releases of software to tailor internal policy compliance etc. as new features are made available. By focusing on security patching it will recommend the solution to address the security issue without necessarily introducing the additional risk of new features included in other release branches.

This balance between security exposure to newly released features in some of the bundle releases and the security-update-only branches is quite complex, as over time the “new features” become standard, and so the old security-only branch for that old version becomes unsupported and you have to upgrade to a version with the previously “new features”, and so on.

This leads to new KBs and replaced older KBs depending on which branch and previous solutions have been applied to the operating system.

I hope this helps!
