BlogContact SalesTry Puppet 
Search Puppet.com

Puppet is the industry standard for IT automation.

Modernize, manage and bring your hybrid infrastructure into compliance through Puppet's powerful continuous automation.

Use Cases
Puppet Enterprise LogoGet Puppet Enterprise

First 10 nodes are free!

Products
Pricing & Packaging
Integrations
Puppet Education Logo
Puppet Education

Puppet Education is your learning portal for tools and best practices to address common business challenges.

Professional services
Support
Custom consulting services

Get up and running quickly with a custom solution that addresses your unique business goals and easily allows for growth as your needs evolve.

Puppet Forge

Find thousands of component modules built by the community and guidance on using them in your own infrastructure.

EcosystemOpen Source Projects
Community
Contribute
State of DevOps Report

Since launching our first DevOps survey in 2012, we’ve learned a lot about the power of DevOps to transform organizations.

Product Documentation
Resource library
Customers
Partners
Featured Partners
Servicenow Logo
Splunk Logo
Puppet Events
About Us

Puppet takes the risk out of change. We meet you where you are today and take you where you need to go.

CompanyWorking at Puppet
Press & news
Events
It's our community that makes Puppet great. Connect with Puppet users and employees.
homeblogdetecting and remediating wannacry

Detecting and remediating WannaCry

by Carl Caum|15 May 2017

You’re probably aware of WannaCry, the ransomware infecting vulnerable Windows systems around the globe. (If you’re not, this article is a good starting place.)

As IT organizations scramble to learn what they can about WannaCry, many are finding it difficult to know if and where they’re vulnerable, let alone how to remediate vulnerable systems. This post should help you deal quickly with WannaCry.

Detecting WannaCry

Detecting whether or not you’re vulnerable to WannaCry is fairly straightforward. You simply need to know which patch level you’re at now. However, getting the patch level for every Windows system isn’t all that simple.

Luckily, you have Puppet. Puppet includes Facter, a tool for collecting metadata on hosts. We have written a Puppet module called puppetlabs/detect_wannacry that includes an external fact which detects whether a host is vulnerable to WannaCry. Puppet will distribute that external fact to every node on your infrastructure. From there, we can use Puppet Query Language to query which systems are vulnerable.

Add the following line of code to your Puppetfile in order to include the puppetlabs/detect_wannacry module in your Puppet code base.

mod 'puppetlabs-detect_wannacry'

The detect_wannacry module includes a fact called wannacry_vulnerable that will have a value of either true or false.

Use the following Puppet Enterprise Orchestrator command to push the fact to every Windows node and collect the fact values:

puppet job run --query 'inventory[certname] { facts.os.name = "windows" and nodes { deactivated is null } }' --concurrency 40

(You can learn more about Orchestrator here.)

Now collect a list of the vulnerable systems with the following PQL query:

puppet query 'inventory[certname] { facts.wannacry_vulnerable = "true" }'

Remediating with Puppet

The quickest way to remediate is simply to disable SMBv1. SMBv1 is an old SMB protocol, and it's likely it can safely be disabled. Please first verify that this is the case for your infrastructure. It’s also important to note that fully disabling the SMBv1 protocol on Windows requires a reboot.

Add the following profile to manifests/wannacry.pp in your profile module:



Commit the code and deploy it to the Puppet Enterprise master with the puppet code command. (For more information about the 'puppet code' command, go here.)


Finally, create a node group in the Puppet Enterprise web UI called “WannaCry” and make a rule that matches any nodes with the wannacry_vulnerable fact value of true, and assign the class profile::wannacry to it.


A note on patching


The best way to remediate WannaCry is to properly patch your vulnerable systems. However, not everyone has mature patch management practices in place, and sometimes verifying and orchestrating the patch can take valuable time. As soon as you can, the following patches should be applied to fully remediate WannaCry:


Windows Server 2008


    

  • KB4012212
    • 



Windows Server 2012


    

  • KB4012217
    • 

  • KB4015551
    • 

  • KB4019216
    • 



Windows Server 2012 R2


    

  • KB4012216
    • 

  • KB4015550
    • 

  • KB4019215
    • 



Windows Server 2016


    

  • KB4013429
    • 

  • KB4019472
    • 

  • KB4015217
    • 

  • KB4015438
    • 

  • KB4016635
    • 



Last words on WannaCry


WannaCry is an example of why being prepared for a major vulnerability at any moment is critical to your ongoing IT operations. WannaCry isn’t the first global threat to come down the pike, and it certainly will not be the last. Having a reliable, easy-to-use configuration management system in place gives you a massive advantage when threats like WannaCry occur.


Carl Caum is a senior technical marketing manager at Puppet.


Learn more