Detecting and remediating WannaCry

You’re probably aware of WannaCry, the ransomware infecting vulnerable Windows systems around the globe. (If you’re not, this article is a good starting place.)

As IT organizations scramble to learn what they can about WannaCry, many are finding it difficult to know if and where they’re vulnerable, let alone how to remediate vulnerable systems. This post should help you deal quickly with WannaCry.

Detecting WannaCry

Detecting whether or not you’re vulnerable to WannaCry is fairly straightforward. You simply need to know which patch level you’re at now. However, getting the patch level for every Windows system isn’t all that simple.

Luckily, you have Puppet. Puppet includes Facter, a tool for collecting metadata on hosts. We have written a Puppet module called puppetlabs/detect_wannacry that includes an external fact which detects whether a host is vulnerable to WannaCry. Puppet will distribute that external fact to every node on your infrastructure. From there, we can use Puppet Query Language to query which systems are vulnerable.

Add the following line of code to your Puppetfile in order to include the puppetlabs/detect_wannacry module in your Puppet code base.

mod 'puppetlabs-detect_wannacry'

The detect_wannacry module includes a fact called wannacry_vulnerable that will have a value of either true or false.

Use the following Puppet Enterprise Orchestrator command to push the fact to every Windows node and collect the fact values:

puppet job run --query 'inventory[certname] { facts.os.name = "windows" and nodes { deactivated is null } }' --concurrency 40

(You can learn more about Orchestrator here.)

Now collect a list of the vulnerable systems with the following PQL query:

puppet query 'inventory[certname] { facts.wannacry_vulnerable = "true" }'

Remediating with Puppet

The quickest way to remediate is simply to disable SMBv1. SMBv1 is an old SMB protocol, and it's likely it can safely be disabled. Please first verify that this is the case for your infrastructure. It’s also important to note that fully disabling the SMBv1 protocol on Windows requires a reboot.

Add the following profile to manifests/wannacry.pp in your profile module:

class profile::wannacry {
  #Tested on Windows 2012 R2

  exec { 'Disable SMBv1 Protocol':
    command   => "Set-SmbServerConfiguration -EnableSMB1Protocol $false -force",
    provider  => powershell,
    unless    => "if (Get-SmbServerConfiguration | Select EnableSMB1Protocol) { exit 0 } else { exit 1 }",
  }

  exec { 'Remove SMBv1 Feature':
    command   => "Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol",
    provider  => powershell,
    unless    => "if (Get-WindowsOptionalFeature -Online -FeatureName smb1protocol) { exit 0 } else { exit 1 }",
  }
}

Commit the code and deploy it to the Puppet Enterprise master with the puppet code command. (For more information about the 'puppet code' command, go here.)

Finally, create a node group in the Puppet Enterprise web UI called “WannaCry” and make a rule that matches any nodes with the wannacry_vulnerable fact value of true, and assign the class profile::wannacry to it.

A note on patching

The best way to remediate WannaCry is to properly patch your vulnerable systems. However, not everyone has mature patch management practices in place, and sometimes verifying and orchestrating the patch can take valuable time. As soon as you can, the following patches should be applied to fully remediate WannaCry:

Windows Server 2008

• KB4012212

Windows Server 2012

• KB4012217
• KB4015551
• KB4019216

Windows Server 2012 R2

• KB4012216
• KB4015550
• KB4019215

Windows Server 2016

• KB4013429
• KB4019472
• KB4015217
• KB4015438
• KB4016635

Last words on WannaCry

WannaCry is an example of why being prepared for a major vulnerability at any moment is critical to your ongoing IT operations. WannaCry isn’t the first global threat to come down the pike, and it certainly will not be the last. Having a reliable, easy-to-use configuration management system in place gives you a massive advantage when threats like WannaCry occur.

Carl Caum is a senior technical marketing manager at Puppet.

Learn more

• Haven't tried Puppet Enterprise yet? You can download it for free. Or try our Learning VM — it's a great way to get a hands-on experience with Puppet Enterprise and see how it works, in a controlled teaching environment.
• Learn how Puppet Enterprise helped organizations whose IT was vulnerable to Heartbleed.
• Download our white paper, Manage Change and Enforce Security in your Windows Ecosystem.