Microsoft revealed that the vulnerability dubbed «ZeroLogon» is being actively exploited. The vulnerability was first disclosed with the August Patch Tuesday release. Because subsequent patches also contain the fix, updating to the September Patch Tuesday also resolves the problem. However, because many companies are still slow to patch, attackers are still able to exploit the vulnerability. Grab the audit below to check whether you still have servers that need patching.
You can find all the details about the vulnerability and the potential impact on your IT environment in our Zerologon blog post.
Zerologon Vulnerability Audit Query
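-- Zerologon patch audit (T-SQL report over the asset inventory tables).
-- Lists assets that pass the DC filter (tblComputersystem.Domainrole > 3) and
-- marks each one 'Up to date' when at least one of the hotfix IDs listed in
-- SubQuery1 was found in its scanned QuickFixEngineering data.
--
-- Caveats for whoever reads the result:
--   * 'Up to date' only means one of the listed KBs is recorded as installed.
--     Later cumulative updates that also contain the fix are not in the list,
--     so a patched machine can still be reported 'Out of date' until the list
--     is extended.
--   * The verdict is only as fresh as the last hotfix scan; see the
--     WindowsUpdateInfoLastScanned and Comment columns.
--   * Having the update installed says nothing about how Netlogon secure
--     channel enforcement is configured on the domain controller; verify that
--     separately.
Select Distinct Top 1000000
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblState.Statename As State,
  -- SubQuery1 is left-joined on AssetID, so a non-NULL AssetID means at least
  -- one of the listed hotfixes was found for this asset.
  Case
    When SubQuery1.AssetID Is Not Null Then 'Up to date'
    Else 'Out of date'
  End As [Patch status],
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblAssets.SP,
  -- Map the OS build prefix to the Windows 10-family release label.
  Case
    When tsysOS.OScode Like '10.0.10240%' Then '1507'
    When tsysOS.OScode Like '10.0.10586%' Then '1511'
    When tsysOS.OScode Like '10.0.14393%' Then '1607'
    When tsysOS.OScode Like '10.0.15063%' Then '1703'
    When tsysOS.OScode Like '10.0.16299%' Then '1709'
    When tsysOS.OScode Like '10.0.17134%' Then '1803'
    When tsysOS.OScode Like '10.0.17763%' Then '1809'
    When tsysOS.OScode Like '10.0.18362%' Then '1903'
    When tsysOS.OScode Like '10.0.18363%' Then '1909'
    When tsysOS.OScode Like '10.0.19041%' Then '2004'
  End As Version,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  -- Show the latest scanning error only when there is a non-empty error text.
  -- (The original used Or here, which made the empty-string test ineffective.)
  Case
    When tblErrors.ErrorText Is Not Null And tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  -- For assets without any listed hotfix, name the KBs that apply to their OS.
  -- NOTE(review): the three OScode patterns below have no wildcard, so Like
  -- acts as an exact match, while the Version column above matches the same
  -- builds with a trailing %. Confirm which form the OScode values need.
  Case
    When SubQuery1.AssetID Is Not Null Then ''
    Else
      Case
        When tsysOS.OSname = 'Win 2008 R2' Then 'KB4571729 or KB4571719 or KB4577051 or KB4577053'
        When tsysOS.OSname = 'Win 2012' Then 'KB4571736 or KB4571702 or KB4577038 or KB4577048'
        When tsysOS.OSname = 'Win 2012 R2' Then 'KB4571703 or KB4571723 or KB4577071 or KB4577066'
        When tsysOS.OSname = 'Win 2016' Then 'KB4571694 or KB4577015'
        When tsysOS.OSname = 'Win 2019' Then 'KB4565349 or KB4570333'
        When tsysOS.OScode Like '10.0.18362' Then 'KB4565351 or KB4574727'
        When tsysOS.OScode Like '10.0.18363' Then 'KB4565351 or KB4574727'
        When tsysOS.OScode Like '10.0.19041' Then 'KB4566782 or KB4571756'
      End
  End As [Install one of these updates],
  -- NULL when no hotfix scan time is recorded for the asset.
  Convert(nvarchar, DateDiff(day, QuickFixLastScanned.QuickFixLastScanned, GetDate()))
    + ' days ago' As WindowsUpdateInfoLastScanned,
  -- Warn when the hotfix data is older than 3 days, and also when no scan
  -- time exists at all: in both cases the patch status may be stale.
  -- The age is compared as an integer instead of via an nvarchar conversion.
  Case
    When QuickFixLastScanned.QuickFixLastScanned Is Null
      Or DateDiff(day, QuickFixLastScanned.QuickFixLastScanned, GetDate()) > 3 Then
      'Windows update information may not be up to date. We recommend rescanning this machine.'
    Else ''
  End As Comment,
  -- Row colour: green when a listed hotfix was found, red otherwise.
  Case
    When SubQuery1.AssetID Is Not Null Then '#d4f4be'
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblOperatingsystem On tblOperatingsystem.AssetID = tblAssets.AssetID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  -- Assets that have at least one of the hotfixes named on this page.
  -- (Duplicate IDs in the original list were removed; the set is unchanged.)
  Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
    From tblQuickFixEngineering
      Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID =
        tblQuickFixEngineering.QFEID
    Where tblQuickFixEngineeringUni.HotFixID In ('KB4571729', 'KB4571719',
      'KB4577051', 'KB4577053', 'KB4571736', 'KB4571702', 'KB4577038',
      'KB4577048', 'KB4571703', 'KB4571723', 'KB4577071', 'KB4577066',
      'KB4571694', 'KB4577015', 'KB4565349', 'KB4570333', 'KB4565351',
      'KB4574727', 'KB4566782', 'KB4571756')) As SubQuery1
    On tblAssets.AssetID = SubQuery1.AssetID
  Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
    And tblAssets.IPNumeric <= tsysIPLocations.EndIP
  -- Time of the last scan for the 'QUICKFIX' configuration item, per asset.
  Left Join (Select Distinct Top 1000000 TsysLastscan.AssetID As ID,
      TsysLastscan.Lasttime As QuickFixLastScanned
    From TsysWaittime
      Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
    Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned
    On tblAssets.AssetID = QuickFixLastScanned.ID
  -- Highest tblErrors.Teller per asset, used to pick one error row per asset.
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError
    On tblAssets.AssetID = ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType
  -- Inner join restricts the report to Domainrole > 3. In
  -- Win32_ComputerSystem, DomainRole 4 and 5 are the domain controller roles;
  -- presumably this column mirrors that value (confirm against the schema).
  Inner Join (Select Distinct Top 1000000 tblComputersystem.AssetID As ID
    From tblComputersystem
    Where tblComputersystem.Domainrole > 3) As DC
    On tblAssets.AssetID = DC.ID
-- The OS alternatives are parenthesised so that the State and asset-type
-- filters apply to every row. Without the parentheses And binds tighter than
-- Or, and assets matched by OSname skipped both filters.
-- State = 1 is presumably the active state; confirm against tblState.
Where (tsysOS.OSname In ('Win 2008 R2', 'Win 2012', 'Win 2012 R2', 'Win 2016', 'Win 2019')
    Or tsysOS.OScode Like '10.0.18362'
    Or tsysOS.OScode Like '10.0.18363'
    Or tsysOS.OScode Like '10.0.19041')
  And tblAssetCustom.State = 1
  And tsysAssetTypes.AssetTypename Like 'Windows%'
Order By tblAssets.Domain,
  tblAssets.AssetName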