CVE-2017-8529 - Additional action required for June 2017 rollup (reg entry)

I can’t find any content related to this in BigFix, but Nessus is flagging some of my patched systems as still being vulnerable to CVE-2017-8529 which is addressed in the June 2017 Rollup Packages; but the fix requires an additional registry entry that does not seem to be addressed in the BigFix content.

Ref https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529

FAQ

After I install the updates for CVE-2017-8529, is there anything else I need to do to be protected from this vulnerability?
Yes. With the rerelease of CVE-2017-8529 Microsoft has addressed previously known print issues related to this vulnerability; however, to prevent the potential for any further print regressions, the solution for CVE-2017-8529 is turned off by default. To be fully protected from this vulnerability, you need to do the following after installing the update:

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Note: If you have previously configured the FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX subkey, double-click the iexplore.exe DWORD and then follow Step 7 to change the value.

For 32-bit and 64-bit systems:

1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry folder: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl
3. Right-click FeatureControl, point to New, and then click Key.
4. Type FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX, and then press Enter to name the new subkey.
5. Right-click FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX, point to New, and then click DWORD Value.
6. Type “iexplore.exe” for the new DWORD value.
7. Double-click the new DWORD value named iexplore.exe and change the Value data field to 1.
8. Click OK to close.

For 64-bit systems only:

1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry folder: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl
3. Right-click FeatureControl, point to New, and then click Key.
4. Type FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX, and then press Enter to name the new subkey.
5. Right-click FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX, point to New, and then click DWORD Value.
6. Type “iexplore.exe” for the new DWORD value.
7. Double-click the new DWORD value named iexplore.exe and change the Value data field to 1.
8. Click OK to close.

If you need to disable the solution for CVE-2017-8529, do the following:

For 32-bit and 64-bit systems:

1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry folder: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX
3. Double-click the value named iexplore.exe and change the Value data field to 0.
4. Click OK to close.

For 64-bit systems only:

1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry folder: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX
3. Double-click the value named iexplore.exe and change the Value data field to 0.
4. Click OK to close.
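
The registry steps from the quoted advisory, scripted as an added example (not part of the original thread, and not BigFix or Microsoft content): it reports the value in both registry views and sets it to 1 only when run with the hypothetical -Enable switch. The key and value names are taken from the advisory text above; the switch name and the output columns are assumptions.

```powershell
# Added example: audit (and optionally set) the CVE-2017-8529 feature control
# value in both registry views. Key and value names come from the advisory text.
param([switch]$Enable)   # hypothetical switch: without it the script only reports

$subKey    = 'SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX'
$valueName = 'iexplore.exe'

# Opening each view explicitly avoids WOW64 redirection when this runs from a
# 32-bit host process. Registry32 on 64-bit Windows is what regedit shows under
# WOW6432Node; on 32-bit Windows only the 32-bit view applies.
$views = @([Microsoft.Win32.RegistryView]::Registry32)
if ([Environment]::Is64BitOperatingSystem) {
    $views = @([Microsoft.Win32.RegistryView]::Registry64) + $views
}

$results = foreach ($view in $views) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        if ($Enable) {
            # CreateSubKey opens the key if present and creates it otherwise
            # (requires an elevated session).
            $key = $base.CreateSubKey($subKey)
            $key.SetValue($valueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
            $key.Dispose()
        }
        $key   = $base.OpenSubKey($subKey)   # read-only; $null if the key is missing
        $value = if ($key) { $key.GetValue($valueName, $null) } else { $null }
        if ($key) { $key.Dispose() }
        [pscustomobject]@{
            View    = $view
            Value   = $value
            Enabled = ($value -eq 1)
        }
    } finally {
        $base.Dispose()
    }
}

$results | Format-Table -AutoSize
# Non-zero exit when any applicable view lacks the value, for use in a compliance job.
if ($results.Enabled -contains $false) { exit 1 }
```

A missing key and a value of 0 both report Enabled = False, which matches the advisory's statement that the fix is off by default.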

I see now that there are “Enable” and “Disable” solutions for this in Fixlets 170852903 and 170852901, but because these do not have a Severity flagged I wasn’t picking them up in my patch baselines.

Everyone, you may want to check your systems for this…

@JasonWalker,

I have a few hundred systems that Nessus Agent reports as vulnerable for CVE-2017-8529, but BigFix does not see the fixlet as relevant. I think the sticking point is in the relevance for the June updates: it looks for one of 4036586, 4038777, 4038781, 4038782, 4038783, 4038788, 4038792, 4038799, and the missing registry key.

If I’m reading this right, BigFix’s relevance doesn’t trigger if you don’t have a June update, but do have one of the subsequent updates, and still lack the registry entry.

I forked the relevance to add the KB packages specified as superseding those supplied:

number of (elements of ((set of (if (exists key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry) then elements whose ((it contains "4036586" OR it contains "4038777" OR it contains "4038781" OR it contains "4038782" OR it contains "4038783" OR it contains "4038788" OR it contains "4038792" OR it contains "4038799" OR it contains "4040685" OR it contains "4041676" OR it contains "4041681" OR it contains "4041689" OR it contains "4041690" OR it contains "4041691" OR it contains "4041693" OR it contains "4042895") AND it does not contain "_") of (set of ((substrings before "~" of substrings after "for_" of names of keys whose (name of it contains "for_" AND (it = 96 or it = 112 or it = 6 or it = 7) of (value "CurrentState" of it as integer)) of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry) as uppercase)) else (nothing)))))

… and am getting a lot more systems! However, now it’s a superset of those Nessus is reporting. Sigh.


Hmmm. All the Nessus-reported systems are Windows 7, 64-bit.

I think both tools are incomplete in their reporting/remediation of CVE-2017-8529. The key issue is that fixes were first deployed in June updates, then pulled, then re-deployed in September and paired with the registry key. But the registry key didn’t appear until September.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529

Nessus appears to trigger its reporting based on the absence of the registry key, but reports that you need the June update. This assessment is incomplete.

BigFix’s fixlet (170852903) checks for the registry key, but only on the September updates: 4036586, 4038777, 4038781, 4038782, 4038783, 4038788, 4038792, 4038799. This relevance is also incomplete, because it does not include the subsequent updates that supersede this list.

Hey @JasonWalker, can you please change the title to include CVE-2017-8529?

[thread resurrection]

It appears that fixlet 170852903 has been updated to reflect the interim cumulatives that impact this issue.