We’re still facing some problems/doubts regarding the remediation of some vulnerabilities related to the Shadow Brokers’ exploits, more specifically the ETERNALBLUE exploit.
Our Windows team applied patches to 400+ servers, including the KB4012598, released from Microsoft for systems running Windows XP, Windows Server 2003 and Windows 8.
But even after these patches have been applied and the servers have been rebooted, we’ve found some examples of the following case:
The server SW06TB389 (running Windows Server 2003 Service Pack 2) received the patch on Saturday (May, 13rd).
After patch installation, the system was rebooted
The patch, from what I know, doesn’t remove the Registry Keys related to SMB (whatever the version is).
Well, in fact the registry key persisted after the patch was installed and smb v1 kept running.
Buuuut, in the scan we ran on Monday (May, 15th), as you can see, the QID 91360 (of the ETERNALBLUE exploit) was detected
Pointing that the HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb exist.
But, if the patch was applied, shouldn’t this vulnerability (at least this one) be fixed?
I mean, according to Robert Dell’Immagine, from Qualys:
This is a screenshot taken from his response to my own question in the Community.
Qualys seems to be searching for the service only in this Key:
But Microsoft, in their Workaround section on this vulnerability, only describes changes to be made in this key:
Our Windows team has followed Microsft's intructions, but Qualys keeps pointing to the first one and detects the servers as vulnerable. What's the difference between both of them? Should the first one be changed (or deleted) even if the patch was applied?
I can’t help our Windows team if I can’t be 100% sure that the information provided by Qualys is compliant with Microsoft’s info.
Can anybody help me to solve this doubt?
Thank you so much!