
False positive when CVE is corrected by multiple KBs #54

Closed
the-useless-one opened this issue Apr 9, 2021 · 1 comment

@the-useless-one

Hi!

I noticed a false positive when a CVE is corrected by different KBs. Enclosed are a systeminfo.txt and a qfefile.txt illustrating the problem.

You can see that wesng says that the server is vulnerable to CVE-2017-0143 (EternalBlue), because KB4012219 is missing:

Date: 20170321
CVE: CVE-2017-0143
KB: KB4012219
Title: Windows SMB Remote Code Execution Vulnerability
Affected product: Windows Server 2012 R2
Affected component: 
Severity: Critical
Impact: Remote Code Execution
Exploits: https://www.exploit-db.com/exploits/41891/, https://www.exploit-db.com/exploits/41987/, https://www.exploit-db.com/exploits/43970/

However, KB4012213, which also corrects CVE-2017-0143 in the March 2017 Security Only Update, is installed.

Therefore, the server is not vulnerable to EternalBlue, and the fact that KB4012219 is not installed should be ignored.

@bitsadmin
Owner

Hi! Thanks for your message.

WES-NG collects information from the Microsoft Security Response Center (MSRC) feed. The reason that false-positive missing KBs show up is Microsoft's incomplete KB supersedence information. For more info, check the "Eliminating false positives" link on step 4 of the Usage heading: https://github.com/bitsadmin/wesng#usage.

I am currently in the process of finalizing a blog on how Windows versions/updates work, and how WES-NG can help to identify missing KBs, including ways to eliminate false positives. Keep an eye on my blog (https://bitsadm.in/) or Twitter (https://twitter.com/bitsadmin) where I will publish/announce it!
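The per-CVE check the reporter is asking for, as an added example that is not WES-NG's own code: the record fields are modelled on the output quoted in the issue, the qfe excerpt and the CVE-2099-0001/KB9999999 pair are constructed, and treating a CVE as closed when any one of the KBs that corrects it is installed is the issue's premise, not something the project confirms.

```python
import re
from collections import defaultdict

# Constructed stand-in for the MSRC-derived records the tool matches against.
# Field names follow the output quoted in the issue; the second KB for
# CVE-2017-0143 is the Security Only Update the reporter mentions. The last
# record is an invented CVE/KB pair used only to show a genuine open finding.
MSRC_RECORDS = [
    {"Date": "20170321", "CVE": "CVE-2017-0143", "KB": "KB4012219",
     "Title": "Windows SMB Remote Code Execution Vulnerability"},
    {"Date": "20170321", "CVE": "CVE-2017-0143", "KB": "KB4012213",
     "Title": "Windows SMB Remote Code Execution Vulnerability"},
    {"Date": "20990101", "CVE": "CVE-2099-0001", "KB": "KB9999999",
     "Title": "Constructed example vulnerability"},
]

# Constructed excerpt in the shape of `wmic qfe` output (qfefile.txt):
# KB4012213 is installed, KB4012219 is not.
QFE_TEXT = """\
Caption                                     HotFixID   InstalledOn
http://support.microsoft.com/?kbid=4012213  KB4012213  3/15/2017
http://support.microsoft.com/?kbid=3000000  KB3000000  1/1/2016
"""


def installed_kbs(qfe_text):
    """Collect KB identifiers from the HotFixID column (upper-case KB + digits)."""
    return set(re.findall(r"\bKB\d{6,7}\b", qfe_text))


def missing_per_kb(records, installed):
    """Per-KB check: every record whose KB is absent becomes a finding.
    This reproduces the false positive described in the issue."""
    return [(r["CVE"], r["KB"]) for r in records if r["KB"] not in installed]


def missing_per_cve(records, installed):
    """Per-CVE check: a CVE is reported only when none of the KBs that
    correct it is installed; a single installed correcting KB closes it."""
    fixes, titles = defaultdict(set), {}
    for r in records:
        fixes[r["CVE"]].add(r["KB"])
        titles[r["CVE"]] = r["Title"]
    findings = []
    for cve, kbs in sorted(fixes.items()):
        if kbs & installed:
            continue  # at least one correcting KB is present: not a finding
        findings.append((cve, titles[cve], sorted(kbs)))
    return findings


if __name__ == "__main__":
    have = installed_kbs(QFE_TEXT)
    print("per-KB :", missing_per_kb(MSRC_RECORDS, have))
    print("per-CVE:", missing_per_cve(MSRC_RECORDS, have))
```

The per-KB pass still lists KB4012219 for CVE-2017-0143, while the per-CVE pass drops it because KB4012213 is installed and keeps only the constructed CVE with no installed fix.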
