How to patch WannaCry using SaltStack! (AD alternative)



  • so this thread:

    https://mangolassi.it/topic/13635/saltstack-use-cases

    Got me all excited about SaltStack, I hope it remains open source and free and available forever.

    And I really wanted an Active Directory replacement. I don't have AD at my work; we do have centralized I.T. services like an XMPP server/Nextcloud/some machines have secure VNC installed but not all, but nothing to manage the Windows clients. Thus it depends on the users most of the time.

    So WannaCry came up and the max I can do is download the patch and host it on our NAS, and email everyone with the link and steps on how to do it, and tell them I am available for support just reply to the email and I will try to VNC to the machine or go manually and apply it (we are talking about managing 100+ machines).

    But that did test our infrastructure readiness for similar scenarios and it was poor and slow, because it depends on the users, who you just can't trust to do the right thing; sometimes they get so busy, some think that just downloading the .msu patch file to their desktop means that they did it and applied the patch without even running it.

    So that got me trialing SaltStack:

    I did the basic stuff: got a CentOS 7 minimal machine (2 CPU/2 GB RAM) and installed SaltStack using this info:
    https://repo.saltstack.com/#rhel

    Then create 2 folders:
    mkdir /srv/salt/
    mkdir /srv/pillar/

    Then edit this file:
    /etc/salt/master

    And uncomment the following lines, keeping the default config for them.
    interface #(change this to your machine IP)
    publish_port
    user
    ret_port
    root_dir: /
    file_roots:
      base:
        - /srv/salt
    pillar_roots:
      base:
        - /srv/pillar

    Then ensure firewalld is allowing the ports (publish + ret) configured above to be opened or accessible in your LAN.

    Currently I do not use SS for provisioning servers, or salt state files, but I reckon I will get to that once I am more knowledgeable with the tool.


    So the above covered the CentOS Salt Master part, now for the minions, simply download the file:
    https://repo.saltstack.com/#windows

    And install it; during install you will be asked to provide the IP for the salt master + the ID name of the client minion machine. (It is important to come up with a minion naming plan prior.)


    And this covers the minion part. What I found very interesting is that SS works even if the Windows machine has Kaspersky Workstation Security installed with everything set on high as well as UAC; usually Kaspersky messes everything up.


    Now go back to the CentOS Salt master:

    and type:

    salt-key -L
    You should see the new client minion name but not authorized, thus type:
    salt-key -A
    to authorize the Windows minion to connect (you can enable in the salt master config to accept all requests by default).


    Now the actual patch part, let's say our Windows minion ID is 123 in this example:

    1. Download the WannaCry patch and put it in the CentOS Salt Master dir /srv/salt,
      and cd to that dir on the Master.

    2. run the following on the Master:

    salt '123' service.start 'wuauserv' && salt '123' cp.get_file salt://wannacry_patch_x64.msu C:/wannacry_patch_x64.msu && salt '123' cmd.run 'wusa.exe C:/wannacry_patch_x64.msu /quiet /norestart'

    If you want the patch to apply to selected machines, simply use salt -L '123,124' instead, and for all machines use salt '*' instead.

    The above command will apply the patch, without rebooting the machine.

    3. Checking up on the patch after some time:

    salt '123' cmd.run 'wmic qfe | find "4012212"'

    This is based on:

    https://technet.microsoft.com/library/security/MS17-010

    Windows 7 for x64-based Systems Service Pack 1 (4012212) Security Only[1]

    This will return to you whether the user has it installed; the minion might need to reboot first before it is listed, not sure.

    4. Cleanup and delete the file from Windows clients after all are patched:

    salt '123' cmd.run 'del C:\wannacry_patch_x64.msu'


    I know the above is rough and untidy, but I like to help in increasing the popularity of this awesome solution that I am trialing; it is stable and speedy and works, truly a GPO solution that works.
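    The same four steps (copy, start wuauserv, install, verify, clean up) as an idempotent Salt state file, an added example and not the poster's own commands. The file name ms17-010.sls, the patch file name and the minion IDs are assumptions; the wmic qfe lookup is the post's own check, so re-running the state on an already-patched minion changes nothing.

```yaml
# /srv/salt/ms17-010.sls  (added example; file name and minion IDs are assumptions)
# Apply with:  salt -L '123,124' state.apply ms17-010   (or salt '*' for everyone)
# Re-running is safe: each step is skipped once KB4012212 is listed by wmic qfe.
{% set kb_present = 'wmic qfe get HotFixID | find "KB4012212"' %}

# Windows Update service must be running for wusa.exe to install an .msu
wuauserv:
  service.running

# Copy the patch from the master's /srv/salt only while the KB is missing
wannacry_patch_file:
  file.managed:
    - name: 'C:\wannacry_patch_x64.msu'
    - source: salt://wannacry_patch_x64.msu
    - unless: '{{ kb_present }}'

# Install silently with no forced reboot; skipped if the KB is already listed
apply_wannacry_patch:
  cmd.run:
    - name: 'wusa.exe C:\wannacry_patch_x64.msu /quiet /norestart'
    - unless: '{{ kb_present }}'
    - require:
      - service: wuauserv
      - file: wannacry_patch_file

# Remove the installer only once the hotfix is actually reported installed
cleanup_wannacry_patch:
  file.absent:
    - name: 'C:\wannacry_patch_x64.msu'
    - onlyif: '{{ kb_present }}'
```

    As the post notes, wmic qfe may not list the KB until the minion reboots, so the cleanup step only fires on a later run after that reboot.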


  • Service Provider

    That's awesome! A great example of how useful Salt can be.


  • Service Provider

    I'll add a note for clarity given the title... SaltStack does not do authentication like AD does. AD does not do patching of any sort like Salt does. Salt is an alternative to common myths about AD functionality, but not to actual AD functionality. But you can use Salt to do distributed local authentication management, which does replace the need for AD, but is very different than what is being discussed here. In this case Salt is replacing GPO, not AD.


