Skip to main content

Mitigating CVE-2020-0674 With Powershell and SCCM

·764 words·4 mins
system-administration tech cybersecurity powershell sccm sysadmin technology
James Pettigrove
Author
James Pettigrove
Cloud Engineer with a focus on Microsoft Azure
Table of Contents

Happy New Year fellow SysAdmins and what a welcome it has been for us all. Zero day, after exploit, after vulnerability.

I’m sure you are no doubt patching your Microsoft systems, your Oracle, Citrix, Mozilla…oh boy. This seems to go on and on right? It is the year 2020 and this is the new norm. Red teams are poking holes in things and helping protecting enterprises at a exponential rate.

One of the most recent is the memory leak in the Javascript rendering engine for Internet Explorer, jscript.dll.

All the juicy details can be found at Microsoft’s advisory, ADV200001 at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200001.

Powershell script
#

With that said, let’s get straight to the good stuff, that is, applying the mitigations with our friends Powershell and SCCM.

Firstly, open up your code editor of choice and plonk the following into a .ps1 file:

This script will take ownership of both the x86 and x64 bit versions of the jscript.dll as well as add the DENY access control for the group everyone.

If you will not be applying this code via methods that run as SYSTEM, then I would recommend adding the /a switch for the takeown commands. This will mean SYSTEM will take ownership instead of your own user account

Next, roll it up as a program into SCCM and deploy to the masses.

But once the official Microsoft security patch arrives next month, how do we undo our mitigations to restore order?

I hear ya, I see ya and I’ve got your PowerShell code right here:

Make this your uninstall program to compliment the script above and you have one complete package.

Only thing left for you is to deploy it.

SCCM Compliance method
#

While deploying the Powershell based mitigations as a program is one method, another way would be via the Compliance offerings in SCCM.

Firstly, we’ll need what the jscript file ACLs will look like after we apply our mitigations. So go ahead and perform the above Powershell script on a test workstation and do the following:

$CurrentX86Acl = Get-Acl -Path $ENV:windir\system32\jscript.dll
$CurrentX64Acl = Get-Acl -Path $ENV:windir\syswow64\jscript.dll
$CurrentX86Acl.Sddl
$CurrentX64Acl.Sddl

This will output two large hashes of the ACLs currently applied to the (now mitigated) jscript.dll file. Keep these hashes handy as we will utilize them later as part of our test.

Next, jump on over into SCCM console, hit the Asset and Compliance tab and expand Overview > Compliance Settings > Configuration Items. Once there, select Create Configuration Item.

Go through the basics of CI name, supported platforms etc…until you get to the Settings step. Here, we are going to click the New button and create a new setting of the type Script, with a data type of String. Now click through to Add Script under the Discovery script heading and this is where we will weave our Powershell magic.

In the window for our Script contents, enter in the following:

$DesiredX86Acl = "YourX86SddlHashHere"
$DesiredX64Acl = "YourX64SddlHashHere"

$CurrentX86Acl = Get-Acl -Path $ENV:windir\system32\jscript.dll
$CurrentX86Acl = $CurrentX86Acl.Sddl

$CurrentX64Acl = Get-Acl -Path $ENV:windir\syswow64\jscript.dll
$CurrentX64Acl = $CurrentX64Acl.Sddl

If (($CurrentX86Acl -eq $DesiredX86Acl) -and ($CurrentX64Acl -eq $DesiredX64Acl)) { $Compliance = "Compliant"}
Else { $Compliance = "NonCompliant" }
Return $Compliance

Remember the ACL hashes I wanted you to keep handy? Grab the values now and replace YourSddlHashHere with their contents. With the correct ACL hashes, we now have a Powershell script that compares the desired state of the jscript file, with it’s current state and returns a value of either NonCompliant or Compliant. Simple right?

Now close of the script entry window by hitting OK.

We have a script that tests for compliancy, but what the real value will come from is in the remediation. Under the Remediation script heading, click Add Script. In the script contents window, enter in contents of the first script in this post, ensure the script language is set to Windows Powershell and click OK to save and close.

Return to the Create Configuration Item Wizard and hit Next to progress to the Compliance rules section, Click on the New button to create rule and under Selected setting, chose our previously created setting. Our rule type is going to be of the Value. Finally, we are set our rule to Equals and enter a value of Compliant.

Now we have a Configuration Item that checks if the mitigation has been applied and if not, apply said mitigations. All that is left to do is create a Configuration Baseline with the newly created Configuration Item as the evaluation conditions and deploy to your workstations.

Powershell and SCCM…powerful stuff. Go forth and mitigate those security risks!

Related

Installing Fonts with PowerShell
·281 words·2 mins
system-administration tech application-packaging fonts powershell sccm sysadmin technology windows windows-10 windows-7
Not normally the application packaging type but some time ago it fell to me to package up some open source fonts and deploy them via System Centre Configuration Manager across the enterprise.
Legacy BIOS and UEFI PXE coexistence
·701 words·4 mins
system-administration tech bios dhcp powershell pxe sccm sysadmin technology uefi windows-server-2012-r2
More and more enterprises are moving towards the modern UEFI devices in their fleet, whether that be desktops, laptops or convertibles.
Installing MiniKube with Powershell
·584 words·3 mins
system-administration tech containers hyper-v k8s kubernetes powershell sysadmin technology windows
I noted on Twitter the other day that I had mixed feelings on getting a breakthrough on a problem that I had faced a couple of months ago by revisiting said problem with a fresh pair of eyes and a different point of view.