Identifying Potentially Vulnerable Systems - Chrome Zero Day

Last week Google released an update to its Chrome Browser that addresses 14 vulnerabilities, including a zero-day security flaw that would leave unpatched Windows 10 systems vulnerable to attack.

https://www.digitaltrends.com/computing/google-chrome-browser-patch-zero-day-exploit/

https://duo.com/decipher/microsoft-fixes-six-zero-days-used-in-attacks

Ideally, the fastest way to address the issue would be to upgrade all systems within your environment to Chrome version 91.0.4472.101, as well as update all of your Windows systems with the newest OS patch.

In larger, sprawling environments, however, this can be a complex and time-consuming task. Furthermore, when a severe vulnerability exists that has a co-dependency between a software version (Chrome) and a specific OS (Windows 10), it is imperative to identify and prioritize the updating and patching efforts to address the most vulnerable systems immediately.

The identification process and cross coordination between departments and various teams within an organization can become a herculean effort that takes days to address.

With Axonius, it can be done in minutes.

In this post we will show how to use Axonius to find our most vulnerable systems (Windows 10, outdated Chrome, CVEs exist, OS Patch not applied) and share this information to move quickly and remediate the most vulnerable systems first.

Since we know one of the variables for the zero-day dependency is Windows 10, our first step is to set up a query that narrows our search to those systems.

We will use an aggregated 'Last Seen - Last Days' entry to ensure we are only seeing recently observed assets (stale inventory records would otherwise inflate the count). We will also use the aggregated fields 'Preferred OS Type - Equals - Windows' and 'Preferred OS Distribution - Equals - 10'.

Next, we want to add all of the systems that have Chrome installed, but DO NOT have the updated Chrome version. For this, we will add two Complex Field searches.

The top query will look for systems with Chrome that do not 'equal' software version 91.0.4472.101. PLEASE NOTE 'NOT' is selected.

In the bottom query, we ask for systems with a version of Chrome 'earlier than' version 91. We use this second condition to eliminate the possible overlap of systems that have both the newly updated version AND a legacy version of Chrome installed, since such a host is still exposed through the older copy. Searching this way, we pull only Windows 10 systems with a vulnerable version of Chrome.

At this point we have pulled together our list of Windows 10 systems that have a vulnerable Chrome version installed.

For this exercise, we will also pivot and add search criteria for Windows systems that might not have the latest OS patch. In this example we use another Complex Field query against the SCCM adapter, check 'Patches Compliance Status', and enter the Article IDs for the related patches. Again, we use the 'NOT' value to find systems where the patch has not been detected.

Lastly, we will also incorporate the CVE IDs associated with this vulnerability into the search. In the example below we are looking for any of the three main CVEs tied to the Chrome zero-day:

CVE-2021-30551, CVE-2021-31955, CVE-2021-31956

(The CVE IDs are not essential to this identification process; they are just another example of how you can search Axonius for data relevant to the vulnerability.)
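The same triage logic expressed as a standalone script, as an added example that is not part of the original post and does not use the Axonius query language or API. It filters a small constructed inventory the way the queries above do: Windows 10 only, seen recently, any installed Chrome build older than 91.0.4472.101 (so a host carrying both the patched and a legacy copy is still flagged), then ranks hits by missing OS patch and matching CVE IDs. The seven-day "last seen" window and the KB article ID are assumptions and placeholders; the three CVE IDs are the ones listed above.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Fixed Chrome release named in the post.
PATCHED_CHROME = (91, 0, 4472, 101)
# The post does not list the Windows KB article IDs, so this is an
# obviously labelled placeholder; substitute the real IDs from the adapter.
REQUIRED_KBS = {"KB-PLACEHOLDER"}
ZERO_DAY_CVES = {"CVE-2021-30551", "CVE-2021-31955", "CVE-2021-31956"}
LAST_SEEN_DAYS = 7  # assumption: "recent" means seen within the last week


@dataclass
class Asset:
    """Constructed stand-in for an aggregated asset record."""
    hostname: str
    os_type: str
    os_distribution: str
    last_seen: date
    software: dict          # product name -> list of installed version strings
    installed_kbs: set      # patches reported as applied
    cves: set = field(default_factory=set)


def parse_version(v: str) -> tuple:
    """Numeric tuple so '9.x' is not lexically 'less than' '91.x'."""
    return tuple(int(part) for part in v.split("."))


def chrome_is_vulnerable(versions) -> bool:
    """Any build older than the fix counts, even beside a patched copy."""
    return any(parse_version(v) < PATCHED_CHROME for v in versions)


def missing_patches(installed_kbs: set) -> set:
    return REQUIRED_KBS - installed_kbs


def triage(assets, today: date) -> list:
    cutoff = today - timedelta(days=LAST_SEEN_DAYS)
    hits = []
    for a in assets:
        if a.os_type != "Windows" or a.os_distribution != "10":
            continue                      # Preferred OS Type / Distribution
        if a.last_seen < cutoff:
            continue                      # Last Seen - Last Days
        chrome = a.software.get("Google Chrome", [])
        if not chrome or not chrome_is_vulnerable(chrome):
            continue                      # Chrome present and earlier than fix
        hits.append({
            "hostname": a.hostname,
            "chrome_versions": sorted(chrome),
            "missing_kbs": sorted(missing_patches(a.installed_kbs)),
            "cves": sorted(a.cves & ZERO_DAY_CVES),
        })
    # Most exposed first: unpatched OS, then number of matching CVE IDs.
    hits.sort(key=lambda h: (len(h["missing_kbs"]), len(h["cves"])), reverse=True)
    return hits


def sample_assets() -> list:
    """Constructed inventory covering the edge cases the post calls out."""
    today = date(2021, 6, 15)
    return [
        Asset("ws01", "Windows", "10", today, {"Google Chrome": ["90.0.4430.212"]},
              set(), set(ZERO_DAY_CVES)),
        # Patched and legacy Chrome side by side: still vulnerable.
        Asset("ws02", "Windows", "10", today,
              {"Google Chrome": ["91.0.4472.101", "89.0.4389.90"]}, set(REQUIRED_KBS)),
        Asset("ws03", "Windows", "10", today, {"Google Chrome": ["91.0.4472.101"]},
              set(REQUIRED_KBS)),
        # Not Windows 10, so outside the scope of this query.
        Asset("srv01", "Windows", "Server 2019", today,
              {"Google Chrome": ["88.0.4324.150"]}, set()),
        # Stale record: last seen a month ago.
        Asset("ws04", "Windows", "10", today - timedelta(days=30),
              {"Google Chrome": ["90.0.4430.212"]}, set()),
        Asset("mac01", "macOS", "11", today, {"Google Chrome": ["90.0.4430.212"]}, set()),
    ]


def run() -> list:
    return triage(sample_assets(), date(2021, 6, 15))


if __name__ == "__main__":
    for h in run():
        print(h)
```

Running it prints ws01 first (unpatched OS, all three CVE IDs) and then ws02, whose legacy Chrome copy keeps it on the list despite the patched build also being present; ws03, srv01, ws04 and mac01 fall out at the version, distribution, last-seen and OS-type filters respectively.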

Once you save your query, you can create a Field Summary dashboard to display the total count of these systems that are in urgent need of remediation.

IMPORTANT NOTE: Each environment leverages different adapters that provide various data fields related to Patches/Updates. Please reach out to your Technical Account Manager or Customer Support if you have questions or need help identifying ways to search for this.

Thanks for reading!
