Detecting the WannaCry Exploit with InSpec

As you may have read about in the news, an exploit called “WannaCry” has been circulating and infecting Windows systems across the globe. The “WannaCry” exploit is a particularly nasty type of exploit called “ransomware”; once installed, the malware encrypts your files and holds them hostage until you pay hundreds of dollars in ransom fees.

This is a very serious exploit that has impacted operations at a number of well-known businesses. Microsoft has released a number of hotfixes that patch the vulnerability. Anyone that uses Windows is strongly encouraged to run Windows Update on their systems as soon as possible.

Detecting the Exploit with InSpec

While running Windows Update regularly is good practice and should mitigate the vulnerability on your systems, it’s important to know if any of your fleet is vulnerable to this exploit, and it’s critically important to assure that Windows Update properly installed the required hotfixes. InSpec, our solution to expressing compliance-as-code using a human-readable and executable language, can be used to scan a fleet remotely and report on its compliance.

We have released a wannacry-exploit InSpec profile on the Supermarket, and the source is on GitHub. This profile can be used with InSpec to scan a host and determine if the hotfixes necessary to mitigate WannaCry have been installed:

inspec exec supermarket://adamleff/wannacry-exploit --target winrm://Administrator@HOSTNAME --password AdministratorsPassword

InSpec does not require the installation of any software on the target host in order to properly scan it for compliance; as long as you have credentials to log in to the remote host, InSpec can scan for its compliance status.

Chef Automate users can use the audit cookbook and add this profile to the list of profiles executed as part of their normal Chef Client runs. Each node will report back its compliance findings, including the newly-added WannaCry exploit profile, to Chef Automate which can be used to see compliance status in a fleet-wide view.

Detect More Vulnerabilities

Scanning for known exploits is just one of the tasks InSpec can help with. InSpec offers a number of built-in resources for checking the state of your fleet, its configuration, and more. Read more about InSpec at www.inspec.io.

Author Adam Leff

Adam Leff is the Technical Community Advocate for InSpec at Chef. Prior to joining Chef, Adam held engineering and management positions at WebMD. He lives in Northern VA with his family and can frequently be found at local DevOps meetups in the DC area.