WSUS Offline Update security?

Post by ntech » 29.03.2018, 10:54

Hello,

I am concerned about the security of WSUS Offline Update. I am not sure what it does to check file integrity of 1) the downloaded updates and 2) the self-update?

Kind Regards
ntech
 

Re: WSUS Offline Update security?

Post by Dalai » 29.03.2018, 16:14

Downloaded updates and the update catalog (wsusscn2.cab) are verified by their embedded digital signature using sigcheck.exe (by Sysinternals). Also hashdeep.exe is used to calculate hashes (md5, sha1 and sha256) of all updates; these hashes can be verified before installing any updates.

As for WSUS Offline's self-update, well, I don't think there's any verification or integrity check. However, you don't need to use the self-update function and can update it manually, if you prefer.

Regards
Dalai

Re: WSUS Offline Update security?

Post by WSUSUpdateAdmin » 30.03.2018, 10:15

Hi.

Dalai wrote: As for WSUS Offline's self-update, well, I don't think there's any verification or integrity check.

There is!
The release archive's hashes are verified against the published values (see UpdateOU.cmd):
Code:
  echo Verifying integrity of %%~nxi...
  .\client\bin\%HASHDEEP_EXE% -a -l -vv -k %%~ni_hashes.txt %%~nxi
  if errorlevel 1 (
    popd
    goto IntegrityError
  )

:)
Cheers,
Torsten

Re: WSUS Offline Update security?

Post by Dalai » 30.03.2018, 17:21

Ah, nice! Didn't know that. (Again what learned :mrgreen:.)

Regards
Dalai

Re: WSUS Offline Update security?

Post by ntech » 31.03.2018, 18:48

Thanks for the info, Dalai. No problem with the actual updates.

WSUSUpdateAdmin wrote: The release archive's hashes are verified against the published values

Is the release hash file downloaded using insecure HTTP? Or is it checked for tampering?

Kind Regards
ntech
 

Re: WSUS Offline Update security?

Post by Dalai » 31.03.2018, 20:47

All files downloaded from wsusoffline.net are done via HTTP, not HTTPS. But that's not a problem as long as the way from your system to the server has not been tampered with (MitM).

Regards
Dalai

Re: WSUS Offline Update security?

Post by ntech » 01.04.2018, 13:00

Ok, thanks for the info. Then the hash check provides little security. I think it is better to download the update tool from the website.
ntech
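
The hash check discussed in this thread, as an added example that is not part of the original posts and not WSUS Offline Update's own code: it checks archive bytes against a hashdeep-format list and reports whether the list itself was authenticated. The file name, the sample bytes and the `pinned_list_sha256` parameter (a digest of the list obtained over a separate, authenticated channel) are assumptions made for illustration.

```python
import hashlib
import hmac

def parse_hashdeep(text):
    """Return {filename: {"size": ..., "md5": ..., ...}} from a hashdeep list."""
    cols, known = None, {}
    for line in text.splitlines():
        if line.startswith("%%%% size,"):       # column header names the digests
            cols = line[5:].strip().split(",")
        elif line.strip() and not line.startswith(("%%%%", "##")):
            if cols is None:
                raise ValueError("hashdeep column header missing")
            # filename is the last column and may itself contain commas
            rec = dict(zip(cols, line.strip().split(",", len(cols) - 1)))
            known[rec.pop("filename")] = rec
    return known

def verify_release(name, archive, hash_list, pinned_list_sha256=None):
    """Check archive bytes against the list; say how far the result can be trusted."""
    authenticated = False
    if pinned_list_sha256 is not None:
        got = hashlib.sha256(hash_list.encode()).hexdigest()
        if not hmac.compare_digest(got, pinned_list_sha256.lower()):
            return "hash-list-untrusted"        # list differs from the pinned one
        authenticated = True
    rec = parse_hashdeep(hash_list).get(name)
    if rec is None:
        return "not-listed"
    if int(rec["size"]) != len(archive):
        return "mismatch"
    for algo, want in rec.items():
        if algo != "size" and hashlib.new(algo, archive).hexdigest() != want.lower():
            return "mismatch"
    return "match-authenticated" if authenticated else "match-unauthenticated"

def make_list(name, data):
    """Build a constructed hashdeep-style list (sample input for this example)."""
    h = lambda a: hashlib.new(a, data).hexdigest()
    return ("%%%% HASHDEEP-1.0\n%%%% size,md5,sha1,sha256,filename\n"
            f"{len(data)},{h('md5')},{h('sha1')},{h('sha256')},{name}\n")

# Constructed sample data; none of these values come from the real project.
NAME = "sample_release.zip"
GOOD = b"constructed release archive bytes"
GOOD_LIST = make_list(NAME, GOOD)
PIN = hashlib.sha256(GOOD_LIST.encode()).hexdigest()  # assumed to arrive out of band

if __name__ == "__main__":
    print(verify_release(NAME, GOOD, GOOD_LIST))       # list not authenticated
    print(verify_release(NAME, GOOD, GOOD_LIST, PIN))  # list authenticated
```

A result of `match-unauthenticated` only shows that archive and list agree with each other, which catches download corruption; a list replaced together with the archive is caught only when the pinned digest is supplied.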
 

