
WSUS Offline Update security?

Posted: 29.03.2018, 09:54
by ntech
Hello,

I am concerned about the security of WSUS Offline Update. I am not sure what it does to check the file integrity of 1) the downloaded updates and 2) the self-update?

Kind Regards

Re: WSUS Offline Update security?

Posted: 29.03.2018, 15:14
by Dalai
Downloaded updates and the update catalog (wsusscn2.cab) are verified by their embedded digital signature using sigcheck.exe (by Sysinternals). Also hashdeep.exe is used to calculate hashes (md5, sha1 and sha256) of all updates; these hashes can be verified before installing any updates.

As for WSUS Offline's self-update, well, I don't think there's any verification or integrity check. However, you don't need to use the self-update function and can update it manually, if you prefer.

Regards
Dalai

Re: WSUS Offline Update security?

Posted: 30.03.2018, 09:15
by WSUSUpdateAdmin
Hi.

Dalai wrote: As for WSUS Offline's self-update, well, I don't think there's any verification or integrity check.

There is!
The release archive's hashes are verified against the published values (see UpdateOU.cmd):
  echo Verifying integrity of %%~nxi...
  .\client\bin\%HASHDEEP_EXE% -a -l -vv -k %%~ni_hashes.txt %%~nxi
  if errorlevel 1 (
    popd
    goto IntegrityError
  )

:)
Cheers,
Torsten

Re: WSUS Offline Update security?

Posted: 30.03.2018, 16:21
by Dalai
Ah, nice! Didn't know that. (Again what learned :mrgreen:.)

Regards
Dalai

Re: WSUS Offline Update security?

Posted: 31.03.2018, 17:48
by ntech
Thanks for the info, Dalai. No problem with the actual updates.

WSUSUpdateAdmin wrote: The release archive's hashes are verified against the published values

Is the release hash file downloaded using insecure HTTP? Or is it checked for tampering?

Kind Regards

Re: WSUS Offline Update security?

Posted: 31.03.2018, 19:47
by Dalai
All files from wsusoffline.net are downloaded via HTTP, not HTTPS. But that's not a problem as long as the way from your system to the server has not been tampered with (MitM).

Regards
Dalai

Re: WSUS Offline Update security?

Posted: 01.04.2018, 12:00
by ntech
Ok, thanks for the info. Then the hash check provides little security. I think it is better to download the update tool from the website.
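
Added example (not part of the thread and not WSUS Offline's own code): a Python version of the hashdeep-style audit discussed above, run against a hash list that travels with the archive and against a SHA-256 digest obtained over an authenticated channel. It shows that the first only catches corruption, while the second also catches a replaced archive. The archive name, byte strings, helper names and pinned digest are constructed assumptions.

```python
import hashlib

def parse_hashdeep(text):
    """Parse a hashdeep-format list into {filename: {column: value}}."""
    columns, entries = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("%%%% ") and "," in line:
            columns = line[5:].split(",")      # e.g. size,md5,sha256,filename
        elif not line or line.startswith(("%%%%", "##")):
            continue                           # banner, comments, blank lines
        elif columns:
            # filename is the last column and may itself contain commas
            fields = line.split(",", len(columns) - 1)
            if len(fields) == len(columns):
                entries[fields[-1]] = dict(zip(columns, fields))
    return entries

def audit(name, data, hash_list):
    """True if data matches the size and every digest listed for name."""
    rec = parse_hashdeep(hash_list).get(name)
    if rec is None or int(rec["size"]) != len(data):
        return False
    algos = [c for c in rec if c not in ("size", "filename")]
    usable = algos and all(a in hashlib.algorithms_available for a in algos)
    return bool(usable) and all(hashlib.new(a, data).hexdigest() == rec[a].lower() for a in algos)

def make_hash_list(name, data):
    """Build a hashdeep-style list for one file (constructed sample input)."""
    row = [str(len(data))] + [hashlib.new(a, data).hexdigest() for a in ("md5", "sha256")]
    return "%%%% HASHDEEP-1.0\n%%%% size,md5,sha256,filename\n##\n" + ",".join(row + [name]) + "\n"

def verify_pinned(data, pinned_sha256):
    return hashlib.sha256(data).hexdigest() == pinned_sha256.lower()

def demo():
    name = "release.zip"                       # hypothetical archive name
    genuine, altered = b"genuine release bytes", b"altered release bytes"
    published = make_hash_list(name, genuine)
    pinned = hashlib.sha256(genuine).hexdigest()  # stands in for an out-of-band value
    return {
        "genuine, published list": audit(name, genuine, published),
        "altered, published list": audit(name, altered, published),
        "altered, list replaced in transit": audit(name, altered, make_hash_list(name, altered)),
        "altered, pinned digest": verify_pinned(altered, pinned),
    }

if __name__ == "__main__":
    print(demo())
```

The third case passes the audit even though the archive is not the genuine one, which is why the hash list itself needs an authenticated source (HTTPS or a signature) before its result means anything beyond transfer integrity.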