Release/release 3.5.1 fixes (#356)

RichardHNetwrix · web-flow · commit ba13fb895cfc · 2026-06-09T16:00:02.000+01:00
* Add fixes for issues found in the 3.5.1 release
diff --git a/PingCastle/Healthcheck/HotFixCollector.cs b/PingCastle/Healthcheck/HotFixCollector.cs
@@ -8,13 +8,11 @@ namespace PingCastle.Healthcheck
 {
     public class HotFixCollector : IHotFixCollector
     {
-        private readonly IHotfixService _cimService;
-        private readonly IHotfixService _wmiService;
+        private readonly IHotfixService _hotfixService;
 
-        public HotFixCollector(IHotfixService cimService, IHotfixService wmiService)
+        public HotFixCollector(IHotfixService hotfixService)
         {
-            _cimService = cimService ?? throw new System.ArgumentNullException(nameof(cimService));
-            _wmiService = wmiService ?? throw new System.ArgumentNullException(nameof(wmiService));
+            _hotfixService = hotfixService ?? throw new System.ArgumentNullException(nameof(hotfixService));
         }
 
         public HotfixQueryResult GetInstalledHotfixes(string hostName, bool isPrivilegedMode = true, CancellationToken cancellationToken = default)
@@ -35,36 +33,17 @@ public HotfixQueryResult GetInstalledHotfixes(string hostName, bool isPrivileged
                 return new HotfixQueryResult { Status = HotfixQueryStatus.ConnectionFailed, FailureReason = "Invalid hostname" };
             }
 
-            var cimResult = _cimService.TryGetInstalledHotfixes(hostName, ui, cancellationToken);
-            if (cimResult.Status == HotfixQueryStatus.Success)
+            var result = _hotfixService.TryGetInstalledHotfixes(hostName, ui, cancellationToken);
+            if (result.Status == HotfixQueryStatus.Success)
             {
-                Trace.WriteLine($"CIM succeeded for {hostName.SanitizeForLog()} with {cimResult.KbNumbers.Count} hotfixes");
-                return cimResult;
+                Trace.WriteLine($"Retrieved {result.KbNumbers.Count} hotfixes from {hostName.SanitizeForLog()}");
             }
-
-            Trace.WriteLine($"CIM failed for {hostName.SanitizeForLog()} with status {cimResult.Status}: {cimResult.FailureReason}");
-
-            if (cimResult.Status == HotfixQueryStatus.AccessDenied)
-            {
-                Trace.WriteLine($"Skipping WMI fallback for {hostName.SanitizeForLog()} - same credentials would fail");
-                return cimResult;
-            }
-
-            if (cimResult.Status == HotfixQueryStatus.ConnectionFailed || cimResult.Status == HotfixQueryStatus.Timeout || cimResult.Status == HotfixQueryStatus.NoResults)
+            else
             {
-                Trace.WriteLine($"Attempting WMI fallback for {hostName.SanitizeForLog()}");
-                var wmiResult = _wmiService.TryGetInstalledHotfixes(hostName, ui, cancellationToken);
-                if (wmiResult.Status == HotfixQueryStatus.Success)
-                {
-                    Trace.WriteLine($"WMI fallback succeeded for {hostName.SanitizeForLog()} with {wmiResult.KbNumbers.Count} hotfixes");
-                    return wmiResult;
-                }
-
-                Trace.WriteLine($"WMI fallback also failed for {hostName.SanitizeForLog()} with status {wmiResult.Status}: {wmiResult.FailureReason}");
-                return wmiResult;
+                Trace.WriteLine($"Hotfix detection failed for {hostName.SanitizeForLog()} with status {result.Status}: {result.FailureReason}");
             }
 
-            return cimResult;
+            return result;
         }
     }
 }
diff --git a/PingCastle/Healthcheck/HotFixCollectorFactory.cs b/PingCastle/Healthcheck/HotFixCollectorFactory.cs
@@ -4,12 +4,8 @@ namespace PingCastle.Healthcheck;
 
 public static class HotFixCollectorFactory
 {
-    /// <summary>
-    /// Creates a new instance of HotFixCollector with CIM as primary and WMI as fallback.
-    /// </summary>
-    /// <returns>A new HotFixCollector instance</returns>
     public static HotFixCollector Create()
     {
-        return new HotFixCollector(new CimHotfixHelper(), new WmiHotfixHelper());
+        return new HotFixCollector(new WmiHotfixHelper());
     }
-}
+}
diff --git a/PingCastle/misc/CimHotfixHelper.cs b/PingCastle/misc/CimHotfixHelper.cs
diff --git a/PingCastle/misc/WmiHotfixHelper.cs b/PingCastle/misc/WmiHotfixHelper.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.Globalization;
 using System.Management;
 using System.Text.RegularExpressions;
 using System.Threading;
@@ -146,7 +147,8 @@ private bool TryGetHotfixesFromQuickFixEngineering(string hostName, HotfixQueryR
         private static void CheckPostAlertQualityUpdate(ManagementObject obj, HotfixQueryResult result, DateTime alertCutoff)
         {
             var description = obj["Description"]?.ToString();
-            if (!string.Equals(description, "Update", StringComparison.OrdinalIgnoreCase))
+            if (!string.Equals(description, "Update", StringComparison.OrdinalIgnoreCase) &&
+                !string.Equals(description, "Security Update", StringComparison.OrdinalIgnoreCase))
             {
                 return;
             }
@@ -157,7 +159,7 @@ private static void CheckPostAlertQualityUpdate(ManagementObject obj, HotfixQuer
                 return;
             }
 
-            if (DateTime.TryParse(installedOnStr, out var installedOn) && installedOn > alertCutoff)
+            if (DateTime.TryParse(installedOnStr, CultureInfo.InvariantCulture, DateTimeStyles.None, out var installedOn) && installedOn > alertCutoff)
             {
                 result.MostRecentQualityUpdateDate = installedOn;
             }
diff --git a/PingCastleCommon/Scanners/KerberosCheckSumVulnerabilityScanner.cs b/PingCastleCommon/Scanners/KerberosCheckSumVulnerabilityScanner.cs
@@ -188,6 +188,10 @@ public ScanResult Scan(
             {
                 var hotfixResult = RetrieveInstalledHotfixes(computerName, cancellationToken);
                 installedHotfixes = hotfixResult.KbNumbers;
+                if (mostRecentQualityUpdateDate == null)
+                {
+                    mostRecentQualityUpdateDate = hotfixResult.MostRecentQualityUpdateDate;
+                }
             }
 
             return AnalyzeVulnerability(operatingSystem, installedHotfixes, startupTime.Value, mostRecentQualityUpdateDate);
@@ -264,28 +268,7 @@ private ScanResult AnalyzeVulnerability(
                     };
                 }
 
-                bool isCritical = IsCriticalOperatingSystem(operatingSystem);
-                string severity = isCritical ? "Critical" : "Yes";
-                Trace.WriteLine($"[MS14-068] FAIL - Patch not found in installed hotfixes");
-                return new ScanResult
-                {
-                    IsVulnerable = true,
-                    Reason = ReasonPatchNotInstalled,
-                    OsVersion = operatingSystem,
-                    SeverityLevel = severity
-                };
-            }
-
-            if (mostRecentQualityUpdateDate.HasValue && mostRecentQualityUpdateDate.Value > AlertDate)
-            {
-                Trace.WriteLine($"[MS14-068] PASS - Date fallback ({mostRecentQualityUpdateDate.Value:yyyy-MM-dd} > {AlertDate:yyyy-MM-dd})");
-                return new ScanResult
-                {
-                    IsVulnerable = false,
-                    Reason = $"Quality update dated {mostRecentQualityUpdateDate.Value:yyyy-MM-dd} is after MS14-068 release",
-                    OsVersion = operatingSystem,
-                    SeverityLevel = "No"
-                };
+                Trace.WriteLine($"[MS14-068] KB check inconclusive - no matching KB in list");
             }
 
             bool isCriticalFinalCheck = IsCriticalOperatingSystem(operatingSystem);
diff --git a/PingCastleCommon/Scanners/SmbHotFixVulnerabilityScanner.cs b/PingCastleCommon/Scanners/SmbHotFixVulnerabilityScanner.cs

Original file line number	Diff line number	Diff line change
`@@ -8,13 +8,11 @@ namespace PingCastle.Healthcheck`
`8`	`8`	`{`
`9`	`9`	`public class HotFixCollector : IHotFixCollector`
`10`	`10`	`{`
`11`		`- private readonly IHotfixService _cimService;`
`12`		`- private readonly IHotfixService _wmiService;`
	`11`	`+ private readonly IHotfixService _hotfixService;`
`13`	`12`
`14`		`- public HotFixCollector(IHotfixService cimService, IHotfixService wmiService)`
	`13`	`+ public HotFixCollector(IHotfixService hotfixService)`
`15`	`14`	`{`
`16`		`- _cimService = cimService ?? throw new System.ArgumentNullException(nameof(cimService));`
`17`		`- _wmiService = wmiService ?? throw new System.ArgumentNullException(nameof(wmiService));`
	`15`	`+ _hotfixService = hotfixService ?? throw new System.ArgumentNullException(nameof(hotfixService));`
`18`	`16`	`}`
`19`	`17`
`20`	`18`	`public HotfixQueryResult GetInstalledHotfixes(string hostName, bool isPrivilegedMode = true, CancellationToken cancellationToken = default)`
`@@ -35,36 +33,17 @@ public HotfixQueryResult GetInstalledHotfixes(string hostName, bool isPrivileged`
`35`	`33`	`return new HotfixQueryResult { Status = HotfixQueryStatus.ConnectionFailed, FailureReason = "Invalid hostname" };`
`36`	`34`	`}`
`37`	`35`
`38`		`- var cimResult = _cimService.TryGetInstalledHotfixes(hostName, ui, cancellationToken);`
`39`		`- if (cimResult.Status == HotfixQueryStatus.Success)`
	`36`	`+ var result = _hotfixService.TryGetInstalledHotfixes(hostName, ui, cancellationToken);`
	`37`	`+ if (result.Status == HotfixQueryStatus.Success)`
`40`	`38`	`{`
`41`		`- Trace.WriteLine($"CIM succeeded for {hostName.SanitizeForLog()} with {cimResult.KbNumbers.Count} hotfixes");`
`42`		`- return cimResult;`
	`39`	`+ Trace.WriteLine($"Retrieved {result.KbNumbers.Count} hotfixes from {hostName.SanitizeForLog()}");`
`43`	`40`	`}`
`44`		`-`
`45`		`- Trace.WriteLine($"CIM failed for {hostName.SanitizeForLog()} with status {cimResult.Status}: {cimResult.FailureReason}");`
`46`		`-`
`47`		`- if (cimResult.Status == HotfixQueryStatus.AccessDenied)`
`48`		`- {`
`49`		`- Trace.WriteLine($"Skipping WMI fallback for {hostName.SanitizeForLog()} - same credentials would fail");`
`50`		`- return cimResult;`
`51`		`- }`
`52`		`-`
`53`		`- if (cimResult.Status == HotfixQueryStatus.ConnectionFailed \|\| cimResult.Status == HotfixQueryStatus.Timeout \|\| cimResult.Status == HotfixQueryStatus.NoResults)`
	`41`	`+ else`
`54`	`42`	`{`
`55`		`- Trace.WriteLine($"Attempting WMI fallback for {hostName.SanitizeForLog()}");`
`56`		`- var wmiResult = _wmiService.TryGetInstalledHotfixes(hostName, ui, cancellationToken);`
`57`		`- if (wmiResult.Status == HotfixQueryStatus.Success)`
`58`		`- {`
`59`		`- Trace.WriteLine($"WMI fallback succeeded for {hostName.SanitizeForLog()} with {wmiResult.KbNumbers.Count} hotfixes");`
`60`		`- return wmiResult;`
`61`		`- }`
`62`		`-`
`63`		`- Trace.WriteLine($"WMI fallback also failed for {hostName.SanitizeForLog()} with status {wmiResult.Status}: {wmiResult.FailureReason}");`
`64`		`- return wmiResult;`
	`43`	`+ Trace.WriteLine($"Hotfix detection failed for {hostName.SanitizeForLog()} with status {result.Status}: {result.FailureReason}");`
`65`	`44`	`}`
`66`	`45`
`67`		`- return cimResult;`
	`46`	`+ return result;`
`68`	`47`	`}`
`69`	`48`	`}`
`70`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,12 +4,8 @@ namespace PingCastle.Healthcheck;`
`4`	`4`
`5`	`5`	`public static class HotFixCollectorFactory`
`6`	`6`	`{`
`7`		`- /// <summary>`
`8`		`- /// Creates a new instance of HotFixCollector with CIM as primary and WMI as fallback.`
`9`		`- /// </summary>`
`10`		`- /// <returns>A new HotFixCollector instance</returns>`
`11`	`7`	`public static HotFixCollector Create()`
`12`	`8`	`{`
`13`		`- return new HotFixCollector(new CimHotfixHelper(), new WmiHotfixHelper());`
	`9`	`+ return new HotFixCollector(new WmiHotfixHelper());`
`14`	`10`	`}`
`15`		`-}`
	`11`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`using System;`
`2`	`2`	`using System.Collections.Generic;`
`3`	`3`	`using System.Diagnostics;`
	`4`	`+using System.Globalization;`
`4`	`5`	`using System.Management;`
`5`	`6`	`using System.Text.RegularExpressions;`
`6`	`7`	`using System.Threading;`
`@@ -146,7 +147,8 @@ private bool TryGetHotfixesFromQuickFixEngineering(string hostName, HotfixQueryR`
`146`	`147`	`private static void CheckPostAlertQualityUpdate(ManagementObject obj, HotfixQueryResult result, DateTime alertCutoff)`
`147`	`148`	`{`
`148`	`149`	`var description = obj["Description"]?.ToString();`
`149`		`- if (!string.Equals(description, "Update", StringComparison.OrdinalIgnoreCase))`
	`150`	`+ if (!string.Equals(description, "Update", StringComparison.OrdinalIgnoreCase) &&`
	`151`	`+ !string.Equals(description, "Security Update", StringComparison.OrdinalIgnoreCase))`
`150`	`152`	`{`
`151`	`153`	`return;`
`152`	`154`	`}`
`@@ -157,7 +159,7 @@ private static void CheckPostAlertQualityUpdate(ManagementObject obj, HotfixQuer`
`157`	`159`	`return;`
`158`	`160`	`}`
`159`	`161`
`160`		`- if (DateTime.TryParse(installedOnStr, out var installedOn) && installedOn > alertCutoff)`
	`162`	`+ if (DateTime.TryParse(installedOnStr, CultureInfo.InvariantCulture, DateTimeStyles.None, out var installedOn) && installedOn > alertCutoff)`
`161`	`163`	`{`
`162`	`164`	`result.MostRecentQualityUpdateDate = installedOn;`
`163`	`165`	`}`