WannaCry Patch for WPT Agents

Hi Pat

We use WebPageTest Private Instance at our organisation (such a great tool it would be silly not to). We are using the latest version of Private Instance (3.0) which creates test agents on demand and auto updates itself. In light of recent Windows threat are you expecting to upgrade the amis to get them patched up in near or distant future?

I know WebPageTest Agents are isolated and stateless windows machines and so long as we have proper firewall rules in place I can’t think of any scenarios where
a) being locked out from web page test agent or
b) test agent can be used to infect another machine

would not be a concern especially when they get autoscaled (down) eventually. So only reason I ask this is to satisfy our security manager.

I may update the AMI’s to get updates and in particular to update the root certificate stores but not specifically for WannaCrypt. The agents don’t need SMB access of any kind and really don’t need inbound connections and by default should be launched with firewall rules that don’t allow any external access at all (only outbound requests). They are also configured so that the only things active on the interface are IPv4 and dummynet (though not sure that not having file sharing enabled makes a difference).

Unless you explicitly open inbound ports for SMB on your agents there should be no infection vector.

If they do get infected, there’s nothing in the config to get them to not spread the worm.

As far as operation goes, I’m not sure what it would do to a running agent if it got compromised. As best as I can tell, tests would probably continue to run and may even work if the temporary zip file and images (for the filmstrip) don’t get encrypted before they get uploaded.