ETERNALBLUE: Windows SMBv1 Exploit (Patched)
Microsoft released a blog post outlining which patches address the vulnerabilities exploited by the various "Shadowbroker" exploits. According to the table Microsoft released, "ETERNALBLUE" was fixed by MS17-010, released in March. Interestingly, MS17-010 listed all of its vulnerabilities as "not used in exploits", and Microsoft's acknowledgement page does not list a source for the vulnerability disclosure.
We decided to keep our "Infocon" at Green in light of the availability of a patch.
To protect yourself from this exploit, you can also disable SMBv1 (see this Microsoft KB article for details) and make sure you are blocking port 445.
A Snort rule for ETERNALBLUE was released by Cisco as part of the "registered" rule set; check for SID 41978.
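The two host-side mitigations above (disable SMBv1, block inbound TCP/445) as an added PowerShell example; this is not code from the diary or from Microsoft. It assumes an elevated session, the Smb*/NetFirewall cmdlets of Windows 8 / Server 2012 and later, and falls back to the LanmanServer registry value and netsh on Windows 7 / Server 2008 R2; the function names are hypothetical.

```powershell
# Added example: audit and harden a host against SMBv1 attacks by disabling
# SMBv1 and blocking inbound TCP/445. Run from an elevated PowerShell prompt.
# Helper names are hypothetical; nothing here is Microsoft's own tooling.
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: SMBv1 is on unless the SMB1 value is explicitly 0.
    $v = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry method for older hosts; takes effect after a reboot.
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

function Block-InboundSmb {
    $name = 'Block inbound SMB TCP/445 (ETERNALBLUE mitigation)'
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
    } else {
        # Windows 7 has no NetSecurity module; use netsh instead.
        netsh advfirewall firewall add rule name="$name" dir=in action=block `
            protocol=TCP localport=445 | Out-Null
    }
}

if (Get-Smb1Enabled) {
    Write-Host 'SMBv1 is enabled; disabling it.'
    Disable-Smb1
} else {
    Write-Host 'SMBv1 is already disabled.'
}
Block-InboundSmb
Write-Host 'Inbound TCP/445 is blocked; this host no longer serves file shares.'
```

Blocking 445 on a file server breaks its shares, so scope the rule to the hosts where that is acceptable and rely on the network perimeter block elsewhere.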
-----
Shadowbroker, as part of the set of exploits it collected and had offered for auction, today released a number of Windows-related exploits. One that looks particularly interesting, as it promises an exploit via SMB for Windows hosts up to Windows 8 and Windows Server 2012, was published under the name "ETERNALBLUE".
Right now, I haven't been able to make it fully work yet, but I was able to collect some packets sent to a Windows 7 system. By default, the exploit makes three attempts to attack a system. An XML file accompanying the exploit allows the attacker to configure various parameters.
In general, an SMB exploit *should* not be all that exciting these days, as blocking port 445 is standard best practice. I am attaching a link to a packet capture below to allow you to analyze it further. In the packet capture, the vulnerable host's IP address is 10.128.0.243.
After repeated attempts, the Windows 7 host crashed.
pcap: https://isc.sans.edu/diaryimages/eternalblue.pcap
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute