EternalBlue

The EternalBlue exploit is a serious exploit leaked by the ShadowBrokers group. It uses a vulnerability in the widely deployed Server Message Block (SMB) protocol version 1, which is mainly used for providing shared access to files, printers and serial ports, and for miscellaneous communication between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows.

The EternalBlue exploit allows anyone on the Internet to attack exposed SMB servers and run arbitrary code of their choice. This compromises the complete machine and the data stored on it; it also allows complete control over the victim's machine and network. An example of this is the WannaCry ransomware attack, which infected over 20.000 machines worldwide by spreading through vulnerable SMB servers.

Who is vulnerable in practice?

We have tested some of our own services from an attacker's point of view. We attacked ourselves from outside. Without using any privileged information or credentials we were able to infect and completely control the machine, its programs and its communication.

How to stop this?

As long as the vulnerable version of SMB is in use it can be abused. A patch by Microsoft has been released and now has to be deployed. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.


Q&A

What is the CVE-2017-0144?

CVE-2017-0144 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the standard for information security vulnerability names, maintained by MITRE.

Why is it called EternalBlue?

The exploit is called EternalBlue because this is the internal name used by the National Security Agency before it was leaked by the ShadowBrokers group.

What makes EternalBlue unique?

Bugs in a single piece of software or a library come and go and are fixed by new versions. However, this bug has been kept private by the National Security Agency in order to use it for surveillance. Considering the long exposure, the ease of exploitation and the fact that attacks leave no trace, this vulnerability should be taken seriously.

Am I affected by the bug?

You are likely to be affected either directly or indirectly. Microsoft Windows is one of the most popular operating systems. Your computer, your company's computers, or even government computers might be running vulnerable SMB servers.

What versions of Windows are affected?

Status of different versions:

  • Microsoft Windows 8 (without update KB4012598)
  • Microsoft Windows XP SP3 (without update KB4012598)
  • Microsoft Windows Vista (without update KB4012598)
  • Microsoft Windows Server 2008 (without update KB4012598)
  • Microsoft Windows Server 2003 for x64-based Systems (without update KB4012598)
  • Microsoft Windows 8 for x64-based Systems (without update KB4012598)
  • Microsoft Windows XP SP3 for XPe (without update KB4012598)
  • Microsoft Windows Server 2003 (without update KB4012598)
  • Microsoft Windows XP SP2 for x64-based Systems (without update KB4012598)
  • Microsoft Windows Vista for x64-based Systems (without update KB4012598)
  • Microsoft Windows Server 2008 for Itanium-based Systems (without update KB4012598)
  • Microsoft Windows Server 2008 for x64-based Systems (without update KB4012598)
  • Microsoft WES09 and POSReady 2009 (without update KB4012598)
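As an added example (not part of the original page), the following PowerShell check lets a defender see whether a Windows host is in the state the list above describes: SMBv1 enabled and update KB4012598 not installed. It assumes an elevated session; on releases that receive the fix only through cumulative updates, a missing KB4012598 on its own is not conclusive.

```powershell
# Added example, not the page's own tooling: report whether this host still
# exposes the SMBv1 service that EternalBlue (CVE-2017-0144) targets.
# Assumptions: elevated PowerShell; KB4012598 is the standalone update the page
# lists for older releases (newer releases get the fix in cumulative updates).

function Get-Smb1Exposure {
    $kb = 'KB4012598'

    # 1. Is the standalone security update installed?
    $kbInstalled = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

    # 2. Is the SMBv1 server protocol enabled?
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose this cmdlet.
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older releases: Microsoft's documented registry switch for SMBv1.
        # A missing value means the default, which is enabled.
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $value) -or ($value.SMB1 -ne 0)
    }

    # 3. Is TCP 445 listening, i.e. reachable by anything that can route here?
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                               -ErrorAction SilentlyContinue)
    } else {
        $listening445 = [bool](netstat -ano | Select-String ':445\s+.*LISTENING')
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        KB4012598     = $kbInstalled
        SMB1Enabled   = $smb1Enabled
        Port445Listen = $listening445
        # Exposed in the sense of the list above: SMBv1 on and no standalone fix.
        AtRisk        = $smb1Enabled -and -not $kbInstalled
    }
}

Get-Smb1Exposure | Format-List
```

A host reporting SMB1Enabled and Port445Listen as True should have SMBv1 disabled and the update installed regardless of the KB result, since the protocol itself is the attack surface.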

Can I detect if someone has exploited this against me?

Exploitation of this bug does not leave any abnormal trace in the logs.

Can IDS/IPS detect or block this attack?

Intrusion detection and prevention system (IDS/IPS) rules have been developed to detect use of the affected ports, such as TCP port 445 for SMB.

Has this been abused in the wild?

EternalBlue has been used in the wild by the WannaCry ransomware and the Adylkuzz malware.

Who found EternalBlue?

While it is currently unknown who found the bug behind the EternalBlue exploit, it is certain that it has been used by the National Security Agency, according to the ShadowBrokers group.


Page updated 2017-05-18 14:00 GMT+1.