How To Deal With Exploit EternalBlue (CVE-2017-0146/MS17-010)

Introduction

In 2017 a critical vulnerability named EternalBlue was publicly disclosed in the Microsoft Windows OS. It allows an intruder who can reach port 445 (SMB) over the network to run code of their choosing on the vulnerable system. The vulnerability had been used by the CIA before its public disclosure; after the disclosure, its exploit code became available to malware writers.

Microsoft released a patch for the affected Windows versions at the time, and after a while even released out-of-band patches for Windows XP and Server 2003, whose support had already expired. But because the exploit code is freely available and most users have not installed the patch, we continue to see widespread attacks through this vulnerability, and most network malware and worms also use it to spread.

Solutions

The following will be discussed below:

  1. How to test our system/network for vulnerability
  2. The main solutions to fixing the vulnerability
  3. Temporary and alternative solutions
  4. How to reduce risk in a network

This vulnerability is detected and prevented in Padvish IPS as WannaCry and CVE.2017.0146.

Vulnerability test: is my system vulnerable?

Method for testing a system

You can use the following script to test whether a system is vulnerable:

  1. Download the check-eternalblue.ps1 script (this script is provided by Microsoft).
  2. After running it, the green message "System is patched" shows that your system is not vulnerable to this exploit.
    • This script only checks whether the patch is installed; always keep your system updated anyway.
  3. If you instead see the red message "System is Not Patched", refer to the solutions section, then download and install the update.

To run this script you need PowerShell 2.0 or higher on your system. To test older Windows versions, use the other methods described on the Microsoft site.
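The check below is an added example and is not the check-eternalblue.ps1 script the article refers to. It gathers the three signals a defender would look at on one host: whether SMBv1 is still enabled (the registry value described later in this article, or the newer Get-SmbServerConfiguration cmdlet where it exists), the version of the SMB server driver srv.sys for comparison with the fixed versions listed in the MS17-010 bulletin, and whether any of the original MS17-010 packages is installed. The KB list is an assumption: it is a partial list of MS17-010 packages (Windows 7/2008 R2, Windows 8.1/2012 R2, and the out-of-band package for XP/2003/Vista/2008/8) and must be completed from the bulletin for your own Windows version; later cumulative updates supersede these packages, so "none found" is only a hint. Function and property names are this example's own. Run it in an elevated PowerShell 3.0 or later session.

```powershell
function Get-Ms17010Status {
    # Added example; the function name and output shape are this example's own choices.
    [CmdletBinding()]
    param(
        # Partial, assumed list of MS17-010 packages; complete it from the bulletin.
        [string[]]$KnownKbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012598')
    )

    # 1. Is SMBv1 still enabled on the server side? The registry value is the one the
    #    article describes; Get-SmbServerConfiguration exists on Windows 8 / 2012 and later.
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $regValue = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } elseif ($null -ne $regValue) {
        $smb1Enabled = ($regValue -ne 0)
    } else {
        $smb1Enabled = $true   # no explicit setting: SMBv1 is on by default on older Windows
    }

    # 2. Version and timestamp of the SMB server driver; compare them with the bulletin.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $srvVersion  = if ($srv) { $srv.VersionInfo.FileVersion } else { 'not found' }
    $srvModified = if ($srv) { $srv.LastWriteTime } else { $null }

    # 3. Are any of the original MS17-010 packages installed? Later cumulative updates
    #    supersede them, so an empty result is a hint, not proof that the patch is missing.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KnownKbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Smb1Enabled     = $smb1Enabled
        SrvSysVersion   = $srvVersion
        SrvSysModified  = $srvModified
        Ms17010KbsFound = @($installed)
    }
}

Get-Ms17010Status | Format-List
```

A host with Smb1Enabled = True and no recent srv.sys should be treated as exposed until the bulletin check confirms otherwise; the two remediation sections later in this article show how to change the SMBv1 setting.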

Testing the whole network (for network managers)

In this method, all systems on the network are tested for the presence or absence of the vulnerability. Here the Nmap script smb-vuln-ms17-010 is used to scan for it:

  1. Choose a system that has access to port 445 of the other systems.
  2. Download and install the Nmap software (version 7.70 or higher).
  3. Run the following command in the Windows command line:
    • nmap -Pn -sS -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse --script-args vulns.short -v <ip-address-range> | findstr "VULNERABLE smb-vuln-ms17-010: report"
    • Replace <ip-address-range> with your desired IP range, such as 192.168.1.0/24.

Note that this method performs a simulated pre-attack, which may be detected and blocked by the security systems in your network.

So, before running it, make sure your firewall and network settings give you this access. Also, if you have an IPS in your network, or your anti-virus has such a feature, configure them to allow the scan from the chosen system, so that the results are reliable and no systems are missed.
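The following is an added example, not part of the original article: it runs the same smb-vuln-ms17-010 scan but saves Nmap's XML report and parses it, so the result is a list of vulnerable hosts rather than lines filtered with findstr. It assumes nmap.exe is on the PATH, that the scanning host has the network and IPS exceptions described above, and that the session is elevated (the -sS SYN scan needs Npcap with administrator rights). The function names are this example's own, and the sample XML at the end is constructed so the parser can be tried without scanning anything.

```powershell
function Invoke-Ms17010Scan {
    # Added example: same scan as the article's command, with XML output saved for parsing.
    param(
        [Parameter(Mandatory)] [string]$Targets,   # e.g. 192.168.1.0/24 on your own network
        [string]$XmlPath = (Join-Path $env:TEMP 'ms17-010-scan.xml')
    )
    & nmap -Pn -sS -p445 --open --max-hostgroup 3 `
        --script smb-vuln-ms17-010.nse --script-args vulns.short -oX $XmlPath $Targets | Out-Null
    return $XmlPath
}

function Get-VulnerableHostsFromNmapXml {
    # Added example: return one object per host that smb-vuln-ms17-010 reported as VULNERABLE.
    param([Parameter(Mandatory)] [string]$XmlPath)
    [xml]$report = Get-Content -Path $XmlPath -Raw
    foreach ($h in $report.nmaprun.host) {
        # smb-vuln-ms17-010 is a host script, so its result sits under <hostscript>.
        $result = $h.hostscript.script | Where-Object { $_.id -eq 'smb-vuln-ms17-010' }
        if (-not $result) { continue }
        # The vulns library writes <elem key="state">VULNERABLE</elem> for each finding.
        $states = $result.SelectNodes(".//elem[@key='state']") | ForEach-Object { $_.InnerText }
        if ($states -contains 'VULNERABLE') {
            $ip = ($h.address | Where-Object { $_.addrtype -eq 'ipv4' }).addr
            [pscustomobject]@{ Address = $ip; Script = $result.id; State = 'VULNERABLE' }
        }
    }
}

# Constructed sample report (two hosts, one vulnerable) so the parser runs offline.
$sampleXml = @'
<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript><script id="smb-vuln-ms17-010" output="VULNERABLE">
      <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table>
    </script></hostscript></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <hostscript><script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
      <table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table>
    </script></hostscript></host>
</nmaprun>
'@
$samplePath = Join-Path $env:TEMP 'ms17-010-sample.xml'
Set-Content -Path $samplePath -Value $sampleXml
Get-VulnerableHostsFromNmapXml -XmlPath $samplePath   # lists only 192.0.2.10

# Real use on your own range: Get-VulnerableHostsFromNmapXml -XmlPath (Invoke-Ms17010Scan -Targets '192.168.1.0/24')
```

Keeping the XML report also gives you a dated record of which hosts were still unpatched, which is useful when following up the remediation across the network.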

The main solution against infection (installing the update)

If your system is vulnerable, it is necessary to update your Windows.

Naturally, we recommend always installing all security patches and keeping the system updated. The best way to do this is to enable Windows automatic updates. But for users who are not connected to the internet, or whose Windows Update is not enabled for any reason, the following method of installing the update is recommended:

  1. Go to the MS17-010 page on the Microsoft website.
  2. Choose your Windows version number carefully from the provided table.
    • For example, if you have Windows 10, you should choose the proper package depending on whether the system is 32-bit or 64-bit and whether the build is 1511 or 1607. You can view your Windows version by pressing Win+R and running the msinfo32 application.
    • If you are unsure about your Windows version, you can download several updates and try them all.
  3. After finding your Windows version number, click on it (for example, Windows 7 for 32-bit systems, Service Pack 1).
  4. On the new page, find your Windows name again and download the relevant item.
  5. Then install the file on your Windows and restart the system if necessary.
  6. Note: to update Windows 8, XP, and Server 2003, use this link.

Temporary and alternative solutions

If you cannot install the patch, you can temporarily use the following methods to reduce the risk of infection.

How to turn off Windows File Sharing

The proper method is to update your Windows. But for people who cannot update their Windows for any reason, turning off File Sharing is a temporary option.

Naturally, you will lose some Windows capabilities, but for many users these capabilities go unused. Even if you install the update, it is good to turn off Windows File Sharing if you do not use it.

What is this mechanism?

This mechanism is used for transferring files between two systems on a network. For instance, if you want to access your system from another system, using File Sharing or a Shared Folder is the first method that comes to mind. The mechanism is also used for sharing printers on the network, so that other computers can use your system's printer.

Note that if this option is disabled, you can still view and use other systems' shared printers and folders, but others will be unable to view the shared folders and printers on your system.

If you use none of these, you can disable File Sharing as follows:

  • For Windows XP: go to the Windows Control Panel and choose Network Connections.
  • For Windows 7 and higher: open the Start menu, search for View Network Connections, and open it.
  • In the window that opens, right-click on each active network card and choose Properties.
  • In the next window, disable File and Printer Sharing.

Note that disabling this option is only a temporary measure; you must still update your system.
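The same "File and Printer Sharing" switch, as an added example that is not part of the original article: it uses the NetAdapter cmdlets (Windows 8 / Server 2012 and later) so the binding can be audited and turned off on every active adapter at once instead of clicking through each adapter's Properties window. ms_server is the component ID of "File and Printer Sharing for Microsoft Networks"; the client-side binding (ms_msclient) is left alone, which matches the note above that you can still reach other systems' shares. The function names are this example's own; run it elevated.

```powershell
function Get-FileSharingBindingState {
    # Added example: show whether File and Printer Sharing is bound on each active adapter.
    Get-NetAdapter | Where-Object Status -eq 'Up' |
        Get-NetAdapterBinding -ComponentID ms_server |
        Select-Object Name, DisplayName, Enabled
}

function Disable-FileSharingBinding {
    # Added example: unbind File and Printer Sharing from every active adapter.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Disable File and Printer Sharing binding')) {
            Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_server
        }
    }
}

Get-FileSharingBindingState          # audit first: Enabled = True means the host offers shares
Disable-FileSharingBinding -WhatIf   # dry run; drop -WhatIf to apply
Get-FileSharingBindingState          # confirm Enabled is now False on every active adapter
```

Enable-NetAdapterBinding with the same component ID reverses the change once the host has been patched and sharing is needed again.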

How to disable SMBv1 protocol

Instead of disabling File Sharing completely, you can disable only version 1 of the SMB protocol, which is the version affected by this vulnerability. With this method, only Windows Server 2003, XP, and earlier systems will lose their File and Printer Sharing connection. Also, if there is an SMB connection with old Linux systems, that connection may be broken.

  1. Open the regedit program.
  2. Find and open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
  3. In the right pane, look for a value named SMB1; if it does not exist, create a new value with that name and of DWORD type.
  4. Set its value to 0.
  5. Restart the system (no changes are applied until the system is restarted).

This can also be done with Group Policy, from the path Computer Configuration\Preferences\Windows Settings\Registry; it is enough to set the registry value as above. Note that with this method you must first make sure the Group Policy has been applied to the client, and then restart the system so the change takes effect (Group Policy is typically refreshed every twenty minutes).
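The registry change above, scripted, as an added example that is not part of the original article. The New-ItemProperty call writes exactly the SMB1 = 0 DWORD the steps describe (creating the value if it is missing); on Windows 8 / Server 2012 and later the Set-SmbServerConfiguration cmdlet sets the same switch through the supported interface, and on Windows 8.1 / 10 and later the SMB1Protocol optional feature can be removed entirely. Each step is skipped where its cmdlet does not exist, so the script runs on older Windows as well. The function names are this example's own; run it elevated, and a restart is still required.

```powershell
function Disable-Smb1Server {
    # Added example: disable SMBv1 on the server side via registry, SMB cmdlet and feature removal.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    if ($PSCmdlet.ShouldProcess($regPath, 'Set SMB1 = 0 (DWORD)')) {
        # -Force creates the value if it is missing and overwrites it if it exists.
        New-ItemProperty -Path $regPath -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    }

    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('LanmanServer', 'Set EnableSMB1Protocol to $false')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    }

    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('SMB1Protocol', 'Remove Windows optional feature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
                -ErrorAction SilentlyContinue | Out-Null
        }
    }
}

function Test-Smb1Disabled {
    # Added example: read back both the registry value and, where available, the SMB cmdlet view.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $cfg = if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else { $null }
    [pscustomobject]@{ RegistrySmb1 = $reg; EnableSMB1Protocol = $cfg }
}

Disable-Smb1Server -WhatIf   # dry run; drop -WhatIf to apply, then restart the system
Test-Smb1Disabled            # expect RegistrySmb1 = 0 and EnableSMB1Protocol = False
```

When the change is rolled out through the Group Policy registry preference described above, Test-Smb1Disabled run on a client is a quick way to confirm the policy has actually been applied before the restart.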

How to reduce risk in a network

To reduce the risk of this vulnerability, the following measures are generally recommended at the network infrastructure level:

  1. Divide clients into VLANs, so that the clients of each department are in a dedicated VLAN according to the access level they need.
  2. Also divide servers into VLANs, so that servers with different applications are in separate segments. In particular, separate internet-connected servers from those that are not, and put servers reachable from the internet in their own VLAN.
  3. Adjust network policies so that unrelated clients do not see each other.
  4. Adjust policies so that connections between VLANs are allowed only on the necessary ports and protocols, and other protocols are blocked.
  5. Install an anti-virus with an IPS component and make sure it is working across the network.
  6. Follow up on reports from the anti-virus systems to detect infected clients and disinfect them (in the Padvish console you can find the attackers' IP list under Custom Report\IDS-Top Sources of Attack).