SMB Remote Code Execution Vulnerability

14/05/2017 15:15:21
SMB Remote Code Execution Vulnerability

SMB Remote Code Execution Vulnerability

Summary

In April, the Equation Group released data of three folders, as shown below: 

image.png

The windows folder contains some tools and vulnerability exploitation programs against the windows operating system. The Eternal Blue is in the windows folder and is name ETERNALBLUE.

Eternal Blue attacks Windows operating systems with port 445 enabled and escalate to system privileges. 

SMB(Microsoft Server Message Block Protocol) is a file sharing protocol for Microsoft. It is enabled by default in most Windows operating systems for such purposes of sharing files across computers, sharing printers across different computers, etc. 

445 port is a TCP port, which provides file or printer sharing service in the local area network. Attackers can establish connection with port 445 and can obtain all sorts of shared information in the designated local area network. 

Solution

1.Auto update or download patch for MS17-010. Addresses for patches are as follows: 

Windows Vista, Windows Server 2008    

http://www.catalog.update.microsoft.com/search.aspx?q=4012598

Windows 7, Windows Server 2008 R2     

http://www.catalog.update.microsoft.com/search.aspx?q=4012212

Windows 8.1, Windows Server 2012 R2   

http://www.catalog.update.microsoft.com/search.aspx?q=4012213

Windows RT 8.1

http://www.catalog.update.microsoft.com/search.aspx?q=4012216

Windows Server 2012 

http://www.catalog.update.microsoft.com/search.aspx?q=4012214

2.As for operating systems which do not have patches, Windows XP and Windows 2003, you may disable port 445 of SMB service. 

https://jingyan.baidu.com/article/d621e8da0abd192865913f1f.html

3.Sangfor NGFW has released security patches to defend against SMB vulnerability one month ago. You may upgrade to version 20170415 or above. 


Our Social Networks

Global Service Center:

COPYRIGHT © 2000-2017 SANGFOR TECHNOLOGIES INC. ALL RIGHTS RESERVED.