Kaushal Varshney

EternalBlue: 1000s of machines still vulnerable

Discussion created by Kaushal Varshney Employee on Jul 15, 2017
Latest reply on Jul 25, 2017 by Evan Dumas

EternalBlue is a software vulnerability in Microsoft's Windows operating system. It is the "Windows SMB Remote Code Execution Vulnerability", described in CVE-2017-144. The vulnerability exploits Microsoft Server Message Block 1.0 (SMBv1), a network file sharing protocol. It allows remote attackers to execute arbitrary code via crafted packets, as this vulnerable protocol allows applications on the Windows system to read and write to files and request various services that are on the same network. This vulnerability becomes even more lethal with its exposure over the Internet through TCP port 445; security research found over a million devices exposing SMB over TCP 445, which can thus be attacked from anywhere on the Internet.

Microsoft issued a critical security bulletin, MS17-010, on 14-March-2017, which included a patch for EternalBlue and other SMB-related CVEs. Even though this security patch for Windows was made available long before the WannaCry and Petya ransomware, many systems around the world remained unpatched and hence fell victim to these ransomware. Even after these security incidents, followed by an awareness drive, thousands of machines are still vulnerable to SMBv1 exposure. For large organizations with tens of thousands of hosts, it is extremely difficult to find vulnerable hosts; these are the blind spots in a business network. Security admins must continue to regularly scan for EternalBlue vulnerabilities, disable the SMBv1 protocol, and apply the latest patches. But there may be many more unknown vulnerabilities in this or other protocols: the zero-days.

Check Point SandBlast Zero-Day protection family of products protects organization against such zero-day attacks at network gateway, on the endpoint, and in the cloud. Learn more at SandBlast Zero-Day Protection | Check Point Software  

Jony Fischbein 
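The post recommends three things for each host: check whether it is still vulnerable, disable SMBv1, and apply the MS17-010 patch. The PowerShell script below is an added example (not part of the original post or any Check Point product) that does exactly that for the local host. It assumes Windows 8/Server 2012 or later (for the `SmbShare` and `NetTCPIP` cmdlets), an elevated session, and a KB list that I believe covers MS17-010 for common builds; that list is my assumption, not something the post states, so verify it against the bulletin before trusting the result.

```powershell
# Added example: local MS17-010 / SMBv1 exposure check and optional remediation.
# Assumptions (not from the original post): the KB list below is recalled from
# the MS17-010 bulletin and must be verified for your OS builds; later cumulative
# updates supersede these KBs, so a missing KB on Windows 10 is a prompt to check,
# not proof of vulnerability. Run elevated on Windows 8 / Server 2012 or later.

param(
    [switch]$Remediate   # when set, also switch SMBv1 off (server and client)
)

# Assumed KB identifiers for MS17-010 (Win7/2008R2, 8.1/2012R2, 2012, Win10 1507-1607).
$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')

$result = [ordered]@{
    ComputerName      = $env:COMPUTERNAME
    Smb1ServerEnabled = $null
    Smb1FeatureState  = $null
    Ms17010Installed  = $false
    Port445Listening  = $false
    Exposed           = $false
}

# 1. Is the SMBv1 server protocol switched on?
$srv = Get-SmbServerConfiguration
$result.Smb1ServerEnabled = [bool]$srv.EnableSMB1Protocol

# 2. Is the SMB1 optional feature installed at all? (absent on hardened images;
#    on Server SKUs this feature name may not exist, hence SilentlyContinue)
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$result.Smb1FeatureState = if ($feat) { [string]$feat.State } else { 'NotPresent' }

# 3. Does the host report any of the assumed MS17-010 KBs?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$result.Ms17010Installed = [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })

# 4. Is TCP 445 listening on a non-loopback address, i.e. reachable from the network?
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
$result.Port445Listening = [bool]$listeners

# The combination the post warns about: SMBv1 on, patch not seen, port reachable.
$result.Exposed = $result.Smb1ServerEnabled -and
                  (-not $result.Ms17010Installed) -and
                  $result.Port445Listening

[pscustomobject]$result

if ($Remediate -and $result.Smb1ServerEnabled) {
    # Disabling SMBv1 removes the EternalBlue attack surface regardless of patch state.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue

    # Client side: stop this host from speaking SMBv1 outbound as well
    # (the service-dependency change Microsoft documents for older builds).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
    Write-Output 'SMBv1 disabled; a reboot is required for the client-side change.'
}
```

Run it as `.\Check-Smb1.ps1` to report, or `.\Check-Smb1.ps1 -Remediate` to also disable SMBv1; for the fleet-wide blind-spot problem the post describes, run the report half through `Invoke-Command -ComputerName` against your host inventory and collect the `Exposed` column. The port check only tells you the service is bound, not that a firewall permits TCP 445 from the Internet, so pair it with an external view of what is actually reachable.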
