Kaspersky Threats

Detect date

?

03/14/2017

Severity

?

Critical

Description

Multiple serious vulnerabilities have been found in Microsoft Server Message Block 1.0(SMBv1). Malicious users can exploit these vulnerabilities to execute arbitrary code or obtain sensitive information.

Below is a complete list of vulnerabilities:

An improper handling of certain requests can be exploited remotely by an unauthenticated attacker via specially designed packets to execute code on the target server;
An improper handling of certain requests can be exploited remotely by an unauthenticated attacker via specially designed packets to execute code to obtain sensitive information from the server.

Technical details

Successful exploitation of these vulnerabilities can trigger WannaCry attack.

In case of WannaCry attack, EternalBlue modules are used to begin exploiting SMB vulnerabilities; if an attempt of exploit is successful, the DoblePulsar backdoor is used to install the malware.

Both SMBv1 and SMBv2 packets can be used in WannaCry attack, so disabling them can prevent the operational system from being infected. It is highly recommended to disable SMBv1, because this old protocol doesn’t have any significant impacts on modern operational systems. Disabling SMBv2 can cause serious problems.

For more details see Securelist article.

Users of Windows XP, Windows 8 and Windows server 2003 should read Customer Guidance for WannaCrypt attacks from Microsoft.

Note that Windows 10 and Windows Server 2016 are not affected by the WannaCry attack.

Affected products

Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Embedded Service Pack 3
Microsoft Windows Vista Service Pack 2
Microsoft Windows 7 Service Pack 1
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows RT 8.1
Microsoft Windows 10
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2008 Service Pack 2
Microsoft Windows Server 2008 R2 Service Pack 1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2016

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Original advisories

Customer Guidance for WannaCrypt attacks
Securelist
MS17-010
CVE-2017-0143
CVE-2017-0144
CVE-2017-0145
CVE-2017-0146
CVE-2017-0147
CVE-2017-0148

Impacts

?

ACE

[?]

OSI

[?]

DoS

[?]

SB

[?]

PE

[?]

CVE-IDS

?

CVE-2017-01439.3Critical
CVE-2017-01449.3Critical
CVE-2017-01459.3Critical
CVE-2017-01469.3Critical
CVE-2017-01474.3Critical
CVE-2017-01489.3Critical

Microsoft official advisories

Microsoft Security Update Guide

KB list

4012217
4012215
4012216
4012606
4013198
4013429
4012212
4012214
4012213
4012598

Detect date ?	03/14/2017
Severity ?	Critical
Description	Multiple serious vulnerabilities have been found in Microsoft Server Message Block 1.0(SMBv1). Malicious users can exploit these vulnerabilities to execute arbitrary code or obtain sensitive information. Below is a complete list of vulnerabilities: An improper handling of certain requests can be exploited remotely by an unauthenticated attacker via specially designed packets to execute code on the target server; An improper handling of certain requests can be exploited remotely by an unauthenticated attacker via specially designed packets to execute code to obtain sensitive information from the server. Technical details Successful exploitation of these vulnerabilities can trigger WannaCry attack. In case of WannaCry attack, EternalBlue modules are used to begin exploiting SMB vulnerabilities; if an attempt of exploit is successful, the DoblePulsar backdoor is used to install the malware. Both SMBv1 and SMBv2 packets can be used in WannaCry attack, so disabling them can prevent the operational system from being infected. It is highly recommended to disable SMBv1, because this old protocol doesn’t have any significant impacts on modern operational systems. Disabling SMBv2 can cause serious problems. For more details see Securelist article. Users of Windows XP, Windows 8 and Windows server 2003 should read Customer Guidance for WannaCrypt attacks from Microsoft. Note that Windows 10 and Windows Server 2016 are not affected by the WannaCry attack.
Affected products	Microsoft Windows XP Service Pack 2 Microsoft Windows XP Service Pack 3 Microsoft Windows XP Embedded Service Pack 3 Microsoft Windows Vista Service Pack 2 Microsoft Windows 7 Service Pack 1 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows RT 8.1 Microsoft Windows 10 Microsoft Windows Server 2003 Service Pack 2 Microsoft Windows Server 2008 Service Pack 2 Microsoft Windows Server 2008 R2 Service Pack 1 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 Microsoft Windows Server 2016
Solution	Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)
Original advisories	Customer Guidance for WannaCrypt attacks Securelist MS17-010 CVE-2017-0143 CVE-2017-0144 CVE-2017-0145 CVE-2017-0146 CVE-2017-0147 CVE-2017-0148
Impacts ?	ACE [?] OSI [?] DoS [?] SB [?] PE [?]
CVE-IDS ?	CVE-2017-01439.3Critical CVE-2017-01449.3Critical CVE-2017-01459.3Critical CVE-2017-01469.3Critical CVE-2017-01474.3Critical CVE-2017-01489.3Critical
Microsoft official advisories	Microsoft Security Update Guide
KB list	4012217 4012215 4012216 4012606 4013198 4013429 4012212 4012214 4012213 4012598