Microsoft locks down new vulnerability with EternalBlue echoes

Microsoft is rushing to get in front of a serious ‘wormable’ vulnerability in Microsoft’s Server Message Block 3.1.1 (SMBv3) that could give hackers the ability to remotely execute code on the target SMB server or client due to an error in how it handles compressed data packets.

Details of the vulnerability began to leak on 10 March and came through security supplier partners which get early access to vulnerability information.

This happened the same time as Microsoft published its monthly Patch Tuesday update on 10 March, but the vulnerability was not then mentioned in the update, raising questions among security professionals as to why Redmond did not include it in the monthly round of fixes.

In an advisory note, Microsoft said: “To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

Kieran Roberts, head of penetration testing at Bulletproof, said that the vulnerability was particularly serious because the at-risk SMB protocol is the same one that was vulnerable to the EternalBlue exploit that led to the WannaCry ransomware outbreak.

“It appears that this new vulnerability has several of the same hallmarks as EternalBlue. From the information we have, it appears that this new vulnerability is also ‘wormable’ – a worm is a piece of malware that is self-replicating, meaning that it can propagate throughout a network without help from a user. This means that this new vulnerability could result in a resurgence of ransomware attacks such as WannaCry and NotPetya,” he said.

“Currently, Microsoft do not have a patch for this and they have not commented on when one might be available. The only reason we know that this bug exists is because Microsoft included some details about this vulnerability in their Patch Tuesday details, but then they didn’t actually patch the problem.

“I expect this means that they intended to include this fix in the most recent patch, but when they didn’t make the deadline, they forgot to remove the information from the Patch Tuesday notes.”

The vulnerability is already going by a number of different names, including CoronaBlue, DeepBlue 3: Redmond Drift, EternalDarkness, NexternalBlue, and SMBGhost.

Tenable’s principal security engineer Satnam Narang said that comparisons to EternalBlue were certainly apt. “However, there is currently little information available about this new flaw, and the time and effort needed to produce a workable exploit is unknown,” he added.

“At this point, organisations would be wise to review and implement the workarounds Microsoft has provided and begin prioritising patch management for the flaw once patches are released,” he added.

The currently available workaround is to disable SMBv3 compression to block unauthenticated attackers from exploiting the vulnerability. This is a relatively simple matter of inputting a new PowerShell command, and no reboot should be needed, although users should note this workaround does not prevent exploitation of SMB clients.

Users can protect themselves further by blocking TCP port 445 at the enterprise perimeter firewall, which will protect systems behind the firewall from attempts to exploit the vulnerability, although this does not address attacks that might originate from within. Users should also follow existing Microsoft guidelines to prevent SMB traffic from leaving their enterprise environment.

Microsoft will update its advisory when further updates are available, and users can sign up for notifications if they wish. It is likely an out-of-sequence patch will be made available.