Just as the planet’s medical practitioners are battling an epidemic, security practitioners also find themselves struggling to prevent the spread of harmful viruses. (How’s that for a timely analogy? Too soon?)
Businesses that run Windows—so, pretty much every company around the world—may be faced with such a situation soon. This morning, Microsoft published a bulletin about a vulnerability that some researchers have nicknamed “EternalDarkness,” besmirching the name of the excellent 2002 psychological thriller video game for the Nintendo GameCube.
Sorry, back to the vulnerability. The issue is present in Windows services that use the SMBv3 protocol to exchange files and perform administrative functions. If you have a Windows machine, it’s really hard to operate without this service running and available to your local network segment.
This vulnerability is startling for a few reasons. One, there’s currently no patch available, although I’m sure Microsoft is working to develop one as I write this. Two, both SMBv3 servers and clients are vulnerable. Windows machines can be attacked both by simply sending unauthenticated exploit code to a listening service, and by convincing a user to open a malicious file share, an unprecedented method of attacking this service.
Three, we just got done telling everyone that SMBv1 and SMBv2 were unsafe for use and that SMBv3 is the best alternative (and to date there’s no SMBv4, sadly). Microsoft has published a workaround in their advisory: disabling compression on SMBv3, which mitigates the server-side issue but won’t address the client-side issue. Note that every Windows machine—workstation or server—runs both the client and server.
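The server-side workaround described above, as an added example that is not part of the original post: it reads the current state, applies the `DisableCompression` registry value that Microsoft’s advisory documents for the SMB server service, and verifies the result. It assumes an elevated PowerShell session on a Windows build that ships SMBv3 compression; the path and value name are the advisory’s, not the post’s.

```powershell
# Added example: apply and verify the SMBv3 server-side compression workaround.
# Assumes an elevated session. The registry location and value name are the
# ones Microsoft's advisory gives for the LanmanServer (SMB server) service.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Name = 'DisableCompression'

function Get-SmbCompressionState {
    # Returns 'Disabled' when the workaround is in place, 'Enabled' otherwise
    # (a missing value means compression is still on).
    $value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($value -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-SmbCompression {
    # Creates or overwrites the DWORD; no reboot is required for it to apply.
    Set-ItemProperty -Path $Path -Name $Name -Type DWORD -Value 1 -Force
}

"Before: SMBv3 server compression is $(Get-SmbCompressionState)"
if ((Get-SmbCompressionState) -eq 'Enabled') {
    Disable-SmbCompression
}
"After:  SMBv3 server compression is $(Get-SmbCompressionState)"

# This only protects the server role. The same host is still exposed whenever
# it acts as an SMB client, so keep TCP 445 unreachable from untrusted networks
# (review with Get-NetFirewallRule) and deploy the vendor patch once released.
```

Run it again after patching or imaging to confirm the value survived; removing the value (or setting it to 0) re-enables compression.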
We cannot overstate the severity of this issue. While no public exploit code exists yet, it will soon. Once it does, it will be widely distributed and then used by ransomware authors, cyber criminals, and nation-state attackers.
So what do we do as practitioners when there’s a vulnerability with no patch? We mitigate with compensating controls:
For more information on how CBTS can help keep your business secure, visit: https://www.cbts.com/infrastructure/security/
Just like with COVID-19, with a little discipline, focus, and smarts we can all get through this in one piece!