A critical Windows flaw with no patch…now what?

March 11, 2020
Justin Hall

Just as the planet’s medical practitioners are battling an epidemic, security practitioners also find themselves struggling to prevent the spread of harmful viruses. (How’s that for a timely analogy? Too soon?)

Businesses that run Windows—so, pretty much every company around the world—may be faced with such a situation soon. This morning, Microsoft published a bulletin about a vulnerability that some researchers have nicknamed “EternalDarkness,” besmirching the name of the excellent 2002 psychological thriller video game for the Nintendo GameCube.

Sorry, back to the vulnerability. The issue is present in Windows services that use the SMBv3 protocol to exchange files and perform administrative functions. If you have a Windows machine, it’s really hard to operate without this service running and available to your local network segment.

An unprecedented vulnerability

This vulnerability is startling for a few reasons. One, there’s currently no patch available, although I’m sure Microsoft is working to develop one as I write this. Two, both SMBv3 servers and clients are vulnerable. You can attack Windows machines both by simply sending unauthenticated exploit code to a listening service, and by convincing a user to open your malicious file share, an unprecedented method of attacking this service.

Three, we just got done telling everyone that SMBv1 and SMBv2 were unsafe for use and that SMBv3 is the best alternative (and to date there’s no SMBv4, sadly). Microsoft has published a workaround in their advisory: disabling compression on SMBv3, which mitigates the server-side issue but won’t address the client-side issue. Note that every Windows machine—workstation or server—runs both the client and server.

We cannot overstate the severity of this issue. While no public exploit code exists yet, it will soon. Once it does, it will be widely distributed and then used by ransomware authors, cyber criminals, and nation-state attackers.

What do we do when there’s no patch?

So what do we do as practitioners when there’s a vulnerability with no patch? We mitigate with compensating controls:

  • If you have endpoint protection solutions on your Windows workstations and servers, and they are capable of performing host-based intrusion prevention (for example, filtering malicious network traffic to the machine), ask the vendor to develop a signature to stop this exploit. Once it’s available, immediately distribute the signature to your entire environment.
  • Monitor for suspicious traffic at your perimeter.
  • Block unnecessary traffic between your network segments.
  • Use a host-based firewall to filter SMB traffic (port 445/TCP) between machines that don’t need to talk to each other, like other workstations. Better still, only allow 445/TCP traffic from workstations to necessary servers (such as domain controllers and file servers), and from servers to other necessary servers (application servers that require the protocol to talk to each other).
  • Most importantly, patch! Slam that F5 key on the Microsoft advisory website until you see a patch, and then distribute immediately to your environment.
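As an added example (not code from this post, from CBTS, or from Microsoft), here is how two of the controls above, the advisory's compression workaround described earlier and the host-based firewall bullet, can be applied on a single Windows workstation with PowerShell. The registry value is the one Microsoft's advisory gives for the workaround; every address range and rule name is a constructed placeholder for an assumed 10.0.0.0/8 internal network, and must be adapted to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the CBTS post or from Microsoft's advisory.
# Applies two compensating controls on one Windows workstation:
#   1. the advisory's workaround (disable SMBv3 compression on the server service)
#   2. host-based firewall rules limiting 445/TCP to necessary servers
# Every address and rule name below is a constructed placeholder.

# --- 1. Server-side workaround -------------------------------------------
# Registry value named in Microsoft's advisory for the workaround. It only
# removes the server-side exposure; the SMB client is unaffected by it.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name DisableCompression -Type DWord -Value 1 -Force
if ((Get-ItemProperty -Path $lanman -Name DisableCompression).DisableCompression -ne 1) {
    throw "DisableCompression was not applied"
}

# --- 2. Host-based firewall ----------------------------------------------
# Constructed address plan: internal space is 10.0.0.0/8, servers that
# legitimately speak SMB live in 10.0.0.0/24, workstations in 10.10.0.0/16.
$peerWorkstations = '10.10.0.0/16'
# Everything outside the internal space, written as two ranges because a
# firewall rule cannot say "all except 10.0.0.0/8".
$outsideInternal  = @('1.0.0.0-9.255.255.255', '11.0.0.0-223.255.255.255')

# Inbound: a workstation has no reason to serve SMB to anyone, so block
# 445/TCP from all sources. This covers the "exploit code sent to a
# listening service" path the post describes.
New-NetFirewallRule -DisplayName 'SMB in - block (compensating control)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any

# Outbound: the client-side path is a user being lured to a hostile share,
# so block 445/TCP to peer workstations and to the outside world. Windows
# Defender Firewall evaluates Block rules before Allow rules, so the block
# must be scoped to the unwanted destinations rather than paired as a
# broad block plus an allow for the approved servers.
New-NetFirewallRule -DisplayName 'SMB out - block peers and external' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress (@($peerWorkstations) + $outsideInternal) -Action Block -Profile Any

# Confirm the rules exist and that the profiles enforcing them are enabled.
Get-NetFirewallRule -DisplayName 'SMB *' | Select-Object DisplayName, Direction, Action, Enabled
Get-NetFirewallProfile | Select-Object Name, Enabled
```

The script is run once, elevated, on each workstation (or pushed the same way you distribute any other firewall policy). Servers in the assumed 10.0.0.0/24 range are never named in a block rule, so they stay reachable on 445/TCP; the design relies on scoping the block rules rather than on an allow rule because a matching Block rule wins over an Allow rule in Windows Defender Firewall. On file servers and domain controllers you would keep only the compression workaround and an inbound rule that admits 445/TCP from the segments that need it.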

For more information on how CBTS can help keep your business secure, visit: https://www.cbts.com/infrastructure/security/

Just like with COVID-19, with a little discipline, focus, and smarts we can all get through this in one piece!
