Just as the planet's medical practitioners are battling an
epidemic, security practitioners also find themselves struggling to prevent the
spread of harmful viruses. (How's that for a timely analogy? Too soon?)
Businesses that run Windows—so, pretty much every company around the world—may be faced with such a situation soon. This morning, Microsoft published a bulletin about a vulnerability that some researchers have nicknamed "EternalDarkness," besmirching the name of the excellent 2002 psychological thriller video game for the Nintendo GameCube.
Sorry, back to the vulnerability. The issue is present in
Windows services that use the SMBv3 protocol to exchange files and perform
administrative functions. If you have a Windows machine, it's really hard to
operate without this service running and available to your local network
segment.
An unprecedented vulnerability
This vulnerability is startling for a few reasons. One,
there's currently no patch available, although I'm sure Microsoft is working to
develop one as I write this. Two, both SMBv3 servers and clients are vulnerable. You can attack Windows machines both by
simply sending unauthenticated exploit code to a listening service, and by
convincing a user to open your malicious file share, an unprecedented method of
attacking this service.
Three, we just got done telling everyone that SMBv1 and
SMBv2 were unsafe for use and that SMBv3 is the best alternative (and to date
there's no SMBv4, sadly). Microsoft has published a workaround in their advisory:
disabling compression on SMBv3, which mitigates the server-side issue but won't
address the client-side issue. Note that every Windows machine—workstation or
server—runs both the client and server.
We cannot overstate the severity of this issue. While no
public exploit code exists yet, it will soon. Once it does, it will be widely
distributed and then used by ransomware authors, cyber criminals, and
nation-state attackers.
What do we do when there’s no patch?
So what do we do as practitioners when there's a
vulnerability with no patch? We mitigate with compensating controls:
- If you have endpoint protection solutions on your Windows workstations and servers, and they are capable of performing host-based intrusion prevention (for example, filtering malicious network traffic to the machine), ask the vendor to develop a signature to stop this exploit. Once it's available, immediately distribute the signature to your entire environment.
- Monitor for suspicious traffic at your perimeter.
- Block unnecessary traffic between your network segments.
- Use a host-based firewall to filter SMB traffic (port 445/TCP) between machines that don't need to talk to each other, like other workstations. Better still, only allow 445/TCP traffic from workstations to necessary servers (such as domain controllers and file servers), and from servers to other necessary servers (application servers that require the protocol to talk to each other).
- Most importantly, patch! Slam that F5 key on the Microsoft advisory website until you see a patch, and then distribute immediately to your environment.
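As an added example (not from the original post or from Microsoft), here is a PowerShell script that audits two of the compensating controls above on a Windows host and, with `-Apply`, puts them in place: the server-side workaround of disabling SMBv3 compression (the DisableCompression DWORD under LanmanServer\Parameters that Microsoft's advisory names), and a host-firewall rule that blocks inbound 445/TCP from peer workstations. The workstation subnet is a placeholder you must replace with your own.

```powershell
# Added example, not part of the original post. Audits (and optionally applies)
# two compensating controls for the SMBv3 issue: disable SMBv3 compression on the
# server side, and block inbound SMB from other workstations with the host firewall.
param(
    [switch]$Apply,
    # Placeholder: the address ranges of your workstations, which have no
    # business speaking SMB to each other. Replace for your environment.
    [string[]]$WorkstationSubnets = @('10.10.0.0/16')
)

$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-SmbCompressionDisabled {
    # Microsoft's advisory workaround sets DisableCompression = 1 (DWORD) here.
    # A missing value means compression is still enabled.
    $prop = Get-ItemProperty -Path $lanmanKey -Name DisableCompression -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.DisableCompression -eq 1)
}

function Test-SmbBlockRulePresent {
    # True if any enabled inbound block rule covers local port 445/TCP.
    # Block rules win over allow rules in Windows Firewall, so such a rule
    # overrides the built-in "File and Printer Sharing (SMB-In)" allow rule.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Block -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }
    return [bool]$rules
}

if (Test-SmbCompressionDisabled) {
    Write-Output 'OK: SMBv3 compression is disabled (server-side workaround in place).'
} else {
    Write-Warning 'SMBv3 compression is still enabled; the server-side workaround is not applied.'
    if ($Apply) {
        Set-ItemProperty -Path $lanmanKey -Name DisableCompression -Type DWORD -Value 1 -Force
        Write-Output 'Applied: DisableCompression = 1.'
    }
}

if (Test-SmbBlockRulePresent) {
    Write-Output 'OK: an inbound block rule for 445/TCP exists.'
} else {
    Write-Warning 'No inbound block rule for 445/TCP found; workstation-to-workstation SMB is allowed.'
    if ($Apply) {
        # Block SMB only from the workstation ranges, so servers that legitimately
        # need the protocol (domain controllers, file servers) are unaffected.
        New-NetFirewallRule -DisplayName 'SMB-445-Block-From-Workstations' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -RemoteAddress $WorkstationSubnets -Action Block | Out-Null
        Write-Output 'Applied: inbound 445/TCP blocked from workstation subnets.'
    }
}
```

Run it without `-Apply` first in an elevated PowerShell session to see which controls are missing; the compression workaround does nothing for the client-side issue, as the post notes, so the patch remains the only complete fix.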
For more information on how CBTS can help keep your business secure, visit: Security
Just like with COVID-19, with a little discipline, focus, and smarts we can all get through this in one piece!
