Microsoft patch legacy systems against further Shadow Brokers exploits

June 27, 2017 The Editors

Microsoft Security Advisory 4025685 [1] was released on Tuesday 13 June 2017 and quickly gathered a large amount of attention for fixing a significant number of SMB exploits in supported versions of Windows and for Microsoft's decision, once again, to provide patches for now-unsupported versions of their operating systems.

While Microsoft rate the SMB vulnerabilities as Important rather than Critical, it should be borne in mind that vulnerabilities within network services such as these are inherently 'wormable' as demonstrated by WannaCry's rapid spread via the exploitation of an SMB vulnerability just last month (see https://blogs.forcepoint.com/security-labs/wannacry-post-outbreak-analysis for a breakdown of how this propagation worked). This type of propagation method is particularly effective once malware is present within organisations, as systems such as firewalls and intrusion prevention systems are typically deployed on the boundary and are rarely used to monitor and block traffic between internal devices.

Older Versions & The Shadow Brokers Exploits

As noted above, Microsoft have repeated last months unusual decision to provide a patch for versions of their operating systems no longer in support including Windows XP, Windows Server 2003, and Windows Vista. Again, this decision is likely in part down to the requirement to patch older systems such as these against the MS17-010 SMB vulnerability (EternalBlue) during last month's WannaCry outbreak.

However, also patched on these older systems are the three remaining exploits previously released by the Shadow Brokers: EnglishmanDentist (CVE-2017-8487), EsteemAudit (CVE-2017-0176), and ExplodingCan (CVE-2017-7269). Microsoft had previously left these vulnerabilities un-patched as they were found not to affect any currently support versions of Windows.

Comment: The reason for patching these vulnerabilities and further rolling a number of other patches up for older platforms is unclear and represents an historically unusual decision, potentially suggesting that Microsoft have reason to believe that malicious actors are planning a campaign using one of the three leaked vulnerabilities listed above. While critical systems in major organisations are unlikely to be running on older versions of Windows, compromised systems are frequently used as staging points and relays in larger scale attacks.

The ExplodingCan exploit, for example, allows remote code execution on servers running IIS6.0 (typically Windows Server 2003 systems) with WebDAV enabled. Research conducted in March 2017 [2] suggested that approximately 60,000 devices globally are likely vulnerable to this exploit. With exploit code for this particular vulnerability having been published around the same time, this vulnerability presents a significant attack surface, especially for an actor seeking to build infrastructure for attacks against more valuable targets.

Conclusion

While there is no currently active attack on the scale of WannaCry, recommendations are in line with the advice given during the earlier outbreak:

  • Ensure that these and any other security updates are installed in a timely manner - it should be borne in mind that a patch for the vulnerability used by WannaCry had been available for nearly eight weeks at the time of the outbreak. Note that older systems for which patches have been provided but which are outside of Microsoft's official support period will not automatically update and require manual installation of the patches.
  • Ensure that you have email and web security that can block malicious emails, block intermediate download stages with Real Time Security Signatures (RTSS), and provide URL sandboxing for additional protection.
  • In line with Microsoft's guidance from 2016 [3], customers should consider disabling SMBv1 and other legacy protocols on all Windows systems [4] where this will not negatively impact the function of systems within the environment. If you are a Forcepoint customer please consult the following Knowledge Base Article to identify what course of action may be suitable for your product: https://support.forcepoint.com/KBArticle?id=000012832

As always, Forcepoint Security Labs will continue to monitor for attacks actively using any of the exploits mentioned above.

 

References & External Links

[1] https://technet.microsoft.com/en-us/library/security/4025685

[2] https://0patch.blogspot.co.uk/2017/03/0patching-immortal-cve-2017-7269.html

[3] https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

[4] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

 

This article was originally published here.

About the Author

The Editors

The Softchoice editorial team consists of industry professionals with range of cloud and IT services experience. Together they provide editorial oversight and creative direction for all hub content. To contact the editors, email azure@softchoice.com.

More Content by The Editors
Previous Article
TrickBot spread by Necurs Botnet, Adds Nordic Countries to its Targets
TrickBot spread by Necurs Botnet, Adds Nordic Countries to its Targets

At around 09:00 BST yesterday, Forcepoint Security Labs™ observed a significant malicious email campaign fr...

Next Article
Law Firms, Meet Your New Regulator: Your Clients
Law Firms, Meet Your New Regulator: Your Clients

Beyond the financial industry, other industries have offered up data breaches as a sacrifice that has fuele...