[Solved] EternalBlue exploit for WannaCry 1CVE-2017-0144
Understanding CVE-2017-0144: EternalBlue Exploit and Its Role in the WannaCry Ransomware Attack
Introduction
CVE-2017-0144, widely known as EternalBlue, is a critical vulnerability in Microsoft’s Server Message Block (SMB) protocol. This exploit gained notoriety when it was used in the WannaCry ransomware attack, affecting hundreds of thousands of systems worldwide. This blog explains the EternalBlue vulnerability, its impact, the operating systems affected, and step-by-step guidance for mitigation, including a registry fix and PowerShell script.
What is EternalBlue?
EternalBlue is an exploit targeting a vulnerability in SMBv1 (SMB version 1.0), which is used for sharing files and printers over a network. Discovered by the NSA and later leaked by the Shadow Brokers group, EternalBlue enables remote code execution by exploiting improper handling of SMB requests.
Technical Details
The vulnerability (CVE-2017-0144) arises due to an integer overflow in the SMBv1 server component. When a specially crafted packet is sent, the overflow allows arbitrary code execution, granting attackers unauthorized access to the target system.
EternalBlue was pivotal in the WannaCry ransomware outbreak, which leveraged the exploit to propagate rapidly across networks, encrypting files and demanding ransom payments in Bitcoin.
Affected Operating Systems
The EternalBlue vulnerability affects the following Microsoft Windows operating systems:
Windows XP
Windows Vista
Windows 7
Windows 8
Windows 8.1
Windows 10 (prior to the patch)
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Note: Systems using SMBv1 and not patched after March 2017 are vulnerable.
How to Fix the Vulnerability
Step 1: Apply Microsoft Security Updates
Microsoft released security patches to address EternalBlue in March 2017 (MS17-010). Installing these updates is the most effective way to secure systems.
Visit the Microsoft Security Bulletin to find the relevant update for your system.
Use Windows Update or WSUS to deploy the patches across all affected devices.
Step 2: Disable SMBv1
Microsoft strongly recommends disabling SMBv1, as it is outdated and insecure. Disabling SMBv1 eliminates the attack vector exploited by EternalBlue.
Steps to Disable SMBv1 via Control Panel:
Open Control Panel > Programs > Programs and Features.
Click Turn Windows features on or off.
Scroll down to SMB 1.0/CIFS File Sharing Support and uncheck the box.
Click OK and restart your system.
Steps to Disable SMBv1 via PowerShell:
Run the following commands in an elevated PowerShell session:
# Disable SMBv1
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Verify SMBv1 is disabled
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Step 3: Registry Fix for SMBv1
For administrators managing multiple systems, disabling SMBv1 via the Windows Registry can be automated.
Open the Registry Editor:
Press Win + R, type regedit, and press Enter.
Navigate to the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Add or modify the following registry value:
Name: SMB1
Type: REG_DWORD
Value: 0
Restart the system for the changes to take effect.
Step 4: Network Segmentation and Firewall Configuration
Block SMB-related ports (e.g., TCP 445) at the network perimeter to prevent unauthorized access.
Use firewalls to restrict SMB traffic within your internal network.
Step 5: Validate the Fix
Run the following PowerShell command to ensure SMBv1 is disabled:
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
The status should show as Disabled.
PowerShell Script to Automate Mitigation
Use this script to disable SMBv1 and ensure all settings are properly configured:
# PowerShell Script to Disable SMBv1 and Mitigate EternalBlue Vulnerability
# Check if running as Administrator
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] “Administrator”)) {
Write-Host “Please run this script as Administrator.” -ForegroundColor Red
exit
}
# Disable SMBv1
try {
Write-Host “Disabling SMBv1…” -ForegroundColor Yellow
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable SMBv1 Client
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Write-Host “SMBv1 disabled successfully.” -ForegroundColor Green
} catch {
Write-Host “Error disabling SMBv1: $_” -ForegroundColor Red
}
# Block TCP Port 445 using Windows Firewall
try {
Write-Host “Blocking TCP Port 445…” -ForegroundColor Yellow
New-NetFirewallRule -DisplayName “Block SMB TCP 445” -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
Write-Host “TCP Port 445 blocked successfully.” -ForegroundColor Green
} catch {
Write-Host “Error blocking TCP Port 445: $_” -ForegroundColor Red
}
# Restart system to apply changes
Write-Host “Please restart your system to complete the mitigation process.” -ForegroundColor Cyan
Additional Best Practices
Patch Management:
Establish a robust patch management process to ensure timely application of security updates.
Enable Advanced Threat Protection:
Use tools like Microsoft Defender for Endpoint to detect and block exploitation attempts.
Conduct Security Audits:
Regularly review network and system configurations for vulnerabilities.
Educate Users:
Train employees on recognizing phishing attempts, which are often used to deliver ransomware payloads.