[Solved] EternalBlue exploit for WannaCry 1CVE-2017-0144

EternalBlue exploit for WannaCry CVE-2017-0144​.generate image related in 16:9 ratio. dont write text on it

Understanding CVE-2017-0144: EternalBlue Exploit and Its Role in the WannaCry Ransomware Attack

 

Introduction

CVE-2017-0144, widely known as EternalBlue, is a critical vulnerability in Microsoft’s Server Message Block (SMB) protocol. This exploit gained notoriety when it was used in the WannaCry ransomware attack, affecting hundreds of thousands of systems worldwide. This blog explains the EternalBlue vulnerability, its impact, the operating systems affected, and step-by-step guidance for mitigation, including a registry fix and PowerShell script.

What is EternalBlue?

EternalBlue is an exploit targeting a vulnerability in SMBv1 (SMB version 1.0), which is used for sharing files and printers over a network. Discovered by the NSA and later leaked by the Shadow Brokers group, EternalBlue enables remote code execution by exploiting improper handling of SMB requests.

 

Technical Details

The vulnerability (CVE-2017-0144) arises due to an integer overflow in the SMBv1 server component. When a specially crafted packet is sent, the overflow allows arbitrary code execution, granting attackers unauthorized access to the target system.

EternalBlue was pivotal in the WannaCry ransomware outbreak, which leveraged the exploit to propagate rapidly across networks, encrypting files and demanding ransom payments in Bitcoin.

 

Affected Operating Systems

The EternalBlue vulnerability affects the following Microsoft Windows operating systems:

Windows XP

Windows Vista

Windows 7

Windows 8

Windows 8.1

Windows 10 (prior to the patch)

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

 

Note: Systems using SMBv1 and not patched after March 2017 are vulnerable.

 

How to Fix the Vulnerability

Step 1: Apply Microsoft Security Updates

Microsoft released security patches to address EternalBlue in March 2017 (MS17-010). Installing these updates is the most effective way to secure systems.

Visit the Microsoft Security Bulletin to find the relevant update for your system.

Use Windows Update or WSUS to deploy the patches across all affected devices.

 

Step 2: Disable SMBv1

Microsoft strongly recommends disabling SMBv1, as it is outdated and insecure. Disabling SMBv1 eliminates the attack vector exploited by EternalBlue.

 

Steps to Disable SMBv1 via Control Panel:

Open Control Panel > Programs > Programs and Features.

Click Turn Windows features on or off.

Scroll down to SMB 1.0/CIFS File Sharing Support and uncheck the box.

Click OK and restart your system.

Steps to Disable SMBv1 via PowerShell:

Run the following commands in an elevated PowerShell session:

# Disable SMBv1
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Verify SMBv1 is disabled
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

 

Step 3: Registry Fix for SMBv1

For administrators managing multiple systems, disabling SMBv1 via the Windows Registry can be automated.

Open the Registry Editor:

Press Win + R, type regedit, and press Enter.

Navigate to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Add or modify the following registry value:

Name: SMB1

Type: REG_DWORD

Value: 0

Restart the system for the changes to take effect.

 

Step 4: Network Segmentation and Firewall Configuration

Block SMB-related ports (e.g., TCP 445) at the network perimeter to prevent unauthorized access.

Use firewalls to restrict SMB traffic within your internal network.

 

Step 5: Validate the Fix

Run the following PowerShell command to ensure SMBv1 is disabled:

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

The status should show as Disabled.

 

PowerShell Script to Automate Mitigation

Use this script to disable SMBv1 and ensure all settings are properly configured:

 

# PowerShell Script to Disable SMBv1 and Mitigate EternalBlue Vulnerability

# Check if running as Administrator
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] “Administrator”)) {
Write-Host “Please run this script as Administrator.” -ForegroundColor Red
exit
}

# Disable SMBv1
try {
Write-Host “Disabling SMBv1…” -ForegroundColor Yellow
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Disable SMBv1 Client
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

Write-Host “SMBv1 disabled successfully.” -ForegroundColor Green
} catch {
Write-Host “Error disabling SMBv1: $_” -ForegroundColor Red
}

# Block TCP Port 445 using Windows Firewall
try {
Write-Host “Blocking TCP Port 445…” -ForegroundColor Yellow
New-NetFirewallRule -DisplayName “Block SMB TCP 445” -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
Write-Host “TCP Port 445 blocked successfully.” -ForegroundColor Green
} catch {
Write-Host “Error blocking TCP Port 445: $_” -ForegroundColor Red
}

# Restart system to apply changes
Write-Host “Please restart your system to complete the mitigation process.” -ForegroundColor Cyan

 

Additional Best Practices

Patch Management:

Establish a robust patch management process to ensure timely application of security updates.

 

Enable Advanced Threat Protection:

Use tools like Microsoft Defender for Endpoint to detect and block exploitation attempts.

 

Conduct Security Audits:

Regularly review network and system configurations for vulnerabilities.

 

Educate Users:

Train employees on recognizing phishing attempts, which are often used to deliver ransomware payloads.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top