Microsoft patch legacy systems against further Shadow Brokers exploits

Microsoft Security Advisory 4025685 [1] was released on Tuesday 13 June 2017 and quickly gathered a large amount of attention for fixing a significant number of SMB exploits in supported versions of Windows and for Microsoft's decision, once again, to provide patches for now-unsupported versions of their operating systems.

While Microsoft rate the SMB vulnerabilities as Important rather than Critical, it should be borne in mind that vulnerabilities within network services such as these are inherently 'wormable' as demonstrated by WannaCry's rapid spread via the exploitation of an SMB vulnerability just last month (see our previous blog for a breakdown of how this propagation worked). This type of propagation method is particularly effective once malware is present within organisations, as systems such as firewalls and intrusion prevention systems are typically deployed on the boundary and are rarely used to monitor and block traffic between internal devices.

Older Versions & The Shadow Brokers Exploits

As noted above, Microsoft have repeated last months unusual decision to provide a patch for versions of their operating systems no longer in support including Windows XP, Windows Server 2003, and Windows Vista. Again, this decision is likely in part down to the requirement to patch older systems such as these against the MS17-010 SMB vulnerability (EternalBlue) during last month's WannaCry outbreak.

However, also patched on these older systems are the three remaining exploits previously released by the Shadow Brokers: EnglishmanDentist (CVE-2017-8487), EsteemAudit (CVE-2017-0176), and ExplodingCan (CVE-2017-7269). Microsoft had previously left these vulnerabilities un-patched as they were found not to affect any currently support versions of Windows.

Comment: The reason for patching these vulnerabilities and further rolling a number of other patches up for older platforms is unclear and represents an historically unusual decision, potentially suggesting that Microsoft have reason to believe that malicious actors are planning a campaign using one of the three leaked vulnerabilities listed above. While critical systems in major organisations are unlikely to be running on older versions of Windows, compromised systems are frequently used as staging points and relays in larger scale attacks.

The ExplodingCan exploit, for example, allows remote code execution on servers running IIS6.0 (typically Windows Server 2003 systems) with WebDAV enabled. Research conducted in March 2017 [2] suggested that approximately 60,000 devices globally are likely vulnerable to this exploit. With exploit code for this particular vulnerability having been published around the same time, this vulnerability presents a significant attack surface, especially for an actor seeking to build infrastructure for attacks against more valuable targets.

Conclusion

While there is no currently active attack on the scale of WannaCry, recommendations are in line with the advice given during the earlier outbreak:

• Ensure that these and any other security updates are installed in a timely manner - it should be borne in mind that a patch for the vulnerability used by WannaCry had been available for nearly eight weeks at the time of the outbreak. Note that older systems for which patches have been provided but which are outside of Microsoft's official support period will not automatically update and require manual installation of the patches.
• Ensure that you have email and web security that can block malicious emails, block intermediate download stages with Real Time Security Signatures (RTSS), and provide URL sandboxing for additional protection.
• In line with Microsoft's guidance from 2016 [3], customers should consider disabling SMBv1 and other legacy protocols on all Windows systems [4] where this will not negatively impact the function of systems within the environment. If you are a Forcepoint customer please consult the following Knowledge Base Article to identify what course of action may be suitable for your product: https://support.forcepoint.com/KBArticle?id=000012832

As always, Forcepoint Security Labs will continue to monitor for attacks actively using any of the exploits mentioned above.

References & External Links

[1] https://technet.microsoft.com/en-us/library/security/4025685

[2] https://0patch.blogspot.co.uk/2017/03/0patching-immortal-cve-2017-7269.html

[3] https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

[4] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012