Ransomware: Server Message Block Potential Exploit
VUIT Security Advisory: Renewed Potential Exploit of Server Message Block (SMB) on Windows systems
Vanderbilt IT would like to bring the following information to the technical community’s attention, especially those who use any version of Microsoft Windows (Vista SP2 and up) and are running Server Message Block (SMB) version 1.
A remote code execution vulnerability called Eternal Blue was identified in the following versions of Microsoft Windows:
- Windows Vista
- Windows Server 2008
- Windows 7
- Windows Server 2008 R2
- Windows 8.1
- Windows Server 2012
- Windows Server 2012 R2
- Windows RT 8.1
- Windows 10
- Windows Server 2016
Eternal Blue has been identified as critical because it can be exploited remotely and can potentially allow an attacker to take control of the affected machine. In turn, this grants an attacker access to other systems within the network. This vulnerability is linked to a new variant of ransomware called “WannaCry,” which is very active in Europe and gaining traction in the U.S.
Microsoft has released a security update that addresses the vulnerabilities by correcting how SMBv1 handles specifically crafted requests. To run this update, visit https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.
Security Operations is requiring that all supported versions of Microsoft Windows be patched as soon as possible. Versions of Microsoft Windows prior to Vista SP2, including but not limited to Windows XP and Server 2003, are considered unsupported and will not be patched. It is highlyadvisable that machines with unsupported operating systems be removed and/or upgraded to a newer version of Windows.
If you feel that your system has been compromised, please call the help desk at (615) 343-9999 or submit a high-priority Pegasus ticket.
Sources and References: