Say Goodbye to SMBv1 in Windows Fall Creators Update

The SMBv1 file-sharing protocol abused by the NSA’s EternalBlue exploit to spread WannaCry ransomware is being disabled in the upcoming Windows Fall Creators Update, or Redstone 3.

The crusty SMBv1 file-sharing protocol, abused by an NSA exploit last month that spread WannaCry, will be removed from Windows 10 starting with the upcoming Redstone 3 update.

“We can confirm that SMBv1 is being removed for Redstone 3,” a Microsoft representative told Threatpost.

Redstone 3, a code-name for the Fall Creators Update, will begin the phasing out of SMBv1, a plan that reportedly has been in the works for years and is not a reaction to the EternalBlue exploit, nor WannaCry. It is due in September.

SMBv1, version 1 of the Server Message Block protocol, provides shared access to Windows file and print services on a local network. Attackers believed to have ties to North Korea used the EternalBlue exploit, leaked in April by the ShadowBrokers, to spread the ransomware worldwide on May 12. Hospitals in the U.K., giant telecommunications providers across Europe, and many businesses in Russia and across Asia fell victim to WannaCry, which eventually infected unpatched Windows servers running SMBv1 in more than 150 countries.

Microsoft had patched the SMBv1 vulnerability in question in March in MS17-010, one month before the ShadowBrokers’ leak, and urged admins worldwide to install the patch immediately. The WannaCry outbreak, however, demonstrated that many organizations did not heed those warnings; the ransomware, generally derided for its shoddy coding, still managed to infect more than 200,000 servers.

The weaponized version of EternalBlue released by the ShadowBrokers is effective against only Windows 7 and Windows XP machines, but researchers at RiskSense were able to build a Windows 10 port that bypasses some of the mitigations in the Current Branch for Business version of the operating system. While a report on RiskSense’s Windows 10 version of the attack is available, researchers won’t release new offsets used to weaponize their attack.

Microsoft, meanwhile, continues to plead with users running legacy versions of Windows to upgrade to Windows 10. The current version of the operating system includes a number of mitigations to deny EternalBlue and other weapons-grade Windows attacks leaked in April. Researchers echo those pleas as well, praising Windows 10’s mitigations such as kernel ASLR and DEP and virtualization-based security in Device Guard.

Microsoft this week released an analysis of EternalBlue and EternalRomance, another SMB remote code execution attack, and describes how each of the above mitigations, in addition to kernel Control Flow Guard, breaks the exploits available in the wild.

“Through VBS’s usage of CPU hypervisor functionality, Device Guard-enabled systems can verify and enforce integrity of code that’s mapped in the kernel address space,” wrote Viktor Brange of the Windows Offensive Security Research Team. “kCFG prevents many exploitation techniques that rely on corrupting function pointers to achieve code execution.”

While EternalBlue and its DoublePulsar backdoor have been studied on many fronts, EternalRomance is another SMBv1 attack that exploits a separate vulnerability, CVE-2017-0145, to gain remote code execution capabilities.

“This exploit was written to remotely install and launch an SMB backdoor. At the core of this exploit is a type confusion vulnerability leading to an attacker offset controlled arbitrary heap write,” Brange wrote. “As with almost any heap corruption exploit, the attacker must know or control the layout of the heap to consistently succeed. With SMB, most objects are allocated in the non-paged pool.”

In its analysis, Microsoft explains how an attacker could learn a reliable heap layout, build primitives from corruption of the heap, and how all this enables installation of the in-memory backdoor.

In addition to patching, Microsoft warns that customers exposing port 445 to the internet are making a massive mistake, and that SMB should be run inside the firewall.
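As an added example that is not part of the article or of Microsoft's guidance, the following PowerShell pass puts that advice into practice on Windows 10 or Server 2016: it checks whether any client is still negotiating SMB 1.x, turns on SMB1 access auditing, disables SMBv1, and blocks inbound TCP 445 from non-local addresses. The firewall rule name is a label chosen for this example.

```powershell
# Added example (not from the article): audit SMBv1 use, disable it, and keep port 445 off the internet.
# Run from an elevated PowerShell on Windows 10 / Windows Server 2016.
#Requires -RunAsAdministrator

$ruleName = 'Block inbound SMB (TCP 445) from Internet'   # label chosen for this example

# 1. Is the SMBv1 server component still enabled?
$cfg = Get-SmbServerConfiguration
Write-Host "SMB1 server enabled: $($cfg.EnableSMB1Protocol)"

# 2. Are live sessions actually negotiating an SMB 1.x dialect? Fix those clients first,
#    because disabling SMBv1 will cut them off.
$legacy = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
if ($legacy) {
    Write-Warning 'Clients still using an SMB1 dialect:'
    $legacy | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table -AutoSize
}

# 3. Log SMB1 access attempts to the Microsoft-Windows-SMBServer/Audit channel so stragglers
#    (and scanners) remain visible after SMB1 is switched off.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 4. Disable the SMBv1 server and remove the optional feature (client and server side).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host 'SMB1Protocol feature disabled; a reboot completes the removal.'
}

# 5. Keep SMB inside the perimeter: block inbound TCP 445 from internet addresses.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 6. Report the resulting state.
[pscustomobject]@{
    Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Smb1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    Smb1Auditing      = (Get-SmbServerConfiguration).AuditSmb1Access
    Port445Blocked    = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
}
```

Step 2 matters in practice: legacy NAS appliances, printers and old scanners often only speak SMB1, and the audit log from step 3 shows which hosts keep trying after it is disabled.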

“However, if an attacker has access to a vulnerable endpoint running SMB, the ability to run arbitrary code in kernel context from a remote location is a serious compromise,” Microsoft said.
