[High Risk Vulnerability Alert] SMB/RDP Remote Command Execution Vulnerability in Windows Operating System

On April 14, 2017, the foreign hacker group “Shadow Brokers” leaked confidential documents of the NSA's Equation Group containing multiple Windows remote exploit tools that can affect 70% of the world's Windows servers. To keep your business on Alibaba Cloud secure, please review the vulnerability details below:

1. Scope of Vulnerability:

Known affected Windows versions include, but are not limited to:
Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, Windows 2008, Windows 2008 R2, Windows Server 2012 SP0.

2. Vulnerability Detection:

The leaked tools exploit SMB and RDP services to gain remote access. Users should check whether ports 137, 139, 445 and 3389 are reachable from the Internet. Detection method:
From a computer outside your network, telnet to port 445 of the destination address, for example: telnet [IP] 445

3. Mitigation Measures

(1) Microsoft has published an advisory strongly recommending that you install the latest patches. See the link below for details.
https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

(2) Alibaba Cloud has also released a one-click mitigation tool for this vulnerability in the console. If your business does not use ports 137, 139 and 445, log on to the ECS Console - Security Group Management - Rule Configuration and use the tool to block this risk.

(3) Restrict the source IP addresses allowed to reach port 3389 (remote logon) using the security group's public network ingress policy.
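The detection step in section 2 and the security-group mitigations in section 3 can be combined into a small exposure check. The following Python script is an added example, not Alibaba Cloud's tool or part of the original alert: it probes the four ports named above from outside the host, the way the telnet check does, and maps any open port to the corresponding mitigation. The host name and the wording of the recommendations are assumptions for illustration.

```python
import socket

# Ports named in the advisory: NetBIOS/SMB (137, 139, 445) and RDP (3389).
# Note: NetBIOS name service normally listens on UDP/137, so a TCP probe of
# 137 will usually report "closed" even when NetBIOS is enabled.
SMB_PORTS = (137, 139, 445)
RDP_PORT = 3389
ADVISORY_PORTS = SMB_PORTS + (RDP_PORT,)


def check_port(host, port, timeout=2.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (timeout/unreachable)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:      # must come before OSError, it is a subclass
            return "closed"
        except OSError:                     # socket.timeout is an OSError subclass too
            return "filtered"


def audit_host(host, ports=ADVISORY_PORTS, timeout=2.0):
    """Probe each advisory port from the outside, like the telnet check in section 2."""
    return {port: check_port(host, port, timeout) for port in ports}


def recommend(results):
    """Map open ports to the advisory's mitigations (security-group rules)."""
    actions = []
    open_smb = sorted(p for p in SMB_PORTS if results.get(p) == "open")
    if open_smb:
        actions.append("Block inbound TCP %s in the ECS security group unless the business "
                       "needs SMB, and install the latest Microsoft patch."
                       % ",".join(str(p) for p in open_smb))
    if results.get(RDP_PORT) == "open":
        actions.append("Restrict inbound TCP 3389 to trusted source IP addresses in the "
                       "security group's public network ingress policy.")
    return actions


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # hypothetical target
    results = audit_host(target)
    for port, state in sorted(results.items()):
        print("%s:%d %s" % (target, port, state))
    for action in recommend(results) or ["No advisory ports exposed."]:
        print("- " + action)
```

Run it from a machine outside the security group, since probing from inside the same VPC does not show what the public network sees.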

We will continue to follow the progress of this event and keep you updated. More details are available at this link: https://www.alibabacloud.com/forum/read-888. Thank you for your support of Alibaba Cloud!