[High Risk Vulnerability Alert] SMB\RDP Remote Command Execution Vulnerability in Windows
Posted time: Apr 15, 2017 13:20 PM
On April 14, 2017 the foreign hacker group "Shadow Brokers" released confidential documents from the NSA's Equation Group containing multiple Windows remote exploit tools that can affect 70% of the world's Windows servers. To keep your business secure on Alibaba Cloud, please review the vulnerability details below:
Multiple SMB/RDP remote command execution vulnerabilities in Windows. Official rating: High-risk. Vulnerability description: the foreign hacker group "Shadow Brokers" released confidential documents from the NSA's Equation Group, including multiple Windows remote exploit tools that can be used to compromise the 70% of the world's Windows servers that expose SMB and RDP services.
Conditions and Ways of Exploiting Vulnerabilities:
The vulnerability can be exploited remotely by running the published tools against an exposed server, resulting in remote code execution.
Scope of Vulnerability:
The affected versions of Windows are known to include but are not limited to:
Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, Windows 2008, Windows 2008 R2, Windows Server 2012 SP0;
Determine whether the server has ports 137, 139, 445 or 3389 open using the method below:
From a computer on the external network, telnet to the destination address on port 445, for example: telnet 18.104.22.168 445
Telnet client installation:
Open "Start" -> "Run" (or press Windows key + R), enter appwiz.cpl and press Enter to open the "Programs and Features" window.
In the "Programs and Features" window, click "Turn Windows features on or off", find "Telnet Client" in the list of Windows features, tick the box in front of it, and then click OK.
Vulnerability Repair Recommendations (or Mitigation Measures):
Close ports 137, 139 and 445 using a security group access policy;
Restrict the source IP addresses allowed to reach port 3389 (remote login) using a security group access policy.
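The telnet check above tests one port at a time. The following script is an added example (not part of the original post or of any Alibaba Cloud tooling) that performs the same TCP connect test against the SMB and RDP ports named in this advisory from an external host, so the result can be compared before and after the security group rule is applied. Port 137 is NetBIOS name service over UDP, so a TCP connect cannot test it; the script reports it as not checked. The target address, timeout and the small local listener used for a self-test are assumptions made for the example.

```python
import socket
import sys
from contextlib import closing

# TCP ports from the advisory. 137/udp (NetBIOS name service) is not covered by a
# TCP connect test and is reported separately by report().
SMB_RDP_TCP_PORTS = {139: "NetBIOS session (SMB over NetBIOS)", 445: "SMB (direct hosting)", 3389: "RDP"}

def probe_tcp_port(host, port, timeout=3.0):
    """True if a TCP connect to host:port completes within timeout.
    This mirrors 'telnet host port': a completed handshake means the port is reachable."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, ConnectionRefusedError, OSError):
            # Refused or silently dropped by a security group / firewall: not reachable.
            return False

def exposed_services(host, ports=SMB_RDP_TCP_PORTS, timeout=3.0):
    """Map each port to (service name, reachable) for a before/after comparison."""
    return {port: (name, probe_tcp_port(host, port, timeout)) for port, name in ports.items()}

def report(host, results):
    """Render the check as text; reachable ports are flagged for the security group."""
    lines = [f"Exposure check for {host}:", "    137/udp  NetBIOS name service           not checked (UDP)"]
    for port, (name, reachable) in sorted(results.items()):
        state = "OPEN - restrict via security group" if reachable else "closed/filtered"
        lines.append(f"  {port:>5}/tcp  {name:<32} {state}")
    return "\n".join(lines)

def open_local_listener():
    """Constructed helper for a self-test: a listener on 127.0.0.1 on a free port.
    Returns (socket, port); close the socket to make the port refuse connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    # Assumed usage: python check_smb_rdp.py <server-public-ip>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(report(target, exposed_services(target)))
```

Run it from a machine outside the security group, apply the policy, and run it again: every advisory port should move from OPEN to closed/filtered, except 3389 from the whitelisted source addresses.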
1st Reply, posted time: May 16, 2017 23:31 PM
Excellent work! Only after the event, people would appreciate the precautions.
2nd Reply, posted time: Jan 21, 2018 22:17 PM
3rd Reply, posted time: Jan 21, 2018 22:18 PM
4th Reply, posted time: Oct 30, 2020 6:54 AM
Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, e.g. Office 365 plans security often through major architectural improvements that are not possible to backport to earlier versions of Windows.
There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.
It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible.