
[Vulnerability notice] Windows multiple SMB/RDP remote command execution vulnerabilities

Last Updated: Mar 19, 2018

On April 14, 2017, the hacker group Shadow Brokers published confidential NSA Equation Group material containing multiple Windows remote exploit tools, which reportedly can be used against some 70% of the world's Windows servers. To protect your business on Alibaba Cloud, we recommend that you follow up on this issue.

See the following for more information about the vulnerability.


CVE identifier

None

Vulnerability name

Windows multiple SMB/RDP remote command execution vulnerabilities

Vulnerability rating

High

Vulnerability description

The hacker group Shadow Brokers published confidential NSA Equation Group material containing multiple Windows remote exploit tools, which reportedly can be used against some 70% of the world's Windows servers. These tools leverage the Server Message Block (SMB) and Remote Desktop Protocol (RDP) services to compromise servers over the network.

Condition and method of exploitation

The released tools execute code remotely on an unpatched server whose SMB (TCP ports 139 and 445, plus NetBIOS port 137) or RDP (TCP port 3389) service is reachable by the attacker. No local access is needed; an exposed port and a missing patch are enough.

Affected scope

The affected Windows versions include but are not limited to the following:

Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, Windows 2008, Windows 2008 R2, and Windows Server 2012 SP0


Vulnerability detection

Check whether ports 137, 139, 445 (NetBIOS/SMB), and 3389 (RDP) of your server are reachable from the Internet. From a computer outside your security group, use the Telnet client to test a port of the target address, for example, telnet 114.114.114.114 445 (replace 114.114.114.114 with the public IP address of your instance). If the connection is established (a blank Telnet window appears), the port is exposed; if the connection attempt times out, the port is filtered.

For more information, see Install the Telnet client.

How to fix or mitigate

Microsoft has released the announcement Protecting customers and evaluating risk, which maps each leaked tool to the security update that addresses it (the SMB exploits are covered by Microsoft Security Bulletin MS17-010). We strongly recommend that you install the latest patches on your ECS instances. Alibaba Cloud users can download and install the patches by means of Windows Update or manually. Alternatively, you can fix the vulnerability with one click in the ECS console.

  • Install the patches by means of Windows Update

    1. Choose Start > Control Panel > Windows Update.
    2. Click Check for Updates.
    3. Click Install Updates.
    4. After the installation is complete, restart the system to make the patch take effect.
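The following script is an added example, not part of the Alibaba Cloud notice or of Microsoft's guidance. It performs the host-side checks a practitioner would run after Windows Update completes: whether an MS17-010 update is present, whether the legacy SMBv1 server (the dialect the leaked SMB tools target) is still enabled, and it adds Windows Firewall rules as defence in depth behind the security group. The KB numbers are those published in Microsoft's MS17-010 bulletin for the versions listed above; the management range 203.0.113.0/24 is an assumed placeholder.

```powershell
# Added example (not from the Alibaba Cloud notice): run in an elevated PowerShell
# session on the Windows server after Windows Update completes.
#
# 1. Confirm that one of the MS17-010 updates is installed.
#    A later cumulative update that supersedes these KBs will not show under these
#    IDs, so a miss means "verify manually", not "unpatched".
$ms17010 = @('KB4012598', 'KB4012212', 'KB4012215', 'KB4012214', 'KB4012217',
             'KB4012213', 'KB4012216', 'KB4012606', 'KB4013198', 'KB4013429')
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    "MS17-010 update present: $($found.HotFixID -join ', ')"
} else {
    'No MS17-010 KB found: run Windows Update or check the installed cumulative update'
}

# 2. Report and disable the SMBv1 server. Get-/Set-SmbServerConfiguration exist on
#    Windows 8 / Server 2012 and later; on Windows 7 / Server 2008 R2 the documented
#    method is the SMB1 registry value (absent = enabled), which needs a reboot.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $value = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    $smb1Enabled = ($null -eq $value) -or ($value.SMB1 -ne 0)
}
if ($smb1Enabled) {
    'SMBv1 server is ENABLED; disabling it'
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
        'Reboot required for the registry change to take effect'
    }
} else {
    'SMBv1 server already disabled'
}

# 3. Defence in depth behind the security group: block inbound SMB/NetBIOS on the
#    host and allow RDP only from an assumed management range (placeholder value).
#    New-NetFirewallRule is available on Windows 8 / Server 2012 and later; on older
#    versions use "netsh advfirewall firewall" instead.
$mgmt = '203.0.113.0/24'
New-NetFirewallRule -DisplayName 'Block inbound SMB/NetBIOS (TCP 139,445)' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'Block inbound NetBIOS name service (UDP 137)' `
    -Direction Inbound -Protocol UDP -LocalPort 137 -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'Allow RDP from management range only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmt -Action Allow | Out-Null
# Disable the built-in Remote Desktop allow rules (open to any address) so that the
# scoped rule above, together with the profile's default inbound Block, governs RDP.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound | Disable-NetFirewallRule
```

Run step 3 from a console session (for example, the ECS VNC console) or after confirming that the management range includes the address you are connecting from; a wrong range locks you out of RDP. If the instance must serve SMB to other hosts in the VPC, replace the two Block rules with Allow rules scoped via -RemoteAddress to the VPC range instead of blocking outright.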

Newly bought ECS instances

The latest patch has been installed for all the Windows images provided by Alibaba Cloud since April 22, 2017.

  • We recommend that, when purchasing an ECS instance, you configure the security group rules so that only the protocols and ports your business requires are reachable from the Internet.

  • If you need access rights to other ports from the Internet, log on to the ECS console, go to the Security Group page, and click Configure Rules next to the target instance. On the Security Group Rules page, add Allow rules for those ports. For more information, see Security group configuration guide.

Verify the fix

After the access control policy of the security group is configured, use the Telnet client from a computer outside the security group to test and verify, for example, telnet your-public-ip 445. If the connection attempt times out and no prompt is returned, the port is filtered and the SMB/RDP exploits cannot be used against the server from the Internet. Note that this proves only external exposure: the server can still be reached from other hosts inside the same security group or VPC, so install the patch regardless.

A connection that times out in this way shows that the port is closed to the Internet and cannot be exploited by external attackers.
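The following script is an added example, not part of the Alibaba Cloud notice. It automates the Telnet check described in the Vulnerability detection and Verify the fix sections for all four ports at once, and unlike a bare Telnet it distinguishes a port that is refused (nothing listening) from one that is filtered (the security group drops the packet, which is the "no result is returned" case above). The target address 198.51.100.10 is a placeholder for your instance's public IP address.

```powershell
# Added example (not from the Alibaba Cloud notice): run from a computer OUTSIDE the
# security group. 198.51.100.10 is a placeholder for your instance's public IP address.
param([string]$Target = '198.51.100.10', [int]$TimeoutMs = 3000)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'filtered (timeout)'     # neither SYN-ACK nor RST within the timeout
        }
        $client.EndConnect($async)          # throws on RST (connection refused)
        return 'OPEN'
    } catch {
        return 'closed (refused)'           # also returned on name-resolution failure
    } finally {
        $client.Close()
    }
}

# Ports named in the notice, in the order they are listed there.
$ports = [ordered]@{
    137  = 'NetBIOS name service (UDP in practice; TCP/137 rarely listens)'
    139  = 'NetBIOS session / SMB over NetBIOS'
    445  = 'SMB (direct over TCP)'
    3389 = 'RDP'
}
$exposed = @()
foreach ($port in $ports.Keys) {
    $state = Test-TcpPort -Target $Target -Port $port -TimeoutMs $TimeoutMs
    '{0,5}  {1,-18}  {2}' -f $port, $state, $ports[$port]
    if ($state -eq 'OPEN') { $exposed += $port }
}
if ($exposed) {
    "EXPOSED: TCP $($exposed -join ', ') reachable from the Internet; restrict them in the security group"
} else {
    'No SMB/RDP port reachable from this vantage point'
}
```

Run it as .\Test-SmbRdpExposure.ps1 -Target <public IP>. A result of "filtered (timeout)" on all four ports is the outcome the Verify the fix section describes; "OPEN" on 139 or 445 means the SMB service is exposed and the security group rule has not taken effect.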

Background

  • What is SMB

    Server Message Block (SMB) is a network file- and printer-sharing protocol that originated at IBM and was further developed by Microsoft (with Intel) from 1987 onward. It is the basis of Microsoft network file sharing. SMB is an application-layer protocol: SMB over NetBIOS uses the NetBIOS API and TCP port 139, while direct SMB over TCP uses port 445. The leaked SMB tools target the legacy SMBv1 dialect, which is why disabling SMBv1 is recommended alongside patching.

  • What is RDP

    Remote Desktop Protocol (RDP) has been provided by Microsoft since Windows NT 4.0 Terminal Server Edition and Windows 2000 Server. It generally uses TCP port 3389 as the service port. RDP allows you to operate a computer that runs the RDP server software in real time from another computer over a network connection, for example to install software and run programs.

    However, an RDP port exposed to the Internet carries security risks: for example, it allows an attacker to brute-force server account passwords, and a successful attack gives the attacker control of the server. Therefore, we recommend that you reinforce the security of your Windows server by restricting RDP access to trusted source addresses.

Reference

[1]. https://zhuanlan.zhihu.com/p/26375989
[2]. http://mp.weixin.qq.com/s/yPExtMfVbpNo-5S2Ymvz-w
[3]. https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/
