On April 14, 2017, the hacker organization Shadow Brokers released confidential files from the NSA's Equation Group. The files contain multiple Windows remote exploit tools that can cover 70% of the world’s Windows servers. To guarantee your business security on Alibaba Cloud, follow up on this issue.
See the following for more information about the vulnerability.
Windows multiple SMB/RDP remote command execution vulnerabilities
The hacker organization Shadow Brokers released confidential files from the NSA's Equation Group. The files contain multiple Windows remote exploit tools that can cover 70% of the world’s Windows servers. These tools can leverage SMB and Remote Desktop Protocol (RDP) to initiate server intrusions.
Condition and method of exploitation
The released tools are used to run code remotely.
The affected Windows versions include but are not limited to the following:
Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, Windows 2008, Windows 2008 R2, and Windows Server 2012 SP0
Check whether Ports 137, 139, 445, and 3389 of your server are enabled externally. You can use the Telnet command to test Port 445 of the target address from an external computer, for example:
telnet 188.8.131.52 445
For more information, see Install the Telnet client.
How to fix or mitigate
Microsoft has released the announcement Protecting customers and evaluating risk. We strongly recommend that you install the latest patch on the ECS instances you use. Alibaba Cloud users can download and install the patches through Windows Update or manually. Alternatively, you can fix the vulnerability with one click in the ECS console.
Install the patches by means of Windows Update
- Choose Start > Control Panel > Windows Update.
- Click Check for Updates.
- Click Install Updates.
- After the installation is complete, restart the system to make the patch take effect.
Download the patches manually
Open the patch download URL, download the patch that is compatible with your operating system, and double-click the patch to install it.
Use the following table to download the relevant patches:

| Code name | Solution |
| --- | --- |
| EternalBlue | Addressed by MS17-010 |
| EmeraldThread | Addressed by MS10-061 |
| EternalChampion | See CVE-2017-0146 and CVE-2017-0147 |
| ErraticGopher | Addressed before the release of Windows Vista |
| EskimoRoll | Addressed by MS14-068 |
| EternalRomance | Addressed by MS17-010 |
| EducatedScholar | Addressed by MS09-050 |
| EternalSynergy | Addressed by MS17-010 |
| EclipsedWing | Addressed by MS08-067 |
Note: We recommend that you perform testing before installing the patch on your business server. Restart the server after the patch is installed.
Fix the vulnerability by one click in the ECS console
Configure a network access control policy in the inbound direction of the Internet. If your business does not use Ports 137, 139, and 445, log on to the ECS console, go to the Security Group page, and click Configure Rules next to the target instance. On the Security Group Rules page, click Fix Windows High-risk Vulnerability. For Windows systems that are not affected by these vulnerabilities, this button does not exist.
Note: We strongly recommend that you use the security group’s access control policy in the inbound direction of the Internet to restrict the source IP addresses allowed to log on remotely over Port 3389. This prevents RDP-based port intrusions and reduces security risks. We also recommend that you configure the same access control policy in the inbound direction of the intranet according to your business needs.
You must check the usage of Ports 137, 139, and 445, and configure access control according to your business need.
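The review of inbound rules described above can be scripted over an exported rule list. This is an added example, not part of the original advisory or an Alibaba Cloud tool; the rule field names and value formats are assumptions modelled on ECS security group rule listings, and the sample rules are constructed.

```python
import ipaddress

# Ports the advisory names: NetBIOS/SMB (137, 139, 445) and RDP (3389).
RISKY_PORTS = (137, 139, 445, 3389)

# Constructed sample rules. Field names and formats are assumptions modelled
# on ECS security group rule listings, not output from a real account.
SAMPLE_RULES = [
    {"Direction": "ingress", "NicType": "internet", "Policy": "Accept",
     "IpProtocol": "TCP", "PortRange": "445/445", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "NicType": "internet", "Policy": "Accept",
     "IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "198.51.100.0/24"},
    {"Direction": "ingress", "NicType": "internet", "Policy": "Accept",
     "IpProtocol": "TCP", "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "NicType": "internet", "Policy": "Accept",
     "IpProtocol": "ALL", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
]


def risky_ports_in(port_range):
    """Return the advisory's ports covered by a 'start/end' range ('-1/-1' = all)."""
    start, end = (int(p) for p in port_range.split("/"))
    if (start, end) == (-1, -1):
        return list(RISKY_PORTS)
    return [p for p in RISKY_PORTS if start <= p <= end]


def audit(rules):
    """List (ports, rule) pairs for Internet-facing allow rules open to any source."""
    # Simplification: rule priority and overriding Drop rules are not evaluated.
    findings = []
    for rule in rules:
        inbound = rule["Direction"] == "ingress" and rule["NicType"] == "internet"
        if not inbound or rule["Policy"].lower() != "accept":
            continue
        # Only protocols that carry ports; an ICMP rule also uses '-1/-1'.
        if rule["IpProtocol"].lower() not in ("tcp", "udp", "all"):
            continue
        source = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
        ports = risky_ports_in(rule["PortRange"])
        if ports and source.prefixlen == 0:   # 0.0.0.0/0: any source address
            findings.append((ports, rule))
    return findings


if __name__ == "__main__":
    for ports, rule in audit(SAMPLE_RULES):
        print(f"open to any source on {ports}: {rule['IpProtocol']} {rule['PortRange']}")
```

The RDP rule restricted to 198.51.100.0/24 is not reported, which matches the advisory's recommendation to limit the source addresses for Port 3389 rather than leave it open to every address.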
Newly bought ECS instances
The latest patch has been installed for all the Windows images provided by Alibaba Cloud since April 22, 2017.
We recommend that you adjust the security group policies when purchasing an ECS instance to only enable necessary protocols and port access control permissions.
If you need access rights to other ports from the Internet, log on to the ECS console, go to the Security Group page, and click Configure Rules next to the target instance. On the Security Group Rules page, add Allow rules for those ports. For more information, see Security group configuration guide.
Verify the fix
After the access control policy of the security group is configured, you can use the Telnet client to perform testing and verification. If no result is returned, your server is immune from Internet attacks.
The following result shows that the port is disabled and cannot be exploited by hackers.
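Added example, not part of the original advisory: the Telnet check used here and in the exposure check earlier, scripted so that it tells an open port apart from a closed one and from one that returns no answer. The function names and the default target 203.0.113.10 (a documentation address) are assumptions; run it from a computer outside the server's network.

```python
import socket

# Port 137 is the NetBIOS name service over UDP, so a TCP connect (which is
# what Telnet does) is only meaningful for 139, 445 and 3389.
TCP_PORTS = (139, 445, 3389)


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # handshake completed: the service is reachable
    except ConnectionRefusedError:
        return "closed"      # host answered with a reset: nothing is listening
    except OSError:
        return "filtered"    # timeout, unreachable or other network error
    finally:
        sock.close()


def check_exposure(host, ports=TCP_PORTS, timeout=3.0):
    """Probe each port and return a {port: state} mapping."""
    return {port: probe(host, port, timeout) for port in ports}


def is_fixed(results):
    """True when none of the probed ports accepted a connection."""
    return all(state != "open" for state in results.values())


if __name__ == "__main__":
    import sys
    # 203.0.113.10 is a documentation placeholder; pass your server's address.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    results = check_exposure(target)
    for port, state in results.items():
        print(f"{target}:{port} {state}")
    print("no tested port is reachable" if is_fixed(results) else "still exposed")
```

A "filtered" state corresponds to Telnet returning no result after the security group rule is in place.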
What is SMB
Server Message Block (SMB) is a protocol developed by Microsoft and Intel in 1987. It is mainly used for Microsoft network communication. SMB runs at the session layer, presentation layer, and a small portion of the application layer. SMB uses the NetBIOS API. Based on TCP/NetBIOS, SMB generally uses Ports 139 and 445.
What is RDP
Remote Desktop Protocol (RDP) has been provided by Microsoft since Windows 2000 Server. It generally uses Port 3389 as the service port. RDP allows you to operate a computer that runs RDP server software in real time from another computer over a network connection, for example, to install software and run programs.
However, externally exposed RDP ports are prone to security risks. For example, those ports allow an attacker to initiate brute-force attacks on server accounts. Successful attacks allow the attacker to take control of the server. Therefore, we recommend that you reinforce the security of your Windows server.