[CA6443] Vulnerability CVE-2017-0144 in SMB exploited by WannaCryptor ransomware to spread over LAN

ESET Customer Advisory 2017-0010
May 15, 2017
Severity: Critical

On Friday May 12, 2017, massive attacks of Win32/WannaCryptor ransomware were reported worldwide, impacting various institutions, including hospitals, causing disruption of provided services. Of special note, this attack was the first massively spread malware to exploit the CVE-2017-0144 vulnerability in SMB to spread over LAN. In particular, if a user opened a malicious file that usually came as an attachment to an email, the malware started to propagate to unpatched computers in LAN and encrypt files, appending the WNCRY extension.

Details

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability."

On March 14 Microsoft released a hotfix KB4012212 which is included in a monthly rollup update KB4012215. Vulnerability details were disclosed on March 16, 2017.

For more information about WannaCryptor ransomware, please read:

• www.welivesecurity.com/2017/05/13/wanna-cryptor-ransomware-outbreak/
• support.eset.com/alert6442/

Solution

We strongly recommend installing the above mentioned hotfix as soon as possible, as further attacks exploiting this vulnerability may come soon.

The hotfix can be downloaded from https://technet.microsoft.com/en-us/library/security/MS17-010.

For download links for older and otherwise unsupported operating systems, such as Windows XP SP3, Windows Server 2003 and Windows 8, refer to https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/.

ESET security solutions with up-to-date version of Detection engine are able to detect and stop this malware. On vulnerable systems, ESET Endpoint Security version 6 and ESET Smart Security version 9 and later, as well as ESET Internet Security and ESET Smart Security Premium version 10 protect the system from remote exploitation of the vulnerability at the network level, using the Network protection module.

Because ESET NOD32 Antivirus and ESET Endpoint Antivirus do not contain the firewall and ESET Endpoint Security version 5 does not contain the Network protection module, these cannot provide protection at the network level. 

Feedback & Support

If you have feedback or questions about this issue, please contact us using the ESET Security Forum, or via your local ESET Customer Care channels.

Version log

Version 1.0 (May 15, 2017): Initial version of this document