CVE-2017-0144

EternalBlue (SMB Exploit)

Overview

CVE-2017-0144 (EternalBlue) is one of the most infamous zero-day vulnerabilities in history, affecting the Windows Server Message Block (SMB) protocol. The exploit for it was leaked by the Shadow Brokers in 2017 and was then used in the devastating WannaCry and NotPetya ransomware attacks.

The exploit was reportedly stolen from the NSA and allowed remote code execution on vulnerable systems.

Technical Details

Exploitation

EternalBlue was used in the WannaCry ransomware attack in May 2017, which infected hundreds of thousands of computers worldwide, disrupting hospitals, businesses, and government agencies. The exploit was also used in the NotPetya attack, which caused billions in damages.

The vulnerability allowed attackers to send specially crafted packets to a target SMBv1 server, enabling remote code execution with the highest privileges.

Affected Systems

The vulnerability affected Windows systems with the SMBv1 server enabled. Microsoft released patches for all supported systems and, because of the severity of the attacks, even issued an emergency patch for unsupported versions such as Windows XP.

Patch Information

Microsoft released a security update (MS17-010) in March 2017 to address this vulnerability. Users and administrators were urged to apply the patch immediately.

Mitigation

For systems that could not be patched, Microsoft recommended disabling SMBv1 and blocking TCP port 445 at the network perimeter.
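The following PowerShell script is an added example, not part of the original page or of any Microsoft guidance text; it turns the mitigations described above (apply MS17-010, disable SMBv1, block TCP 445) into a host-level audit-and-remediate check. The KB number in $Ms17010Kb is a placeholder that must be replaced with the MS17-010 update id for the specific OS build, and the firewall rule name is an assumption of this example.

```powershell
# Added example (not from the original page): audit and harden a Windows host
# against CVE-2017-0144 along the lines the text describes. Run from an
# elevated PowerShell session.

# Placeholder, not a real KB id: MS17-010 shipped under a different KB number
# per OS build, so look the right one up before running the check.
$Ms17010Kb = 'KB<MS17-010 number for this OS build>'

# 1. Is the MS17-010 update installed on this host?
$hotfix = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    "MS17-010 present: $($hotfix.HotFixID) installed $($hotfix.InstalledOn)"
} else {
    "MS17-010 NOT found: apply the update for this OS build"
}

# 2. Is the SMBv1 server still enabled?
$smb = Get-SmbServerConfiguration
"SMBv1 server enabled: $($smb.EnableSMB1Protocol)"

# 3. Disable the SMBv1 server. -Force suppresses the confirmation prompt.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    "SMBv1 server disabled"
}

# On Windows 8.1/Server 2012 R2 and later the SMB1 component itself can be
# removed as an optional feature; the removal takes effect after a reboot.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    "SMB1Protocol feature removal scheduled (reboot required)"
}

# 4. Block inbound TCP 445 on the host firewall. The page recommends blocking
# 445 at the network perimeter; this local rule is a complement, not a
# replacement, and it stops all inbound file sharing to this machine, so
# apply it only on hosts that do not need to serve SMB.
$ruleName = 'Block inbound SMB (TCP 445)'   # assumed rule name for this example
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any
    "Firewall rule '$ruleName' created"
}
```

Steps 1 and 2 are read-only and safe to run across a fleet for inventory; steps 3 and 4 change configuration and should be staged, since disabling SMBv1 breaks legacy clients and devices that still depend on it.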