ETERNALBLUE: Windows SMBv1 Exploit (Patched)

Published: 2017-04-14
Last Updated: 2017-04-15 12:17:15 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

Microsoft released a blog post outlining which patches address which vulnerability exploited by various "Shadowbroker" exploits. According to the table released by Microsoft, "ETERNALBLUE" was fixed by MS17-010 released in March. Interestingly, MS17-010 listed all vulnerabilities as "not used in exploits". Microsofts acknowledgement page does not list a source for the vulnerability disclosure. 

We decided to keep our "Infocon" at Green in light fo the availability of a patch.

To protect yourself from this exploit, you can also disable SMBv1 (see this KB article by Microsoft about details), and make sure you are blocking port 445. 

A snort rule for ETERNALBLUE was released by Cisco as part of the "registered" rules set. Check for SID 41978.


Shadowbroker, as part of the set of exploits it collected and had offered for auction, today released a number of Windows-related exploits. One that looks in particular interesting as it promises an exploit via SMB for Windows hosts up to Windows 8 and Windows Server 2012, was published under the name "ETERNALBLUE". 

Right now, I haven't been able to make it fully work yet, but I was able to collect some packets to a Windows 7 system. The exploit makes by default three attempts to attack a system. An XML file accompanying the exploit allows the attacker to configure various parameters. 

In general, an SMB exploit *should* not be all that exciting these days, as blocking port 445 is standard best practice. I am attaching a link to a packet capture below to allow you to analyze it further. In the packet capture, the vulnerable hosts IP address is

After repeated attempts, the Windows 7 host crashed.



Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

9 comment(s)
ISC Stormcast For Friday, April 14th 2017


Diary Archives