- EternalDarkness, also known as SMBGhost, is the latest vulnerability affecting the Microsoft SMB protocol; it was first reported in March 2020.
- This is a high-severity threat because SMB vulnerabilities are very often adopted quickly by "wormified" attacks. As of publishing this post, PoCs exist for denial of service and local privilege escalation.
- Bitdefender Hypervisor Introspection stops the local privilege escalation 0-day attack without any additional configuration or updates. See the demo below.
A recently reported Windows SMBv3 vulnerability could lead to widespread malware proliferation. On March 10th, 2020, Microsoft published a security advisory acknowledging a new remote code execution vulnerability (CVE-2020-0796) in the SMBv3 protocol that affects both servers and clients. The advisory was initially released without a patch; it offered a workaround (disabling SMBv3 compression on the server) and network-level mitigations, and the fix followed as an out-of-band update two days later. The vulnerability is known to affect Windows 10 and Windows Server (Server Core installations) versions 1903 and 1909, on 32-bit, x64 and ARM64 systems.
A vulnerability of this type sends shivers down the infosec practitioner's spine. It kicks off a race between patching, testing security controls and implementing mitigating measures on one side, and mass exploitation on the other. Hopefully by now, everyone has patched all vulnerable systems.
The SMB Can of Worms
It usually doesn't take long for attackers to "wormify" exploitable remote code execution vulnerabilities in services that are commonly exposed, whether to the internal network or to the outside world. SMB, the Microsoft Server Message Block protocol, is a prime example.
Looking back, we've seen just how damaging this level of attack automation can be, specifically with SMB vulnerabilities. What follows is a highlight reel, of sorts.
Back in 2008, the MS08-067 vulnerability in the Windows Server service, reachable over SMB, gave birth to the Conficker/Downadup attacks, which wreaked havoc in computer networks worldwide and proved quite helpful for attackers looking to deliver various malicious payloads. Many sysadmins and infosec engineers remember the November 2008 nights spent at the office, desperately trying to contain the spread of these attacks.
Even four years after its initial disclosure, the Metasploit module for this vulnerability still ranked number 2 in the project's top 10 most-used modules, thanks to its simplicity and reliability.
The infamous EternalBlue exploit was made available to the wider public in a leak by The Shadow Brokers, a cyber-criminal group. EternalBlue was allegedly developed by the NSA's Equation Group.
The EternalBlue exposure was significant because the underlying vulnerability affected all Windows operating systems in use at the time. Although the exploit code became public one month after Microsoft had already provided patches, the first wormified attack, WannaCry, spread like wildfire a month after that and inflicted painful business damage on organizations worldwide.
NotPetya was the second worm to leverage EternalBlue, released a little over three months after the patch became available. While it initially targeted Ukraine, it also hit organizations in western Europe and beyond.
In one of the first detailed write-ups following Microsoft's initial announcement, security researchers pointed to a very straightforward bug: an integer overflow in the way the SMBv3 server sizes its buffer when handling the compression transform header of a compressed message.
The vulnerability is similar to previous SMB vulnerabilities, but it is harder to exploit reliably for remote code execution because of OS security improvements such as KASLR (Kernel Address Space Layout Randomization).
Another important difference is that the vulnerability affects both SMB clients and SMB servers: a malicious server can attack clients that connect to it, and the server-side bug can be triggered by an unprivileged user connecting to the machine's own SMB server. This opens the door to local attacks.
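The bug the write-ups point to fits in a few lines of C. The following is an added example, not code from this page, from Microsoft or from the PoC authors: it parses the 16-byte SMB2 COMPRESSION_TRANSFORM_HEADER as laid out in MS-SMB2 and contrasts the vulnerable way of sizing the decompression buffer (a 32-bit sum of two attacker-controlled fields) with a checked version that doubles as a network detection rule. The function and type names and the two sample messages are constructed for this example; the real driver differs in its data structures but performs the same arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42): 16 bytes, little-endian, at the start of
 * an SMB2 message (i.e. after the 4-byte Direct TCP transport length prefix has been stripped). */
#define SMB2_COMP_HDR_LEN     16u
#define SMB2_COMP_PROTOCOL_ID 0x424D53FCu   /* bytes FC 'S' 'M' 'B' read as a little-endian uint32 */

typedef struct {
    uint32_t original_compressed_segment_size; /* size of the data once decompressed */
    uint16_t compression_algorithm;
    uint16_t flags;
    uint32_t offset;                           /* uncompressed bytes preceding the compressed payload */
} smb2_comp_hdr;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Returns false when the buffer is too short or does not start with the transform ProtocolId. */
bool smb2_parse_comp_hdr(const uint8_t *buf, size_t len, smb2_comp_hdr *h)
{
    if (len < SMB2_COMP_HDR_LEN || rd32(buf) != SMB2_COMP_PROTOCOL_ID)
        return false;
    h->original_compressed_segment_size = rd32(buf + 4);
    h->compression_algorithm            = rd16(buf + 8);
    h->flags                            = rd16(buf + 10);
    h->offset                           = rd32(buf + 12);
    return true;
}

/* VULNERABLE pattern: the destination buffer size is the 32-bit sum of two attacker-controlled
 * fields. With OriginalCompressedSegmentSize = 0xFFFFFFFF and Offset = 0x10 the sum wraps to 0xF,
 * so the allocation is tiny while decompression still writes up to the full segment size. */
uint32_t dest_size_vulnerable(const smb2_comp_hdr *h)
{
    return h->original_compressed_segment_size + h->offset;
}

/* HARDENED: reject wrap-around and an Offset larger than the bytes actually present after the
 * header. Stores the checked size in *out and returns true only when the fields are consistent. */
bool dest_size_checked(const smb2_comp_hdr *h, size_t payload_len, uint32_t *out)
{
    if (h->offset > payload_len)                                      /* prefix longer than message */
        return false;
    if (h->original_compressed_segment_size > UINT32_MAX - h->offset) /* 32-bit addition would wrap */
        return false;
    *out = h->original_compressed_segment_size + h->offset;
    return true;
}

/* The same check run over a raw SMB2 message, as a network sensor would: true means "flag it". */
bool smb2_comp_hdr_suspicious(const uint8_t *msg, size_t len)
{
    smb2_comp_hdr h;
    uint32_t size;
    if (!smb2_parse_comp_hdr(msg, len, &h))
        return false;                        /* not a compressed SMB2 message, nothing to judge */
    return !dest_size_checked(&h, len - SMB2_COMP_HDR_LEN, &size);
}

/* Constructed sample messages (not captured traffic): 16-byte header plus 16 zero payload bytes. */
static const uint8_t benign_msg[32] = {
    0xFC, 'S', 'M', 'B',        /* ProtocolId */
    0x00, 0x01, 0x00, 0x00,     /* OriginalCompressedSegmentSize = 0x100 */
    0x01, 0x00,                 /* CompressionAlgorithm = LZNT1 */
    0x00, 0x00,                 /* Flags */
    0x10, 0x00, 0x00, 0x00,     /* Offset = 0x10, matches the 16 payload bytes that follow */
};
static const uint8_t wrap_msg[32] = {
    0xFC, 'S', 'M', 'B',
    0xFF, 0xFF, 0xFF, 0xFF,     /* OriginalCompressedSegmentSize = 0xFFFFFFFF */
    0x01, 0x00,
    0x00, 0x00,
    0x10, 0x00, 0x00, 0x00,     /* Offset = 0x10: the 32-bit sum wraps to 0xF */
};

int main(void)
{
    smb2_comp_hdr h;
    uint32_t n;
    smb2_parse_comp_hdr(wrap_msg, sizeof wrap_msg, &h);
    printf("vulnerable size computation: 0x%x\n", dest_size_vulnerable(&h));
    printf("checked computation: %s\n",
           dest_size_checked(&h, sizeof wrap_msg - SMB2_COMP_HDR_LEN, &n) ? "ok" : "rejected");
    printf("benign flagged: %d, wrapping header flagged: %d\n",
           smb2_comp_hdr_suspicious(benign_msg, sizeof benign_msg),
           smb2_comp_hdr_suspicious(wrap_msg, sizeof wrap_msg));
    return 0;
}
```

The checked version is also what a sensor rule for this class of bug reduces to: any compression transform header whose two size fields sum past 32 bits, or whose Offset exceeds the bytes on the wire, has no legitimate purpose and can be dropped or alerted on regardless of which compression algorithm is claimed.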
Bitdefender Hypervisor Introspection EternalDarkness Prevention
This week, a group of security researchers released the first functional exploit PoC: a local privilege escalation exploit that triggers the SMB server bug from within the local user session. More details are available on their GitHub repo.
As with EternalBlue, BlueKeep and other past high-profile exploits, Bitdefender researchers have validated that Hypervisor Introspection (HVI) stops EternalDarkness.
We first used the above-mentioned PoC code and executed the privilege escalation attack on an unprotected, unpatched Windows 10 version 1903. The exploit successfully exploited the bug in the SMB driver. It achieved code execution capabilities and used a code-injection technique to provide an elevated-privilege Command Prompt shell.
We repeated the exercise with Hypervisor Introspection (HVI) enabled. HVI successfully prevented the attack by blocking the code-injection technique that the attack requires in order to succeed. No updates to HVI were required, since detecting code injection is considered a baseline attack technique. The conclusion is that HVI, once again, provides true 0-day prevention.
Check out the following recorded demo of HVI in action: