Installing the MS17-010 patch for Windows is the only way to eliminate the vulnerabilities being actively exploited. If a system cannot be patched, then the next best alternative is to block or remove SMB services. It is no longer sufficient to disable only specific versions of SMB on Windows systems, as this has proven to be ineffective.
If a system cannot be patched, and SMB services cannot be blocked or removed, please contact us at security@ubc.ca for a risk assessment and threat mitigation recommendation.
A number of large organizations, such as Britain’s National Health Service, have been affected by a massive, global ransomware attack called WannaCry. This ransomware is spread by an unpatched vulnerability, identified by Microsoft as MS17-010, and demands a ransom of $300.
Emails with this ransomware may have subject lines such as:
- Copy_[with Random Numbers]
- Document_[with Random Numbers]
- Scan_[with Random Numbers]
- File_[with Random Numbers]
- PDF_[with Random Numbers]
This is not an exhaustive list. Please be extra cautious and do not open any emails that seem suspicious or unfamiliar no matter what the subject line is.
Severity
Critical
CVE
- CVE-2017-0007
- CVE-2017-0016
- CVE-2017-0039
- CVE-2017-0057
- CVE-2017-0100
- CVE-2017-0104
- CVE-2017-0143
- CVE-2017-0144
- CVE-2017-0145
- CVE-2017-0146
- CVE-2017-0147
- CVE-2017-0148
Impacted platforms
- All versions of Windows 2000 and prior are vulnerable and no patch is available
- Windows XP with Service Pack 3 x86 KB4012598
- Windows XP with Service Pack 2 x64 KB4012598
- Windows XP Embedded with Service Pack 3 x86 KB4012598
- Windows Vista with Service Pack 2 x86 KB4012598
- Windows Vista with Service Pack 2 x64 KB4012598
- Windows 7 with Service Pack 1 x86 KB4012212 or KB4012215
- Windows 7 with Service Pack 1 x64 KB4012212 or KB4012215
- Windows 8 x86 KB4012598
- Windows 8 x64 KB4012598
- Windows 8.1 x86 KB4012213 or KB4012216
- Windows 8.1 x64 KB4012213 or KB4012216
- Windows 10 x86 KB4012606
- Windows 10 x64 KB4012606
- Windows 10 version 1511 x86 KB4013198
- Windows 10 version 1511 x64 KB4013198
- Windows 10 version 1607 x86 KB4013429
- Windows 10 version 1607 x64 KB4013429
- Windows Server 2003 with Service Pack 2 x86 KB4012598
- Windows Server 2003 with Service Pack 2 x64 KB4012598
- Windows Server 2008 with Service Pack 2 x86 KB4012598
- Windows Server 2008 with Service Pack 2 x64 KB4012598
- Windows Server 2008 R2 with Service Pack 1 KB4012212 or KB4012215
- Windows Server 2012 KB4012214 or KB4012217
- Windows Server 2012 R2 KB4012213 or KB4012216
- Windows Server 2016 KB4013429
Recommended actions
Please ensure your servers have the latest patches:
- https://technet.microsoft.com/en-us/library/security/ms17-012.aspx
- https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
If patches are not available for a system and it cannot be protected via alternative controls, such as anti-malware, then it is recommended that SMB ports be blocked for the system until such time as it can be patched or additional controls applied to protect against infection.
Patching Guidance
- Desktops and Laptops must be patched and running current anti-malware that provides protection
- Servers that are vendor supported, and not end of life, must be patched
- Servers that cannot be patched must block SMB via host-based or network firewalls
- All servers must have up to date anti-malware protection
If in any doubt at all, please don’t hesitate to contact the UBC IT Service Desk at http://www.it.ubc.ca/helpdesk
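One way to apply the patching guidance above on a single host, as an added example that is not part of the original advisory and is not a UBC tool: it looks for the KBs listed under "Impacted platforms" and, for a host that cannot be patched, blocks inbound SMB with the host firewall. It assumes Windows PowerShell 3.0 or later, and Windows Vista / Server 2008 or later for `netsh advfirewall`; the function names and the firewall rule name are made up for this example, and TCP 139 and 445 are the standard SMB ports, which the advisory itself does not list.

```powershell
# Added example, not from the advisory. Run from an elevated PowerShell prompt.

# KB numbers copied from the "Impacted platforms" list in this advisory.
$Ms17010Kbs = @(
    'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
    'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'
)

function Get-Ms17010Status {
    # Reports which of the listed KBs are installed on the local host.
    # Caveat: later cumulative updates supersede these KBs, so "none found"
    # means "check the patch level by other means", not "proven vulnerable".
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $found = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID })

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        OS        = $os.Caption
        Version   = $os.Version
        ListedKBs = ($found | ForEach-Object { $_.HotFixID }) -join ', '
        Patched   = ($found.Count -gt 0)
    }
}

function Block-InboundSmb {
    # For hosts that cannot be patched: block inbound SMB at the host firewall.
    # This also stops legitimate file and printer sharing to this host.
    # Rule name is an arbitrary label chosen for this example.
    netsh advfirewall firewall add rule name=Block-Inbound-SMB `
        dir=in action=block protocol=TCP localport=139,445
}

$status = Get-Ms17010Status
$status | Format-List

if (-not $status.Patched) {
    Write-Warning 'No listed MS17-010 KB found. Patch this host, or run Block-InboundSmb if it cannot be patched.'
}
```

The block rule is deliberately not applied automatically: review the status output first, then call `Block-InboundSmb` only on hosts that must stay unpatched.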
More Information
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
https://technet.microsoft.com/en-us/library/security/ms17-012.aspx
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/