If SMBv1 client/server are disabled, do I still need MS17-010 patch?


I don't understand this one:

There are contradictory things I have read about how to mitigate the WannaCry incident: some say that if the SMBv1 client and server are disabled, the MS17-010 patch is NOT required; others say that even if the SMBv1 client and server are disabled, the MS17-010 patch is STILL required.

So I really don't understand now whom I should listen to. If the SMBv1 client and server are disabled, how does installing the MS17-010 patch help in preventing WannaCry from spreading to a non-infected PC, as long as the aforementioned services are disabled, i.e. SMBv1, which the worm part of this ransomware exploits, is no longer enabled?

Please explain; it's useful for me to find out my mistake in case I should have installed the MS17-010 patch, because I have not installed the patch anywhere. I just disabled the SMBv1 client and server through the registry via group policy.

Does the patch fix the bugs in SMBv1 so that I could re-enable SMBv1? Still, Microsoft says don't use SMBv1, so why would I bother installing the MS17-010 patch, as long as the MS17-010 patch doesn't prevent WannaCry's actions as well?

I called many colleagues; many of them are still confused about this issue and don't know what to do about it. Please don't close this question, it is very important to directly clarify this issue and to be able to find it directly on a Google search.

elekgeek

Posted 2017-06-01T01:04:59.957


Answers


You do not need the MS17-010 patch if you disable SMBv1

As explained in the Executive Summary of Microsoft Security Bulletin MS17-010:

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

This "specially crafted message" is an exploit known as EternalBlue. Its role in spreading WannaCry is discussed in Cisco’s threat intelligence team's excellent blog post about the ransomware. In brief:

The malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability.

The Wikipedia article for the EternalBlue exploit confirms it is version 1 of Microsoft's implementation of SMB that is vulnerable:

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer. [Emphasis mine.]

Bottom line, if SMBv1 is disabled on a machine, then the EternalBlue exploit is not possible and WannaCry cannot infect the machine over SMB.

Note: SMBv1 is the only version of the protocol available on Windows Server 2003 and XP. Therefore disabling it also fully disables file sharing on these systems.


Install the MS17-010 patch anyway!!

Yes, you should stop using SMBv1. You should have stopped using it a long time ago. But even if you disable it, install this security patch anyway.

Doing so is NOT redundant. It's prudent. Should someone else come behind you and re-enable SMBv1 and the system not be patched, the machine again becomes vulnerable to an exploit that is capable of compromising the host easily and in an undetected manner. And the next guy might not be aware of the land mine he's enabled.

You don't need that liability hanging over any machine you're responsible for.

I say Reinstate Monica


Another thing: it doesn't mean that installing the MS17-010 patch allows me in any way to use/enable SMBv1, does it? Was the purpose of the patch to disable SMBv1 or to fix the vulnerability in SMBv1? – elekgeek – 2017-06-01T10:32:34.407

The patch resolves the vulnerability in SMBv1. It does not disable SMB. – I say Reinstate Monica – 2017-06-01T12:46:23.813

I see, then I can use it without any issues... – elekgeek – 2017-06-01T13:52:09.650

Of course, it was a good answer. – elekgeek – 2017-06-06T18:25:37.787
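The answer's two points, "disabled SMBv1 blocks EternalBlue" and "install MS17-010 anyway in case someone re-enables it", can be verified per host. The following is an added audit script, not code from the question or the answer, that checks both conditions on a Windows machine. It reads the registry and service locations that Microsoft's KB2696547 uses for disabling the SMBv1 server and client, and compares the installed hotfix list against the KB numbers published in the MS17-010 bulletin. That KB list is an assumption to verify against the bulletin for your OS build; on Windows 10 a later cumulative update supersedes the March 2017 one, so the script only reports whether one of the original KBs is visible.

```powershell
# Added example (not from the original post): audit one Windows host for
#   (a) whether the SMBv1 server and client are disabled, and
#   (b) whether an MS17-010 security update is visible in Get-HotFix.
# Registry/service locations follow Microsoft KB2696547. The KB numbers
# below are taken from the MS17-010 bulletin and are an assumption to
# verify for your OS build; superseding cumulative updates also cover it.

#Requires -RunAsAdministrator

$Ms17010Kbs = @(
    'KB4012598',                            # XP, Server 2003, Vista, 2008, Windows 8
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 cumulative
)

function Test-Smb1ServerEnabled {
    # SMB1 DWORD under LanmanServer\Parameters: 0 = disabled; 1 or absent = enabled.
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $p -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v) {
        # Windows 8 / 2012 and later also expose the setting through the SMB cmdlets.
        if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
        }
        return $true   # no value means the default, and the default is enabled
    }
    return ($v -ne 0)
}

function Test-Smb1ClientEnabled {
    # Client side per KB2696547: the mrxsmb10 driver must be disabled (Start = 4)
    # and removed from LanmanWorkstation's DependOnService list.
    $drv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
    $ws  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $driverDisabled    = ($null -eq $drv) -or ($drv.Start -eq 4)
    $dependencyRemoved = ($ws.DependOnService -notcontains 'mrxsmb10')
    return -not ($driverDisabled -and $dependencyRemoved)
}

function Get-Ms17010Hotfixes {
    # Returns the subset of the bulletin's KB IDs that Get-HotFix reports as installed.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

$smb1Server = Test-Smb1ServerEnabled
$smb1Client = Test-Smb1ClientEnabled
$found      = Get-Ms17010Hotfixes

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    SMB1ServerEnabled = $smb1Server
    SMB1ClientEnabled = $smb1Client
    MS17010Hotfixes   = ($found -join ',')
} | Format-List

if ($smb1Server -or $smb1Client) {
    Write-Warning 'SMBv1 is still enabled on this host; EternalBlue remains reachable over SMB.'
}
if ($found.Count -eq 0) {
    Write-Warning ('No MS17-010 KB visible in Get-HotFix. On Windows 10 a later cumulative ' +
                   'update supersedes the March 2017 one, so confirm against the OS build; ' +
                   'otherwise install the update even though SMBv1 is disabled.')
}
```

Run it elevated on each host (or wrap it in Invoke-Command for a fleet). A host that reports both SMB1 flags as False and at least one KB is in the state the answer recommends: the exploit path is closed today and stays closed if someone re-enables SMBv1 later. A host with both flags False but no KB visible is the case the answer warns about, where a single registry change would reopen it.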