Eternal Blues – Day 4 (important update)

It’s been quite a day. More than 2,000 scans in the past 24 hours and over 6,000 in total.

IMPORTANT UPDATE

My first priority for today was fixing the reported issues (I actually took a day off work). There were some scenarios of incorrect detection. It mainly happened with Windows 2003, but it is likely to reproduce with other versions as well (the issue was reading 2 overridden bytes). I can't know the exact likelihood of reproduction, but I roughly estimate it at 1%-3%, which means approximately 2-8 hosts out of the default 256-host scan. If only half of those IPs are in use, that is 1-4 hosts with a chance of a result mismatch.

Therefore, for people who scanned with version 0.0.0.4 or earlier:
I encourage you to run another scan with the latest version. Thankfully, a few people made contact and reported these mismatches on day 2. Today they verified version 0.0.0.5 and it reported 100% correct results.

How does this tool work?

I get a lot of questions about what the logic is behind getting a "YES" (vulnerable) result for a host. People were wondering whether the check was just "pinging the host", or "checking SMBv1 status", or "finding shares". The answer to all three is "no".

Eternal Blues checks for the EternalBlue (MS17-010) vulnerability by sending 4 crafted SMB messages. There are many references online for the technical details. I think the best executive summary I read was Rapid7's:

“…it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is “STATUS_INSUFF_SERVER_RESOURCES”, the machine does not have the MS17-010 patch.”

It also seems that a patched host (with MS17-010 applied) returns STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED instead.

The 4 crafted SMB messages are:

  • SMB Negotiate Protocol
  • SMB Session Setup AndX Request
  • SMB Tree Connect AndX (to IPC$)
  • SMB Transaction request with the PeekNamedPipe subcommand, on FID 0

Getting STATUS_INSUFF_SERVER_RESOURCES as the NT status in the reply to the 4th message means the host is vulnerable. The check reads only the status code of that transaction: it does not depend on a ping reply or on finding any shares, and it does not attempt to exploit the host.
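To make the exchange concrete, here is the same four-message check written in Python. This is an added example and not Eternal Blues' own code (the tool's source is not part of this post): it builds each SMB1 message with struct, pulls the NT status out of each reply, and maps the status of the PeekNamedPipe reply to a verdict exactly as the Rapid7 summary describes. The wire layout follows MS-CIFS; the choice of an anonymous (null) session with empty passwords, the single "NT LM 0.12" dialect, non-Unicode strings and the "UNKNOWN" verdict for any status the post does not mention are my assumptions, not the tool's.

```python
import socket
import struct

# NT status codes named in the post (values from MS-ERREF).
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # MS17-010 missing: host is vulnerable
STATUS_INVALID_HANDLE = 0xC0000008           # patched
STATUS_ACCESS_DENIED = 0xC0000022            # patched

SMB_COM_TRANSACTION, SMB_COM_NEGOTIATE = 0x25, 0x72
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75
TRANS_PEEK_NMPIPE = 0x23  # SMB_COM_TRANSACTION subcommand: PeekNamedPipe
FLAGS2 = 0x4001           # ask for NT status codes; ASCII (non-Unicode) strings (assumption)

def smb_header(command, status=0, tid=0, uid=0, mid=0):
    """32-byte SMB1 header; flags 0x18 = canonical paths, case-insensitive."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, status, 0x18,
                       FLAGS2, 0, b"\x00" * 8, 0, tid, 0, uid, mid)

def netbios(smb):
    """NetBIOS session-service frame: type byte 0x00 plus a 3-byte length."""
    return struct.pack(">I", len(smb)) + smb

def build_negotiate():  # message 1
    dialects = b"\x02NT LM 0.12\x00"
    return netbios(smb_header(SMB_COM_NEGOTIATE, mid=1)
                   + struct.pack("<BH", 0, len(dialects)) + dialects)

def build_session_setup():  # message 2: anonymous (null) session, an assumption
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 2, 0, 0, 0, 0, 0, 0x40)
    data = b"\x00" * 4  # empty account, domain, native OS and LAN Manager strings
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX, mid=2)
                   + bytes([13]) + words + struct.pack("<H", len(data)) + data)

def build_tree_connect(uid, ip):  # message 3: connect to \\ip\IPC$
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)  # no AndX, flags 0, 1-byte password
    data = b"\x00" + ("\\\\%s\\IPC$" % ip).encode() + b"\x00?????\x00"
    return netbios(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid, mid=3)
                   + bytes([4]) + words + struct.pack("<H", len(data)) + data)

def build_peek_named_pipe(tid, uid):  # message 4: Transaction PeekNamedPipe on FID 0
    name = b"\\PIPE\\\x00"
    offset = 32 + 1 + 32 + 2 + len(name)  # parameter/data offset from header start (74)
    words = struct.pack("<HHHHBBHIHHHHHBBHH", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,
                        0, offset, 0, offset, 2, 0, TRANS_PEEK_NMPIPE, 0)  # last word: FID 0
    return netbios(smb_header(SMB_COM_TRANSACTION, tid=tid, uid=uid, mid=4)
                   + bytes([16]) + words + struct.pack("<H", len(name)) + name)

def parse_response(raw):
    """Return (command, nt_status, tid, uid) from a NetBIOS-framed SMB1 message."""
    if len(raw) < 36 or raw[4:8] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command, status = struct.unpack_from("<BI", raw, 8)
    tid, uid = struct.unpack_from("<H", raw, 28)[0], struct.unpack_from("<H", raw, 32)[0]
    return command, status, tid, uid

def classify(status):
    """Map the NT status of the PeekNamedPipe reply to the post's verdict."""
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "PATCHED"
    return "UNKNOWN (0x%08X)" % status

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def recv_smb(sock):
    head = _recv_exact(sock, 4)
    return head + _recv_exact(sock, struct.unpack(">I", head)[0] & 0xFFFFFF)

def _exchange(sock, packet, step):
    sock.sendall(packet)
    _, status, tid, uid = parse_response(recv_smb(sock))
    if status:
        raise RuntimeError("%s failed with NT status 0x%08X" % (step, status))
    return tid, uid

def check_host(ip, port=445, timeout=5.0):
    """Run the four-message exchange against one host and return the verdict."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        _exchange(s, build_negotiate(), "negotiate")
        _, uid = _exchange(s, build_session_setup(), "null session setup")
        tid, uid = _exchange(s, build_tree_connect(uid, ip), "IPC$ tree connect")
        s.sendall(build_peek_named_pipe(tid, uid))
        return classify(parse_response(recv_smb(s))[1])
```

check_host("192.0.2.10") runs the live exchange against one host; parse_response and classify also work offline on bytes captured from a pcap, which is a handy way to confirm a verdict by hand when a result looks suspicious (as with the Windows 2003 mismatches above). Any status other than the three the post names is reported as UNKNOWN rather than guessed.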

What’s next?

  • Releases visibility (communicating new content for each version)
  • Some bug fixes (mainly UI, hopefully no more mismatches)
  • Taking some feature requests
  • Statistics. Prepare for some (super) Power BI


3 thoughts on “Eternal Blues – Day 4 (important update)”

  1. Hi there,

    First of all, thanks for taking the time to develop this tool. It's easy to use and gives us straightforward visibility into how vulnerable we are regarding the EternalBlue issue.

    The one thing I’m asking for as an improvement is that you give us the ability to execute scans in different subnets without having to exit the app and execute it again.

    Once again thanks for this awesome tool.

    Regards.

  2. I think I have to wait until tomorrow to run this. I’m fried. If it comes back bad I need it not to be at night. Thank you for doing this. It makes me feel like I’m being proactive.
