NAVANEM
CVE-2017-0144⚡ exploited in the wild

EternalBlue, SMBv1 unauthenticated RCE in Windows

The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2/R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka 'Windows SMB Remote Code Execution Vulnerability'. Originally leaked by the Shadow Brokers from the NSA's toolkit.

Overview

CVE-2017-0144, commonly known as "EternalBlue," is a critical wormable remote code execution vulnerability in Microsoft's SMBv1 (Server Message Block version 1) protocol implementation. Originally developed by the NSA as part of their cyber toolkit, it was publicly leaked by the Shadow Brokers hacking group in April 2017. Within weeks, it was weaponized to power the devastating WannaCry and NotPetya ransomware campaigns, causing billions of dollars in damage worldwide.

Technical Details

The vulnerability exists in how the Windows SMBv1 kernel driver parses Trans2 (Transaction 2) packets. A flaw in buffer handling allows attackers to write data outside an allocated buffer, leading to a buffer overflow condition. This enables remote attackers to execute arbitrary code at the kernel level without any authentication by sending specially crafted SMB packets to port 445.

The exploit chain achieves kernel-mode code execution, giving attackers complete control over the affected system. Because SMBv1 operates at the kernel level and requires no user interaction or credentials, the vulnerability is considered "wormable", malware can propagate automatically across networks without human intervention.

Impact

The real-world impact of EternalBlue was catastrophic:

  • WannaCry (May 12, 2017): Infected over 200,000 systems across 150 countries, impacting the UK's NHS, Telefónica, FedEx, Renault, and Honda. Estimated damages: $4-8 billion.
  • NotPetya (June 27, 2017): Combined EternalBlue with credential theft to wipe data globally. Maersk reported $300M in losses; Merck lost $870M.

Both attacks occurred despite Microsoft releasing patch MS17-010 two months prior. The vulnerability remains relevant today in legacy environments including industrial OT systems, air-gapped Windows 7/Server 2008 machines, point-of-sale systems, and medical imaging equipment.

Mitigation

  1. Apply MS17-010 immediately on all Windows systems, including out-of-band patches Microsoft released for Windows XP/2003/2008
  2. Disable SMBv1 on both server and client sides where not strictly required
  3. Block ports 139/445 at network perimeters, SMB should never be Internet-accessible
  4. Audit legacy systems including OT environments, kiosks, and inherited infrastructure
  5. Monitor for outbound SMB traffic which may indicate compromised hosts

Detection

Detection methods include:

  • Network monitoring for unusual SMB traffic patterns on ports 139/445
  • IDS/IPS signatures for EternalBlue exploit attempts
  • Vulnerability scanning specifically for MS17-010 patch status
  • Flow log analysis for outbound SMB connections indicating potential beaconing
  • PowerShell commands to check SMBv1 status: Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol