In the last few days, we saw how the "WannaCry" ransomware crippled 3 million Windows systems in around 150 countries. For technical details on "WannaCry", click here.
In this article, we will cover the step-by-step procedure to protect against "WannaCry" ransomware using Saner Solution.
"WannaCry" Infection Method:
Before we jump to a solution, we need to understand the infection method in order to protect against "WannaCry". "WannaCry" makes use of the "EternalBlue" exploit, one of the exploits leaked to the public in mid-April 2017 by a group called the Shadow Brokers. "WannaCry" exploits a vulnerability in the Server Message Block 1.0 (SMBv1) protocol (the issue is in the way the SMBv1 server handles certain requests) and gains the ability to execute code on the target system. Exploiting this vulnerability does not require authentication.
The CVE identifier CVE-2017-0144 has been assigned to this vulnerability.
In response to the Shadow Brokers' action, Microsoft released several patches addressing several vulnerabilities.
As we can see in the above image, the vulnerability (CVE-2017-0144) used by "EternalBlue" has been addressed by Microsoft in the MS17-010 patch. This patch also addresses the following additional vulnerabilities: CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148.
How to protect against "WannaCry":
There are two methods to protect against "WannaCry" ransomware:
- Solution: Patch the vulnerability by applying MS17-010 (Recommended)
- Workaround: Disable SMBv1
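The following PowerShell script is an added example, not Saner Solution's own code, showing how a Windows 7 administrator can check both items on a single host from an elevated prompt: whether the KB4012212 update from MS17-010 is installed, and whether the SMBv1 server is still enabled. With the -DisableSmb1 switch it applies the workaround. The registry location assumed for disabling SMBv1 on Windows 7 is the one documented by Microsoft in KB2696547; the function names are this example's own.

```powershell
# Added example (not Saner Solution code): audit a Windows 7 host for the MS17-010
# fix and the SMBv1 workaround, and optionally apply the workaround.
# Assumes: run in an elevated PowerShell prompt on the host being checked.
# Registry key and value per Microsoft KB2696547 (disabling SMBv1 on Windows 7).
[CmdletBinding()]
param(
    # KB from the article for Windows 7 SP1. Later monthly rollups supersede it,
    # so a missing KB4012212 alone is not proof that MS17-010 is unpatched;
    # extend this list with the rollup IDs your environment deploys.
    [string[]]$Ms17010Kbs = @('KB4012212'),
    [switch]$DisableSmb1
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1ServerState {
    # An absent value or a value of 1 means the SMBv1 server is enabled
    # (the default on Windows 7).
    $value = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $value -or $value.SMB1 -ne 0) { return 'Enabled' }
    return 'Disabled'
}

$patched = Test-Ms17010Installed -Kbs $Ms17010Kbs
$smb1    = Get-Smb1ServerState
Write-Host ("MS17-010 KB present : {0}" -f $patched)
Write-Host ("SMBv1 server        : {0}" -f $smb1)

if (-not $patched) {
    Write-Warning 'MS17-010 (e.g. KB4012212) not found; applying it is the recommended fix.'
}

if ($DisableSmb1 -and $smb1 -eq 'Enabled') {
    # Workaround: turn off the SMBv1 server and restart the Server service so the
    # change takes effect. Clients that only speak SMBv1 will lose access to shares.
    Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
    Restart-Service -Name LanmanServer -Force
    Write-Host 'SMBv1 server disabled; LanmanServer restarted.'
}
```

Run it without switches first to audit, then with -DisableSmb1 only on hosts where SMBv1-only clients are not expected.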
Now we will demonstrate how easy it is to use "Saner Solution" to protect against "WannaCry" by applying the patch or workaround to a group of devices in a network.
Protecting against "WannaCry" using Saner Solution:
For illustration, we have chosen a "Windows 7" system, as it presently has the highest number of users.
How to check if a system is affected by the CVE-2017-0144 vulnerability?
Step 1: Click on the "Manage" section, which appears on the left side of Saner Solution after login. Then click on the "Host Name" link to see a particular system's information (Figure 1).
Step 2: Figure 2 shows the "sp-win7-x32-dmo-3135" system information as it appears in Saner Solution. This system is used to demonstrate how to protect against "WannaCry" by fixing the CVE-2017-0144 vulnerability.
Step 3: Click on the "Vulnerabilities" section in the system information page. We can see that the vulnerability CVE-2017-0144 has been reported (Figure 3); this is the vulnerability "WannaCry" exploits to get into the system.
Step 4: Click on the "Patches" section, then the "Missing Patches" tab. We can see that the patch KB4012212 needs to be installed to protect against "WannaCry".
How to remediate the CVE-2017-0144 vulnerability using Saner Solution?
Step 1: Click on the "CMD & Ctrl" section on the left side. Then click on "Create Command" (Figure 5).
Step 2: Click on the "Remediation" icon as shown in Figure 6.
Step 3: Select "Remediation Job" from the drop-down list as shown in Figure 7.
Step 4: Select the full "group" or a specific "device" inside the group to which the patch needs to be applied, for example the "sp-win7-x32-dmo-e135" device under the "Windows 7" group. Next, click on the arrow button in the middle of the "Remediation Job" window, which says "click to see patches and devices" (Figure 8).
Step 5: Select the patch "Microsoft Windows" -> "Vendor Upgrade" for the specific Windows version you want to patch, for example "Microsoft Windows 7 sp1 x86" -> "Vendor upgrade", as shown in Figure 9.
Step 6 (Optional): Click on "?" next to "Vendor Upgrade" to see the patches included. For example, we need to apply "KB4012212", which is included in the "Microsoft Windows 7 sp1 x86" patch, as shown in Figure 10.
Step 7: Choose "select time to apply" from the drop-down list, which sets when the patch should be applied: "immediate", "after scheduled scan" or a "custom" time. Enter a "Job name" and "Job Description" in the text boxes. For example, the job name is "WannaCryPatchRemJob", as shown in Figure 11.
Step 8: Click on the "Add" button to create the "Remediation Job", as shown in Figure 12.
Step 9: The remediation job named "WannaCryPatchRemJob" is created successfully, as shown in Figure 13.
Step 10 (Optional): To see the status of the remediation job, click on its status, for example "Completed 0 out of 1", as shown in Figure 14.
Step 11 (Optional): The remediation status shows the overall status as "ongoing" and the specific patch as "queue", as shown in Figure 15.
Step 12: Sometimes successful remediation requires one or more systems to be rebooted. If the remediation job's Overall Status says "reboot needed", as shown in Figure 16, reboot the systems to continue the remediation process.
Step 13: Once the remediation job is successful, the Overall Status changes to "success" (Figure 17).