ETERNALBLUE being detected after patch installation (WK3)

Question asked by Abner Almeida on May 26, 2017
Latest reply on Jun 5, 2017 by Kyle Schuster

Hello, Community.

We’re still facing some problems/doubts regarding the remediation of some vulnerabilities related to the Shadow Brokers’ exploits, more specifically the ETERNALBLUE exploit.

Our Windows team applied patches to 400+ servers, including KB4012598, released by Microsoft for systems running Windows XP, Windows Server 2003 and Windows 8.

But even after these patches have been applied and the servers have been rebooted, we’ve found some examples of the following case:

The server SW06TB389 (running Windows Server 2003 Service Pack 2) received the patch on Saturday (May 13th).

After patch installation, the system was rebooted.

The patch, from what I know, doesn’t remove the Registry Keys related to SMB (whatever the version is).

Well, in fact the registry key persisted after the patch was installed and SMB v1 kept running.

Buuuut, in the scan we ran on Monday (May 15th), as you can see, QID 91360 (of the ETERNALBLUE exploit) was detected,

pointing out that the key HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb exists.

But, if the patch was applied, shouldn’t this vulnerability (at least this one) be fixed?

I mean, according to Robert Dell’Immagine, from Qualys:

This is a screenshot taken from his response to my own question in the Community.

Another thing:

Qualys seems to be searching for the service only in this Key:

HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb

But Microsoft, in their Workaround section on this vulnerability, only describes changes to be made in this key:

HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Our Windows team has followed Microsoft's instructions, but Qualys keeps pointing to the first one and detects the servers as vulnerable. What's the difference between both of them? Should the first one be changed (or deleted) even if the patch was applied?

I can’t help our Windows team if I can’t be 100% sure that the information provided by Qualys is compliant with Microsoft’s info.

Can anybody help me to solve this doubt?

Thank you so much!
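
Added example (not code from the original post, from Qualys, or from Microsoft): a PowerShell check a Windows team could run on a host like the one described, to see side by side the three facts the questions above turn on: whether the KB is recorded as installed, what the LanmanServer\Parameters SMB1 value is, and what the Start value of the mrxsmb service key is. It assumes PowerShell 2.0 or later with Get-HotFix is available on the host, and it additionally reads the mrxsmb10 service key, which is assumed here to hold the SMBv1 client driver. The KB number and the two registry paths are the ones named in the post; the script does not reproduce how any scanner's check is implemented.

```powershell
# Added example: consolidated SMBv1 / MS17-010 remediation check for one host.
# Assumptions (not taken from the original post): PowerShell 2.0 or later with
# Get-HotFix is present on the host, and the mrxsmb10 service key holds the
# SMBv1 client driver. The KB number and the two registry paths are the ones
# named in the post.
function Get-Smb1RemediationState {
    param(
        # KB named in the post for Windows XP / Server 2003 / 8; other builds use other KBs
        [string]$PatchId = 'KB4012598'
    )

    # 1. Patch state: is the hotfix recorded as installed? A missing record
    #    after a reboot is the first thing to reconcile with the scanner result.
    $hotfix = Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue
    $installedOn = $null
    if ($hotfix) { $installedOn = $hotfix.InstalledOn }

    # 2. SMB server side (the key from Microsoft's workaround in the post).
    #    SMB1 = 0 (DWORD) disables the SMBv1 server; no value means the default, enabled.
    $serverPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $serverParams = Get-ItemProperty -Path $serverPath -ErrorAction SilentlyContinue
    $smb1Server   = 'not set (default: enabled)'
    if ($serverParams -and $serverParams.PSObject.Properties['SMB1']) {
        $smb1Server = $serverParams.SMB1
    }

    # 3. SMB client side (the key the scanner reported on). The key being present
    #    only says the redirector driver is registered; the Start value is what
    #    matters: 4 = disabled. Disable via Start (or sc.exe), not by deleting the key.
    $clientStart = @{}
    foreach ($svc in 'mrxsmb', 'mrxsmb10') {
        $svcKey = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue
        if ($svcKey) { $clientStart[$svc] = $svcKey.Start } else { $clientStart[$svc] = 'key absent' }
    }

    # Summarise the three facts side by side so scanner output can be reconciled.
    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        PatchId          = $PatchId
        PatchInstalled   = [bool]$hotfix
        PatchInstalledOn = $installedOn
        Smb1ServerValue  = $smb1Server
        MrxSmbStart      = $clientStart['mrxsmb']
        MrxSmb10Start    = $clientStart['mrxsmb10']
    }
}

# Run locally; pipe to Export-Csv to collect results across a server estate.
Get-Smb1RemediationState | Format-List
```

The point of reading all three together is that the existence of the mrxsmb key on its own does not say whether a host is patched: that key belongs to the SMB redirector and is present on every Windows install. Whether the host still exposes SMBv1 is decided by the SMB1 value under LanmanServer\Parameters (server side) and the Start value of the SMBv1 client driver (client side), and whether it is still exploitable is decided by the hotfix state. A scanner finding should be reconciled against those values, and a driver service is disabled through its Start value (or sc.exe), not by deleting its registry key.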
