This month’s Microsoft patch updates include one particular vulnerability that is raising concerns: CVE-2017-8620, which affects all versions of Windows from 7 onwards. Microsoft explained, “in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.”
In short, this is a wormable bug affecting all supported versions of Windows. The parallels with the SMBv1 vulnerability exploited by WannaCry and NotPetya are clear — indeed, Check Point described CVE-2017-8620 as ‘The Next WannaCry Vulnerability’. All that is currently missing is full disclosure of the vulnerability and a usable exploit (WannaCry and NotPetya spread using EternalBlue, the leaked NSA exploit for the SMBv1 flaw Microsoft had patched in MS17-010).
Notably, SANS describes this vulnerability as ‘more likely’ to be both disclosed and exploited in the future. If that happens, the situation could closely parallel WannaCry/NotPetya. Microsoft has done what it can (or as much as it is willing to do); it has patched the vulnerability. The vulnerability behind WannaCry had also been patched, two months before the outbreak; but WannaCry (and NotPetya) still happened (and the effects continue to be felt).
“The importance of patching systems cannot be underestimated,” says David Kennerley, director of threat research at Webroot. “There will always be zero-day vulnerabilities, but it’s worth noting that the vast majority of exploit attacks seen in the wild involve cybercriminals targeting known vulnerabilities. These vulnerabilities have already been fixed by the vendor, but the fix has not been deployed and installed by the end user. With any vulnerability that can result in remote code execution, there is always concern until users deploy and install patches. There is without doubt a window of opportunity for cybercriminals to take advantage.”
One concern for the CVE-2017-8620 vulnerability is that it could be adopted by nation-state actors. Absolute attribution of cyberattacks is difficult; but much current thinking is that the WannaCry attack was a somewhat botched ransomware attack (possibly originating from North Korea). The NotPetya ransomware attack is thought to be a disguised wiper attack primarily aimed at Ukraine, and possibly by Russian ‘patriots’. Extrapolating this progression, one possible future application of CVE-2017-8620 is its use by an adversarial nation-state as a rapidly spreading worm wiper cyberweapon. State actors would certainly have the resources to uncover the vulnerability and develop an exploit.
The current concern is that since many users did not patch against WannaCry/NotPetya, they might not patch CVE-2017-8620 before it is exploited. The question becomes, why is industry apparently lax in its patch procedures? This is a complex issue with no easy answer.
“Patching will break stuff,” F-Secure security advisor Sean Sullivan explains. “And so you can’t just roll out patches into a live production environment without testing. It’s a matter of time and resources. There’s no escaping the need to test.”
This view is echoed by Wendy Nather, principal security strategist at Duo Security. The ‘production’ environments in healthcare are a good example. “Because patient safety is paramount,” she said, “healthcare systems cannot be updated if doing so will threaten their availability. Even if the software is patched, it requires a new round of safety certifications that take months.” It is noticeable that healthcare — and especially the UK’s National Health Service — was badly affected by the WannaCry outbreak.
Production environments are not the only problem area for IT departments. “Any system with external, highly entangled dependencies will take longer to update,” says Nather. Established international organizations that have perhaps acquired foreign companies in different legal jurisdictions could fall into this category. It could take years, she suggested, “as integration testing, certifications, regulatory alignment in multiple countries, and staged deployment must all be carefully scheduled.”
Embedded systems are likely to prove an increasing problem for patching as the IoT expands, both in embedded operating systems and in proprietary software. Martin Zinaich, information security officer with the City of Tampa, gives an example. “Recently I was tracking down WannaCry attack traffic coming loud and strong from an IP address that I soon associated to an HP Scanner. Yes, a scanner — but a scanner that utilizes Windows POS. I now have to worry about large format scanners. Tomorrow it will be light bulbs, door locks and the candy machine.”
To add insult to injury, the scanner’s product data sheet specifically states, “Closed systems with very low risk of being infected by a virus, so no antivirus is required.” Vulnerabilities in IoT devices are now considered such a problem that US lawmakers have introduced a bill that will require vendors selling IoT devices to the US government to ensure that the devices are patchable.
While there are genuine reasons for some companies to delay patching — David Harley, senior research fellow at ESET, calls it “a balance between risking difficulties caused by a problematic patch, and risking issues caused by unpatched vulnerabilities” — there are still cases where organizations don’t see patching as a priority. “And that,” he adds, “has become more dangerous than ever in recent years.”
What becomes clear is that there are likely to be many unpatched systems around the world left vulnerable by the time an exploit for CVE-2017-8620 becomes available. Is Check Point correct in saying this could be the next WannaCry? Replies are guarded. “It might be a bit hyperbolic,” comments Sullivan, “but isn’t wrong. It may be too soon to worry about the ‘next’ attack (as they are very often different than the last) but it’s not too soon to be learning lessons from the WannaCry incident.” It’s not inevitable that it will be the next WannaCry, adds Harley: “but it’s not impossible.”
This just leaves the final question: if patching CVE-2017-8620 is not possible, how should companies protect themselves? The first requirement is that anti-virus defenses should be kept up to date. It is possible, but not immediately verifiable, that Microsoft will privately disclose the vulnerability to the anti-virus industry as part of the long-running practice of information-sharing between defenders (the Microsoft Active Protections Program, MAPP). “I wouldn’t be surprised to see anti-malware products include detection of the vulnerability or potential exploits,” comments Harley.
Defense in depth specifically aimed at preventing SMB worms will also help. F-Secure’s Jarno Niemela pointed out during the WannaCry outbreak that better firewall rules would have done much to mitigate the damage that was done: inbound SMB (TCP port 445) from untrusted networks has no legitimate reason to reach most workstations, and blocking it at host and network firewalls limits lateral movement whatever SMB-borne exploit is used. “Managing risk is not just about patching vulnerabilities,” says Sullivan.
Finally, if patching is planned but delayed, Microsoft’s recommended temporary mitigation against CVE-2017-8620 should be deployed: disable the Windows Search service (WSearch). The cost is that Explorer, Start menu and Outlook search indexing stop working until the patch is applied and the service is re-enabled; the benefit is that the vulnerable component is no longer listening.
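The following script is an added example, not code from the article, from Microsoft’s advisory or from any of the vendors quoted. It applies and then verifies the two interim measures discussed above on a single Windows host: the WSearch workaround and an inbound SMB block for workstations, plus turning off SMBv1 as the EternalBlue-specific hardening. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for the NetSecurity and SMB cmdlets), with a netsh fallback for Windows 7 / Server 2008 R2; the firewall rule name is our own choice.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft). Assumes an elevated
# session; the rule name below is an arbitrary label chosen for this script.

$RuleName = 'Block inbound SMB (worm mitigation)'

function Disable-WindowsSearchService {
    # Microsoft's documented workaround for CVE-2017-8620: stop and disable the
    # Windows Search service (WSearch). Side effect: Explorer, Start menu and
    # Outlook search stop working until the service is re-enabled after patching.
    $svc = Get-Service -Name WSearch -ErrorAction SilentlyContinue
    if (-not $svc) { return 'WSearch not installed' }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WSearch -Force }
    Set-Service -Name WSearch -StartupType Disabled
    return (Get-Service -Name WSearch).Status
}

function Block-InboundSmb {
    # Defence in depth against SMB worms: a workstation has no business accepting
    # SMB connections. Blocking TCP 445 (direct SMB) and 139 (SMB over NetBIOS)
    # inbound stops lateral movement regardless of SMB dialect or exploit.
    # Do NOT run this on a file server; there, scope the existing
    # "File and Printer Sharing" allow rules with -RemoteAddress instead.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
                -Protocol TCP -LocalPort 445,139 -Action Block -Profile Any | Out-Null
        }
    } else {
        # Windows 7 / Server 2008 R2 have no NetSecurity module; use netsh.
        netsh advfirewall firewall add rule name="$RuleName" dir=in action=block `
            protocol=TCP localport=445,139 | Out-Null
    }
}

function Disable-Smb1Server {
    # WannaCry/NotPetya spread over SMBv1 (EternalBlue). Turning SMBv1 off removes
    # that transport. It does not by itself address CVE-2017-8620, which Microsoft
    # describes only as reachable "through an SMB connection", so it complements
    # rather than replaces the two measures above.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

function Test-SmbWormMitigations {
    # Returns the state a vulnerability-management check would want to record.
    $svc = Get-Service -Name WSearch -ErrorAction SilentlyContinue
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WSearch'").StartMode
    $rule = $null
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    }
    $smb1 = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    [pscustomobject]@{
        WSearchStatus    = if ($svc) { $svc.Status } else { 'absent' }
        WSearchStartMode = if ($startMode) { $startMode } else { 'absent' }
        SmbBlockRule     = [bool]$rule -and ($rule.Enabled -eq 'True')
        Smb1Enabled      = $smb1
    }
}

Disable-WindowsSearchService
Block-InboundSmb
Disable-Smb1Server
Test-SmbWormMitigations
```

Once the August 2017 update is installed, reverse the workaround with `sc.exe config WSearch start= delayed-auto` followed by `Start-Service WSearch` (the service's default start type is Automatic (Delayed Start), which `Set-Service` in Windows PowerShell 5.1 cannot set directly). The SMB block rule and the SMBv1 setting can stay: neither depends on the patch, and both reduce the blast radius of the next SMB-borne worm.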