Asocha
Cisco Employee

Unless you've been living under a rock, you've heard of the WannaCry ransomware attack that has hit Windows systems around the world in the last few days. Hopefully you and your customers haven't been victims of this attack. WannaCry is a ransomware program that targets Microsoft Windows operating systems. It can arrive by phishing email, and it spreads throughout a network (and to any unpatched host reachable on TCP port 445) using the EternalBlue SMBv1 exploit and the DoublePulsar backdoor. Microsoft released a security fix in March 2017 to address the issue, but (apparently) not everyone has installed it. Note that the security patch does require a restart of the server.

Here are some useful links that can help you understand the issue and protect your systems from this attack.

Cisco has released an official PSIRT notification for WannaCry.  This is a generic notice for all Cisco products that don't support Windows auto updates.

There is a new article on TechZone that also contains similar links and information.


Both Cisco articles reference the original Microsoft security bulletin: MS17-010. This security update was published two months before the WannaCry attack, so it doesn't reference WannaCry explicitly. However, WannaCry exploits a weakness in the Microsoft Server Message Block 1.0 (SMBv1) server, and this security bulletin addresses that weakness.

CCBU is exploring the feasibility of disabling SMBv1 on our servers as a short-term way to block the WannaCry propagation vector on hosts where the security patch has not yet been installed. No problems have been found in our initial testing. Disabling SMBv1 is a mitigation, not a substitute for the fix: CCBU's recommendation is to apply the patch as soon as possible, and to confirm that nothing on the host still depends on SMBv1 before turning it off. As a long-term strategy it is in your customers' best interest to regularly install Microsoft security updates to avoid problems like WannaCry. As the old adage goes: an ounce of prevention is worth a pound of cure.
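As an added example (not code from the Cisco post or from CCBU), the following PowerShell checks whether an MS17-010 package is installed, shows the current SMB dialect switches, and disables the SMBv1 server component while leaving SMBv2/SMBv3 alone. The KB list is my reading of the MS17-010 bulletin for Windows Server 2008 R2, 2012 and 2012 R2 (security-only and monthly rollup packages) plus the out-of-band package for older releases; it is an assumption that this list matches your OS build, so verify it against the bulletin before relying on the check. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original post.
# Assumption: these are the MS17-010 packages for Server 2008 R2 / 2012 / 2012 R2
# (security-only and monthly rollup) and the out-of-band package for older releases.
# Confirm the list against the MS17-010 bulletin for your exact OS build.
$Ms17010Kbs = @('KB4012212', 'KB4012215',   # Server 2008 R2 / Windows 7
                'KB4012214', 'KB4012217',   # Server 2012
                'KB4012213', 'KB4012216',   # Server 2012 R2 / Windows 8.1
                'KB4012598')                # Server 2003 / 2008 / XP / Vista (out-of-band)

# 1. Is any MS17-010 package already installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 present:" ($installed.HotFixID -join ', ')
} else {
    Write-Warning "No MS17-010 package found. Patch and reboot as soon as possible."
}

# 2. Current SMB server dialect switches (SmbShare module: Server 2012+ / Windows 8+;
#    the cmdlet does not exist on Server 2008 R2).
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol

# 3. Turn off the SMBv1 server component only. SMBv2/SMBv3 stay enabled, so hosts
#    that still need SMB for normal operation keep working.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# On Server 2008 R2 (no SmbShare module) the documented registry switch does the same
# job; it takes effect after a reboot.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name SMB1 -Type DWORD -Value 0 -Force

# 4. Optional: also disable the SMBv1 client driver (mrxsmb10) so this host will not
#    negotiate SMBv1 outbound either. These are Microsoft's documented sc.exe commands;
#    a reboot is required.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
```

The order matters: check for the patch first, because a patched host no longer needs the SMBv1 workaround, and the workaround alone does not remove the underlying srv.sys vulnerability. Step 3 changes only the SMBv1 flag; do not pass `-EnableSMB2Protocol $false`, since SMBv2 and SMBv3 share that switch and disabling it breaks any application that relies on SMB.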

6 Comments
danielepasquini
Level 1

When updating an old server is not possible (for example because of a framework crash), the only possible solution is to disable Microsoft Server Message Block 1.0 (SMBv1) and SMBv2 with a PowerShell resource.


P.S.

A framework update is very important for a Windows OS. I recommend a system restore point and a snapshot first, before any action such as installing important add-on features.


Daniele

hcaldwel
Cisco Employee

Great blog post, Andrew!

I also wanted to share that I just learned about a Talos webinar coming up on Thursday, May 18, that will cover WannaCry and OAuth phishing. You can learn more about the session and register here.

Michael Green
Cisco Employee

Daniele - Important to note is that UCCE does utilise SMB. We have confirmed that UCCE versions 9.0 and above do not use SMBv1, and so far we have found no issues in our testing of disabling SMBv1 on UCCE 9.0+. However, for versions prior to 9.0 (which run the EOL Windows Server 2003, which predates SMBv2), such as UCCE 8.5 (which is EOL but some customers are still running), disabling SMBv1 will impact UCCE, so we don't advise disabling SMBv1 for EOL versions.

danielepasquini
Level 1

That is normal!

This is just a precaution!

I mean, once you've got your system into a secure state, then you think about restoring it with a new one.

Daniele

lukasz_zwada
Level 1

So for UCCE 9.0+ we can disable SMBv1, but we can't disable SMBv2 and v3? What could happen if I disabled SMBv2/3 on UCCE 10.5?

Michael Green
Cisco Employee

SMB is used for some communication between the AW and the Logger in UCCE, so with SMB disabled/blocked this communication will fail and could cause issues with configuration changes and reporting. Prior to 9.0, SMBv1 was used (as Windows 2003 only had SMBv1); from 9.0 onwards UCCE stopped using SMBv1. SMBv2 and SMBv3 can only be disabled or enabled together (e.g. you can't disable just v2 or just v3; the switch disables both of them).

Basically, for 10.5 you can disable SMBv1, but don't disable v2/v3. We also recommend having the MS critical fixes in place as well.
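The thread above turns on one practical question: before SMBv1 is switched off on a UCCE host, is anything (AW, Logger, a client workstation) still negotiating dialect 1.x with this server? The following PowerShell is an added example, not code from the post or from Cisco; it lists the server's current SMB sessions, flags any that negotiated an SMBv1 dialect, and then enables Microsoft's SMB1 access auditing so that later SMBv1 connection attempts are logged. `Get-SmbSession` requires Windows Server 2012 or later; the `-AuditSmb1Access` switch is available on Windows Server 2016 and on Server 2012 R2 with the SMB1 auditing update (assumed here; check `Get-Command Set-SmbServerConfiguration -ParameterName AuditSmb1Access` first).

```powershell
# Added example, not from the original post.
# Lists active SMB sessions on this server and returns only those that negotiated
# an SMBv1 dialect (Dialect values look like "1.5", "2.1", "3.02").
function Get-Smb1Sessions {
    Get-SmbSession |
        Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens |
        Where-Object { $_.Dialect -and ([version]$_.Dialect -lt [version]'2.0') }
}

$smb1 = Get-Smb1Sessions
if ($smb1) {
    Write-Warning "Clients still negotiating SMBv1. Fix them before disabling SMB1:"
    $smb1 | Format-Table -AutoSize
} else {
    Write-Host "No active SMBv1 sessions on this server right now."
}

# A point-in-time snapshot misses clients that connect only occasionally (e.g. a
# scheduled report pull). Assumption: this host supports the SMB1 auditing switch
# (Server 2016, or Server 2012 R2 with the auditing update). Once enabled, each
# SMBv1 connection attempt is written as event ID 3000 in the SMBServer/Audit channel.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# Review what has been seen since auditing was turned on; the Message field names
# the client address, which tells you which component still speaks SMBv1.
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 3000 } |
    Select-Object TimeCreated, Message
```

Leave auditing on for a full business cycle (at least one reporting run between AW and Logger) before acting on an empty result. Sessions reported at dialect 2.x or 3.x are unaffected by disabling SMBv1, which is why the UCCE 9.0+ guidance above is to remove SMBv1 only and keep SMBv2/SMBv3 enabled.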
