EternalChampion, EternalRomance, and EternalSynergy Modified to Exploit All Windows Versions since Windows 2000
Over the past year, an NSA exploit dubbed EternalBlue, which was released by a hacking group known as The Shadow Brokers, dominated headlines largely due to its role in the WannaCry, NotPetya, and Bad Rabbit cyber-attacks. Other exploits leaked by the hacking group did not garner as much attention because they could only be used to target a small number of outdated Windows distributions. However, RiskSense security researcher Sean Dillon recently modified the source code of three of these lesser-known exploits – EternalChampion, EternalRomance, and EternalSynergy – to affect all unpatched Windows OS versions since Windows 2000. The exploits overwrite the SMB connection session structures to gain administrative/SYSTEM access. EternalRomance and EternalSynergy are now capable of exploiting CVE-2017-0143, a type confusion vulnerability between WriteAndX and Transaction requests, and EternalSynergy and EternalChampion can now exploit CVE-2017-0146, a race condition vulnerability for Transaction requests. The NJCCIC recommends that users and administrators of affected Windows distributions review Dillon’s GitHub post for additional details, including a full list of affected systems, and apply the critical updates to patch the aforementioned vulnerabilities or disable SMBv1 on systems that cannot be updated immediately.
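For the interim mitigation recommended above, the following added example (not part of the original advisory) audits whether the SMBv1 server is enabled on the local host and, when run with `-Disable`, turns it off. The `-Disable` switch and the `Get-Smb1State` function are names chosen for this example; the script assumes an elevated PowerShell prompt.

```powershell
# Added example: audit SMBv1 on the local host and optionally disable it.
# -Disable and Get-Smb1State are this example's own names, not built-in ones.
param([switch]$Disable)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    $server  = 'unknown'
    $feature = 'not reported'

    # Windows 8 / Server 2012 and later expose the SMB server settings directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older systems: SMBv1 is on unless the SMB1 registry value exists and is 0.
        $v = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
        $server = -not ($v -and $v.SMB1 -eq 0)
    }

    # Where SMBv1 is an optional feature, report whether it is installed at all.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                 -ErrorAction SilentlyContinue
        if ($f) { $feature = $f.State }
    }

    New-Object PSObject -Property @{ Server = $server; Feature = $feature }
}

$before = Get-Smb1State
Write-Output "SMBv1 server enabled: $($before.Server); optional feature: $($before.Feature)"

if ($Disable -and $before.Server -ne $false) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry fallback for older systems; takes effect after a restart.
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0
    }
    Write-Output "SMBv1 server setting after change: $((Get-Smb1State).Server)"
}
```

Disabling SMBv1 can break file sharing with legacy devices that speak no newer dialect, so run the audit-only form first and inventory dependencies before using `-Disable` broadly.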