EternalSynergy is an exploit released by The Shadow Brokers group as part of an exploitation framework they leaked publicly. It leverages a remote code execution (RCE) vulnerability in the SMB service of Windows Server 2012 SP0 and Windows 8 SP0, the vulnerability addressed by the MS17-010 security update.
The exchange observed on the wire:
- The attacker sends a large NT Trans (0xA0) request carrying the NT RENAME subcommand (information disclosure attempt).
- The victim responds with a large NT RENAME reply, believed to contain leaked kernel heap memory.
- The attacker sends a large NT Trans Secondary (0xA1) request, believed to carry the overflow payload that yields RCE.
- The victim responds with a smaller NT RENAME reply that contains further indicators of leaked kernel heap memory, with status NT_STATUS_BUFFER_OVERFLOW. Note that this status also appears in legitimate SMB traffic (for example on named-pipe reads), so on its own it is not an indicator; it matters only as the final step of the sequence above.
The exploit succeeds when:
- The target host is Windows Server 2012 SP0 without the MS17-010 update.
- The target host is Windows 8 SP0 without the MS17-010 update.
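The following is an added example, not Alert Logic's signature or code: a minimal SMB1 parser and a stateful matcher for the four-step exchange above, run over packets constructed inline for the purpose. It keys state on the client/server pair and only alerts once the large NT Trans (NT RENAME), the large reply, the large NT Trans Secondary and the NT_STATUS_BUFFER_OVERFLOW reply have all been seen in order, which is what keeps an isolated NT_STATUS_BUFFER_OVERFLOW from firing. The 4 KiB "large" threshold, the addresses, the flag values and the packet contents are assumptions; the field layouts follow the SMB1 (CIFS) wire format.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NT_TRANSACT = 0xA0            # NT Trans request / response command
SMB_COM_NT_TRANSACT_SECONDARY = 0xA1  # NT Trans Secondary request command
NT_TRANSACT_RENAME = 0x0005           # NT Trans subcommand (Function) for NT RENAME
STATUS_BUFFER_OVERFLOW = 0x80000005   # the status the advisory calls NT_STATUS_BUFFER_OVERFLOW
SMB_FLAGS_REPLY = 0x80
LARGE_THRESHOLD = 0x1000              # assumption: "large" means at least 4 KiB of transaction data


def parse_smb1(raw):
    """Decode a NetBIOS-framed SMB1 message into header fields, parameter words and data bytes."""
    if len(raw) < 39 or raw[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    body = raw[4:4 + int.from_bytes(raw[1:4], "big")]
    if body[:4] != SMB_MAGIC or len(body) < 35:
        raise ValueError("not an SMB1 message")
    command, status, flags, _flags2 = struct.unpack_from("<BIBH", body, 4)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", body, 24)
    word_count = body[32]
    bc_off = 33 + 2 * word_count
    if bc_off + 2 > len(body):
        raise ValueError("truncated SMB1 message")
    byte_count = struct.unpack_from("<H", body, bc_off)[0]
    return {"command": command, "status": status, "flags": flags, "ids": (tid, pid, uid, mid),
            "words": body[33:bc_off], "byte_count": byte_count, "data": body[bc_off + 2:bc_off + 2 + byte_count]}


def nt_transact_fields(words):
    """Parameter block of an NT_TRANSACT request: 19 words plus SetupCount."""
    if len(words) < 38:
        raise ValueError("short NT_TRANSACT parameter block")
    f = struct.unpack_from("<BHIIIIIIIIBH", words, 0)
    return {"total_data": f[3], "data_count": f[8], "setup_count": f[10], "function": f[11]}


def nt_transact_secondary_fields(words):
    """Parameter block of an NT_TRANSACT_SECONDARY request: 18 words."""
    if len(words) < 36:
        raise ValueError("short NT_TRANSACT_SECONDARY parameter block")
    f = struct.unpack_from("<3xIIIIIIIIx", words, 0)
    return {"total_data": f[1], "data_count": f[5], "data_displacement": f[7]}


def detect_eternalsynergy(packets):
    """Match the advisory's four-step sequence over (src, dst, raw) tuples; returns one alert per match."""
    stage, alerts = {}, []
    for src, dst, raw in packets:
        try:
            m = parse_smb1(raw)
            is_reply = bool(m["flags"] & SMB_FLAGS_REPLY)
            key = (dst, src) if is_reply else (src, dst)      # always (client, server)
            s, cmd = stage.get(key, 0), m["command"]
            if not is_reply and cmd == SMB_COM_NT_TRANSACT:
                f = nt_transact_fields(m["words"])            # step 1: large NT Trans with NT RENAME
                stage[key] = 1 if f["function"] == NT_TRANSACT_RENAME and f["total_data"] >= LARGE_THRESHOLD else 0
            elif is_reply and cmd == SMB_COM_NT_TRANSACT and s == 1:
                stage[key] = 2 if m["byte_count"] >= LARGE_THRESHOLD else 0   # step 2: large reply (suspected leak)
            elif not is_reply and cmd == SMB_COM_NT_TRANSACT_SECONDARY and s == 2:
                f = nt_transact_secondary_fields(m["words"])  # step 3: large secondary (suspected overflow payload)
                stage[key] = 3 if f["data_count"] >= LARGE_THRESHOLD else 0
            elif is_reply and cmd == SMB_COM_NT_TRANSACT and s == 3:
                if m["status"] == STATUS_BUFFER_OVERFLOW:     # step 4: smaller reply, NT_STATUS_BUFFER_OVERFLOW
                    alerts.append({"client": key[0], "server": key[1], "ids": m["ids"]})
                stage[key] = 0
        except ValueError:
            continue
    return alerts


# --- constructed packets (not a real capture) -------------------------------------------------
def build_smb1(command, words, data, status=0, flags=0x18, ids=(1, 0x1234, 0x800, 1)):
    hdr = SMB_MAGIC + struct.pack("<BIBH", command, status, flags, 0xC807)
    hdr += bytes(2) + bytes(8) + bytes(2) + struct.pack("<HHHH", *ids)
    body = hdr + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body


def nt_transact_words(function, total_data, data_count):
    return struct.pack("<BHIIIIIIIIBH", 0, 0, 0, total_data, 0, 0, 0, 0, data_count, 0, 0, function)


def nt_transact_secondary_words(total_data, data_count, displacement):
    return struct.pack("<3xIIIIIIIIx", 0, total_data, 0, 0, 0, data_count, 0, displacement)


ATTACKER, VICTIM = "10.0.0.66", "10.0.0.20"   # assumed addresses
BIG, SMALL = 0x2000, 0x40
REPLY_WORDS = bytes(36)                       # 18-word NT Trans response block, zeroed for the example

SUSPECT_STREAM = [
    (ATTACKER, VICTIM, build_smb1(SMB_COM_NT_TRANSACT, nt_transact_words(NT_TRANSACT_RENAME, BIG, BIG), b"A" * BIG)),
    (VICTIM, ATTACKER, build_smb1(SMB_COM_NT_TRANSACT, REPLY_WORDS, b"\x00" * BIG, flags=0x98)),
    (ATTACKER, VICTIM, build_smb1(SMB_COM_NT_TRANSACT_SECONDARY, nt_transact_secondary_words(BIG, BIG, BIG), b"B" * BIG)),
    (VICTIM, ATTACKER, build_smb1(SMB_COM_NT_TRANSACT, REPLY_WORDS, b"\x00" * SMALL, status=STATUS_BUFFER_OVERFLOW, flags=0x98)),
]
# A small NT Trans IOCTL (Function 0x0002) answered with STATUS_BUFFER_OVERFLOW: legitimate, must not alert.
BENIGN_STREAM = [
    (ATTACKER, VICTIM, build_smb1(SMB_COM_NT_TRANSACT, nt_transact_words(0x0002, SMALL, SMALL), b"C" * SMALL)),
    (VICTIM, ATTACKER, build_smb1(SMB_COM_NT_TRANSACT, REPLY_WORDS, b"\x00" * SMALL, status=STATUS_BUFFER_OVERFLOW, flags=0x98)),
]

if __name__ == "__main__":
    print("suspect:", detect_eternalsynergy(SUSPECT_STREAM))
    print("benign: ", detect_eternalsynergy(BENIGN_STREAM))
```

Feeding real traffic would mean pulling the TCP payloads from a capture in order and passing them as the raw bytes; the parser only understands NetBIOS session framing, so a message split across TCP segments has to be reassembled first.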
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this exploit and has developed signatures to detect it, depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) delivered through Alert Logic Threat Manager™ has been updated with signatures for this exploit. When a signature matches, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
To mitigate the vulnerability, apply the MS17-010 security update to affected hosts, or upgrade to a supported version of Windows that includes it. Where the update cannot be applied immediately, disable SMBv1 on the affected hosts and block inbound TCP port 445 from untrusted networks, since the exploit depends on reaching the SMBv1 service.