Revision 1.0, 17-May-2017
This is an important Security Bulletin from Scala regarding the “WannaCrypt” (and related) malware attack. Internet security experts generally consider the WannaCrypt malware that exploits the EternalBlue weakness to be serious and worth urgent attention.
At Scala, we take our partners’ and our customers’ security seriously. We’d like to share with you the status of Scala’s products and services, and what steps we recommend you take.
As you may know, this week the Internet is experiencing a significant ransomware cyber-attack variously called WannaCrypt, WannaCry, WannaCrypt0r, or Wanna Decryptor. This attack propagates using an exploit against Microsoft Windows nicknamed EternalBlue. (The name DoublePulsar is also associated with this outbreak; it is a backdoor/exploit tool upon which WannaCrypt et al are built.)
EternalBlue is a family of exploits described by CVE‑2017‑0143, CVE‑2017‑0144, CVE‑2017‑0145, CVE‑2017‑0146, and CVE‑2017‑0148. These exploits target the SMB (Server Message Block) feature, which Windows uses for network file sharing, printer sharing, and related services. This vulnerability affects essentially all versions of Windows, and is therefore relevant for systems that run on the Windows operating system, such as Scala Enterprise Designer, Scala Enterprise Content Manager, and the PC version of Scala Enterprise Player.
Microsoft has released a critical fix for affected supported versions of Windows, as described in Microsoft Security Bulletin MS17‑010. (Exceptionally, Microsoft has made available a fix for the otherwise out-of-support Windows XP and Windows Server 2003.)
Scala’s IT security teams have already applied the relevant fixes to the Windows operating system of any cloud-based or Scala-hosted Content Manager systems. Our customers, or the agent they have engaged to handle their maintenance, should take appropriate action to patch the Windows operating system for any Designer system, PC Player system, and any on-premise Content Manager. We offer the following guidance to assist in that process.
Scala Player / Designer / Content Manager Systems that are Unaffected
If any of the following is true, those Scala systems are unaffected (cannot be remotely attacked by this malware):
- Scala system has already been patched with the March 2017 Windows patch from Microsoft
- Scala system is behind a firewall that blocks SMB traffic (port 445) (if other machines behind the same firewall are not infected)
- Scala system’s “network type” is set to Public, which also blocks SMB traffic
- Scala system on which the Network Sharing services are stopped and disabled
- Scala Player is not a Windows PC (e.g. Android, Chromebox, Samsung)
Verifying that Windows is Patched
From information gathered from various online sources, we can summarize as follows:
Windows 10
- From a command prompt or the Cortana search box, type winver to see the version and OS build number
- If you have the “Creators Update” version 1703, you are OK
- If you have the “Anniversary Update” version 1607, ensure you have Build 14393.953 or later
- If you have the “Fall Update” version 1511, ensure you have Build 10586.839 or later
- If you have the original release version 1507, ensure you have Build 10240.17319
Windows 7 / Windows Server 2008 R2
Look to see if you have any of the following security updates (you only need one):
- KB4019264: 2017-05 Security Monthly Quality Rollup for Windows 7
- KB4015552: April, 2017 Preview of Monthly Quality Rollup for Windows 7
- KB4015549: April, 2017 Security Monthly Quality Rollup for Windows 7
- KB4012215: March, 2017 Security Monthly Quality Rollup for Windows 7
- KB4012212: March, 2017 Security Only Quality Update for Windows 7
You can check as follows:
- Windows 7: under Start > Control Panel > Programs and Features, then click View installed updates.
- Windows 10: under Start > Control Panel > System and Security, then under Windows Update click View installed updates.
- Any version of Windows: from an administrative command prompt, type wmic qfe get hotfixid to see the list of installed hotfixes.
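The checks above, as an added PowerShell script that is not part of Scala's bulletin: it reads the Windows 10 build number from the registry and compares it against the build thresholds listed above, or on Windows 7 / Server 2008 R2 looks for any of the listed KB numbers with Get-HotFix. It assumes an elevated prompt; the KB numbers and builds are the ones given in this bulletin.

```powershell
# Added example, not from Scala's bulletin: report whether this machine carries
# the MS17-010 fix, using the Windows 10 build thresholds and the Windows 7 KB
# list given above. Run from an elevated PowerShell prompt (works on PS 2.0+).

# Windows 10: minimum UBR (the ".nnn" after the build in winver) per build line.
$win10MinUbr = @{
    '15063' = 0        # 1703 Creators Update: any build is OK
    '14393' = 953      # 1607 Anniversary Update
    '10586' = 839      # 1511 Fall Update
    '10240' = 17319    # 1507 original release
}
# Windows 7 / Server 2008 R2: any one of these updates is sufficient.
$win7Fixes = 'KB4019264','KB4015552','KB4015549','KB4012215','KB4012212'

function Test-MS17010Patched {
    $os = Get-WmiObject Win32_OperatingSystem          # e.g. Version 10.0.14393 or 6.1.7601
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    if ($os.Version -like '10.*') {
        $build = [string]$cv.CurrentBuild
        $ubr   = [int]$cv.UBR
        if (-not $win10MinUbr.ContainsKey($build)) {
            Write-Host "Windows 10 build ${build}.${ubr} is not in the bulletin's list; check MS17-010 manually."
            return $false
        }
        $ok = $ubr -ge $win10MinUbr[$build]
        Write-Host "Windows 10 build ${build}.${ubr} is $(if ($ok) {'patched'} else {'NOT patched'})"
        return $ok
    }
    if ($os.Version -like '6.1.*') {
        $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
        $found = @($win7Fixes | Where-Object { $installed -contains $_ })
        if ($found.Count -gt 0) {
            Write-Host "Windows 7 / 2008 R2 is patched ($($found -join ', '))"
            return $true
        }
        Write-Host 'Windows 7 / 2008 R2: none of the MS17-010 updates is installed'
        return $false
    }
    Write-Host "Windows version $($os.Version) is not covered by this check; consult MS17-010."
    return $false
}

Test-MS17010Patched
```

Other Windows versions covered by MS17-010 (Vista, 8.1, Server 2012 and so on) are reported as "not covered" rather than guessed at; extend the KB list from the Microsoft bulletin for those.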
How to Patch Windows on a Content Manager or Designer System
For any system that you can directly access or manage, you can use standard tools such as Windows Update or other administrative tools to ensure the necessary Microsoft hotfix is applied. Make sure you select the correct hotfix for your operating system version and 64-bit / 32-bit variant.
How to Remotely Patch Windows on a Player
You can use Content Manager’s maintenance jobs to remotely apply the necessary Microsoft hotfix to the Windows operating system on your Players. From the Microsoft Security Bulletin, make sure you select the correct hotfix for your operating system version and 64-bit / 32-bit variant.
How to patch a system depends on whether the Enhanced Write Filter (EWF) feature is enabled. EWF protects the system partition from being modified, and is enabled on many Player images.
Player Systems Without EWF Enabled
Download the hotfix and the PsExec utility from Microsoft and prepare a simple batch file, then create a Content Manager maintenance job that sends those three components to the Player and invokes the batch file via PsExec. For full details, see Remote Installation of Microsoft Hotfixes on a Player.
Player Systems With EWF Enabled
On Player systems that do have EWF enabled, you need to perform extra steps to disable EWF before applying the fix, then re-enable EWF afterwards. You should also take extra steps such as disabling SMB during the period when EWF is disabled, to prevent infection at that time. For full details, see Remote Installation of Microsoft Hotfixes on a Player.
Security Practices and Considerations
This incident provides an opportunity to restate various relevant security practices and considerations.
Use of Windows Update
In general, Windows Update delivers to Players critical updates that are of value in maintaining overall network security. However, in rare cases a Windows Update has been known to introduce undesirable side-effects that can destabilize or disable a Player. While Microsoft generally repairs any such updates rapidly, an unattended PC will not always recover on its own.
The best practice is to manage updates by configuring Windows Server Update Services (WSUS). A WSUS server lets you control the timing and selection of the updates delivered to Players, so that you can verify critical updates on a test Player in the lab before allowing the live Players to update. (Your business’s policy on Windows Update may require it to be enabled.)
Use of Anti-Virus Software
While anti-virus software can protect against certain attacks, the anti-virus engines themselves can negatively affect Player performance and stability, and can themselves be the entry point for an attack. In general computing, most threats arise from users visiting malicious web sites or opening malicious documents, neither of which is normally a concern on a tightly managed digital signage network.
The best practice is to use anti-virus software on systems where content and files can be introduced into the network. (Your business’s policy may require anti-virus to be installed.)
Use of EWF
EWF (Enhanced Write Filter) is a Windows protection technology that prevents writing to the system partition of the hard drive. Upon reboot, the intended state of that partition is freshly available. This is very effective at preventing most malware from taking up residence, since a reboot flushes the problem away. A ransomware style malware might still encrypt media files on other partitions, but these can be re-sent after cleanup. Managing system updates and patches on an EWF-enabled system is more involved.
Use of SMB Services
The SMB services are used by Windows for network file sharing and printer sharing. On a Player these are often not needed. If you determine that you don’t need SMB services, you can disable SMB in various ways, including:
- Block the SMB port number 445 using routers and firewalls
- Disable the Network Sharing services at the OS level
- Ensure the Player’s network connection type is set to Public, which disallows SMB connections
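The three mitigations above, as an added PowerShell script that is not part of Scala's bulletin; it also serves the earlier note about disabling SMB while EWF is off for patching. It assumes an elevated prompt; the firewall rule name is a constructed label, and netsh, WMI and the registry are used so the same script runs on Windows 7 as well as Windows 8 / 10.

```powershell
# Added example, not from Scala's bulletin: apply the three SMB mitigations
# listed above on a Windows Player that does not need file or printer sharing
# (the same steps can be run while EWF is disabled for patching). Run from an
# elevated PowerShell prompt. netsh, WMI and the registry are used so the
# script also works on Windows 7, which lacks the NetSecurity cmdlets.

$ruleName = 'Scala - Block inbound SMB 445'    # constructed rule name

# 1. Firewall: block inbound SMB on TCP 445 in every profile.
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null    # makes re-runs idempotent
netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=445 | Out-Null

# 2. OS level: stop and disable the Server service (LanmanServer), which hosts
#    SMB shares. This also removes ADMIN$ / C$ used by remote admin tools.
Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
Set-Service  -Name LanmanServer -StartupType Disabled

# 3. Network profile: mark every known network as Public.
if (Get-Command Set-NetConnectionProfile -ErrorAction SilentlyContinue) {
    # Windows 8 / 10 (domain-authenticated networks cannot be changed to Public)
    Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Public -ErrorAction SilentlyContinue
} else {
    # Windows 7: Category 0 = Public, 1 = Private, 2 = Domain; applies at next connect/reboot.
    $profiles = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
    Get-ChildItem $profiles | ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name Category -Value 0 }
}

# Verify the result: service stopped and disabled, firewall rule present.
function Test-SmbHardened {
    $svc  = Get-WmiObject Win32_Service -Filter "Name='LanmanServer'"
    $rule = (netsh advfirewall firewall show rule name="$ruleName") -join ' '
    $ok   = ($svc.State -ne 'Running') -and ($svc.StartMode -eq 'Disabled') -and ($rule -match 'Block')
    Write-Host "Server service: $($svc.State)/$($svc.StartMode); firewall rule present: $($rule -match 'Block')"
    return $ok
}

Test-SmbHardened
```

Disabling the Server service removes the administrative shares (ADMIN$, C$), so any remote administration that relies on them stops working; confirm how patches and content reach the Player before applying this on live systems.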
Please subscribe to the news feed at http://scala.com/releases/ for all the latest updates and security news from Scala. If the situation warrants, we will update this bulletin.