KB Article | Forcepoint Support

Problem Description

Published Date: May 17, 2017
Last Update: June 21, 2017
KBA Status: Final
KBA Severity: High
CVE Numbers: Not applicable

KBA Summary

The Forcepoint Product Security Incident Response Team (PSIRT) has been monitoring the recent reports related to the WannaCry (also known as WannaCrypt, WannaCrypt0r 2.0, Wanna Decryptor, or Wcry) vulnerability and investigating its potential effect on Forcepoint products. This article will be updated as additional information becomes available.

WannaCry is an encryption-based ransomware attack that started spreading globally on May 12, 2017. The malware encrypts files on affected systems using the AES and RSA ciphers, so that the attackers can decrypt the files with a unique decryption key. WannaCry changes the computer's wallpaper to display messages asking victims to download the decryptor from Dropbox and demanding hundreds in bitcoins to get their files back.

The malware spreads via SMB (Server Message Block), the protocol typically used by Windows machines to communicate with file systems over a network. An infected machine then propagates the infection to other at-risk machines.

The PSIRT has been working with the Forcepoint Engineering escalation teams to better understand if our products could be affected by installing the Microsoft MS17-010 Windows patch or disabling SMBv1, given the SMB protocol is used by a number of processes (e.g., Content Gateway proxy authentication). 


We have determined that:
  1. Installing the patch recommended by the Microsoft MS17-010 security bulletin on your servers, including the TRITON Manager, does not affect the normal operation of Forcepoint products. To ensure the continued normal operation of your Forcepoint solution, you should apply the Microsoft MS17-010 Windows patch.
  2. Disabling SMBv1 or updating to a later version of SMB within your environment will cause issues with some Forcepoint products. Our engineering teams are researching potential future fixes to allow for the upgrade to later versions of SMB (i.e., v2) but at this time, to avoid issues with Forcepoint products, it is not recommended that SMBv1 be disabled or updated.
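
One way to check a server against the two findings above, as an added example that is not Forcepoint's own code. The function names are hypothetical, and the KB list is a labelled placeholder that must be filled in from Microsoft's MS17-010 bulletin for the server's Windows version.

```powershell
# Added example, not Forcepoint code. Run in an elevated PowerShell session
# on each server that hosts a Forcepoint component.
param(
    # Assumption: replace with the KB IDs that Microsoft's MS17-010 bulletin
    # lists for this OS. The default is a placeholder, not a real KB number.
    [string[]]$Ms17010KbIds = @('KB0000000')
)

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later expose the setting through this cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: LanmanServer "SMB1" registry value. The SMBv1 server is
    # enabled when the value is absent or non-zero.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Get-InstalledKb {
    param([string[]]$KbIds)
    # Caveat: a later cumulative update that already contains the fix will
    # not match these IDs, so an empty result needs a manual check.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbIds -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

$smb1Enabled = Get-Smb1ServerState
$kbFound     = @(Get-InstalledKb -KbIds $Ms17010KbIds)

# Map the two observations onto the article's two findings.
$status = if (-not $smb1Enabled) {
    'REVIEW: SMBv1 is disabled; the article warns this causes issues with some Forcepoint products'
} elseif ($kbFound.Count -eq 0) {
    'ACTION: SMBv1 is enabled and no listed MS17-010 KB was found; install the patch'
} else {
    'OK: MS17-010 KB present and SMBv1 left enabled'
}

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Smb1ServerEnabled = $smb1Enabled
    Ms17010KbFound    = ($kbFound -join ', ')
    Status            = $status
}
```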

KBA Detailed Information

For additional details, see the Forcepoint Security Labs blog about this vulnerability.

Resolution

Workarounds

Not applicable.

Hotfix and Information About Other Fixes

Not applicable. 
