Fix Soon

CVE-2017-0144

Remote Code Execution in Microsoft Windows SMBv1 Server

Summary

The SMBv1 server in Microsoft Windows handles specially crafted requests incorrectly, allowing remote code execution. An unauthenticated attacker can send malformed SMB packets to the service, typically on TCP 445, to trigger the vulnerable server-side code path. Successful exploitation can run code on the target host and has been used in worm and ransomware outbreaks.

Why Fix Soon?

5/6
No authentication required
Internal deployment
No user interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type
RCE (Remote Code Execution)
Is exploitable with default configuration?
Yes
Is authentication needed?
No
PoC / Exploit
Yes
Impact

Run arbitrary code on the vulnerable Windows host.

RCE (Remote Code Execution)
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

1. An attacker sends a crafted packet to the Windows SMBv1 service, usually over TCP 445.

2. The malformed SMB request drives the vulnerable server-side handling path and executes attacker-controlled code on the target host. Because the exchange needs no credentials and no user action, a compromised host can repeat it against every other reachable unpatched machine, which is how worm-like spread occurs.

Detection Resources
Manual Detection: 1
Script Detection: 1
Scanner Detection: 1
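The exploitation process above begins with an SMBv1 negotiate on TCP 445, and the detection resources are listed only by count. The PowerShell below is an added example, not part of the original page and not Microsoft tooling: it hand-builds a single SMB_COM_NEGOTIATE request offering only the "NT LM 0.12" dialect, sends it, and classifies the reply, so a defender can find hosts on which the SMBv1 server path is still reachable. Function names are mine; port 445, the 5-second timeout and the host names in the usage line are assumed placeholders.

```powershell
# Added example: minimal SMBv1 exposure probe. Sends one SMB_COM_NEGOTIATE request and reports
# whether the host answers with an SMBv1 header. Port/timeout/host names are assumptions.

function New-Smb1NegotiateRequest {
    # Body: one dialect entry = BufferFormat 0x02 + null-terminated dialect string
    $body = [System.Collections.Generic.List[byte]]::new()
    $body.Add(0x02)
    $body.AddRange([System.Text.Encoding]::ASCII.GetBytes('NT LM 0.12'))
    $body.Add(0x00)

    # 32-byte SMB header ([MS-CIFS] 2.2.3.1), then WordCount, ByteCount and the body
    $smb = [System.Collections.Generic.List[byte]]::new()
    $smb.AddRange([byte[]](0xFF, 0x53, 0x4D, 0x42))   # Protocol: \xFF 'S' 'M' 'B'
    $smb.Add(0x72)                                    # Command: SMB_COM_NEGOTIATE
    $smb.AddRange([byte[]]::new(4))                   # Status: 0
    $smb.Add(0x18)                                    # Flags: CASE_INSENSITIVE | CANONICALIZED_PATHS
    $smb.AddRange([byte[]](0x01, 0x28))               # Flags2 0x2801: LONG_NAMES | EXTENDED_SECURITY | NT_STATUS
    $smb.AddRange([byte[]]::new(12))                  # PIDHigh (2) + SecurityFeatures (8) + Reserved (2)
    $smb.AddRange([byte[]](0x00, 0x00, 0xFE, 0xFF, 0x00, 0x00, 0x00, 0x00))  # TID, PID, UID, MID
    $smb.Add(0x00)                                    # WordCount: no parameter words
    $smb.AddRange([System.BitConverter]::GetBytes([uint16]$body.Count))     # ByteCount, little-endian
    $smb.AddRange($body)

    # NetBIOS Session Service header: message type 0x00 + 3-byte big-endian length
    $len = $smb.Count
    $pkt = [System.Collections.Generic.List[byte]]::new()
    $pkt.AddRange([byte[]](0x00, (($len -shr 16) -band 0xFF), (($len -shr 8) -band 0xFF), ($len -band 0xFF)))
    $pkt.AddRange($smb)
    return ,$pkt.ToArray()
}

function Read-NegotiateResponse {
    param([byte[]]$Bytes)
    # Classify the bytes that follow the 4-byte NetBIOS header
    if ($Bytes.Length -lt 8) { return 'closed-or-empty' }
    $magic = [System.Text.Encoding]::ASCII.GetString($Bytes, 5, 3)
    if ($Bytes[4] -eq 0xFF -and $magic -eq 'SMB') {
        if ($Bytes.Length -lt 39) { return 'smb1-truncated' }
        # Command echoed at offset 8, NT status at 9..12, WordCount at 36, DialectIndex at 37..38
        $status = [System.BitConverter]::ToUInt32($Bytes, 9)
        if ($Bytes[8] -ne 0x72 -or $status -ne 0) { return ('smb1-error-0x{0:X8}' -f $status) }
        if ($Bytes[36] -eq 17 -and [System.BitConverter]::ToUInt16($Bytes, 37) -eq 0) {
            return 'smb1-ntlm012'            # NT LM 0.12 accepted: the SMBv1 server path is live
        }
        return 'smb1-no-common-dialect'      # WordCount 1 / DialectIndex 0xFFFF
    }
    if ($Bytes[4] -eq 0xFE -and $magic -eq 'SMB') { return 'smb2-only' }
    return 'not-smb'
}

function Test-Smb1Exposure {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 445, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { $verdict = 'unreachable' }
        else {
            $client.EndConnect($ar)
            $client.ReceiveTimeout = $TimeoutMs
            $stream = $client.GetStream()
            $req = New-Smb1NegotiateRequest
            $stream.Write($req, 0, $req.Length)
            $buf = [byte[]]::new(4096)
            # A host with SMBv1 disabled typically just closes the connection: Read returns 0 or throws
            try { $n = $stream.Read($buf, 0, $buf.Length) } catch [System.IO.IOException] { $n = 0 }
            $resp = [byte[]]::new($n)
            [Array]::Copy($buf, $resp, $n)
            $verdict = Read-NegotiateResponse -Bytes $resp
        }
    } catch { $verdict = "error: $($_.Exception.Message)" }
    finally { $client.Close() }
    [pscustomobject]@{ ComputerName = $ComputerName; Port = $Port; Result = $verdict }
}

# Usage (host names are constructed placeholders): sweep a list and flag hosts still serving SMBv1
'fileserver01', 'dc01' | ForEach-Object { Test-Smb1Exposure -ComputerName $_ } | Format-Table -AutoSize
```

A result of smb1-ntlm012 means the host still serves SMBv1 on that port, so the code path this CVE lives in is reachable; it says nothing about whether MS17-010 is installed, which has to be confirmed on the host. closed-or-empty after a successful TCP connect is what a host with SMBv1 switched off (for example via KB2696547) normally returns. The probe sends only a negotiate and no exploit payload.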

Affected Software

Vendor: Microsoft
Product: Microsoft Windows SMBv1 Server
Affected Versions: Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows RT 8.1; Windows Server 2012 Gold and R2; Windows 10 Gold, 1511, and 1607; Windows Server 2016
Description

Windows is Microsoft's operating system for desktops and servers; SMBv1 is its legacy file-sharing server component.

Deployment: Typically internal | Protocol: SMB | Ports: 445, 139
Affected Component: SMBv1 server request handling in the Windows file-sharing service.

Vendor Size:Big
Remediation

Workaround
Disable SMBv1 on affected hosts: use Microsoft KB2696547 to turn off SMBv1, or remove the SMB 1.0/CIFS File Sharing Support feature where supported. This removes the vulnerable code path from the network, but it also breaks clients and devices that only speak SMBv1, and it does not replace the update.
support.microsoft.com

Patch
Not available

Update
Install MS17-010 / KB4013389 or the corresponding cumulative update for the affected Windows release.
support.microsoft.com
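As an added example, not the advisory's or Microsoft's own script, the PowerShell below audits and applies the workaround above on the local host and gathers evidence of the MS17-010 update. It assumes Windows PowerShell 5.1 run elevated; Get-/Set-SmbServerConfiguration exist on Windows 8 / Server 2012 and later, while on Vista, 2008, 7 and 2008 R2 only the registry switch from KB2696547 applies and needs a restart. The function names are mine, and the KB ID list in Get-Ms17010PatchEvidence is an assumed list taken from the per-release updates of the MS17-010 bulletin, to be adjusted to your estate.

```powershell
# Added example: audit SMBv1 state, apply the KB2696547 workaround, and report MS17-010 evidence.
# Assumes Windows PowerShell 5.1, elevated. Function names and the KB list below are assumptions.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Read all three levers KB2696547 documents; any of them reporting "enabled" means the SMBv1 path is live.
    $state = [ordered]@{ RegistrySMB1 = 'not set (default: enabled)'; ServerConfig = 'n/a'; Feature = 'n/a' }

    $reg = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -ne $reg) { $state.RegistrySMB1 = if ($reg.SMB1 -eq 0) { 'disabled' } else { 'enabled' } }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $state.ServerConfig = if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { 'enabled' } else { 'disabled' }
    }
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature) { $state.Feature = [string]$feature.State }   # Enabled / Disabled / DisabledWithPayloadRemoved
    }
    [pscustomobject]$state
}

function Disable-Smb1Server {
    param([switch]$RemoveFeature)
    # 1. Registry switch from KB2696547: applies to every affected release, effective after a restart.
    Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    # 2. Live server setting (Windows 8 / Server 2012 and later): effective immediately.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # 3. Optional: remove the "SMB 1.0/CIFS File Sharing Support" binaries entirely.
    if ($RemoveFeature) {
        if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
            Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null                                   # Server 2012 R2 / 2016
        } elseif (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null  # 8.1 / 10
        }
    }
    Get-Smb1ServerState
}

function Get-Ms17010PatchEvidence {
    # MS17-010 replaced srv.sys, the SMBv1 server driver: report its version for comparison with the
    # bulletin's file table, plus any installed per-release MS17-010 KB IDs (assumed list). On Windows 10 /
    # Server 2016 later cumulative updates supersede these, so an empty list there does not prove the host
    # is unpatched. KB4013389 is the bulletin article number itself, not a hotfix ID, so it is not searched.
    $kbs = 'KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
           'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429'
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $found = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $kbs -contains $_.HotFixID } |
             Select-Object -ExpandProperty HotFixID
    [pscustomobject]@{
        SrvSysVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'srv.sys absent (SMBv1 feature removed)' }
        Ms17010Kbs    = if ($found) { $found -join ', ' } else { 'none of the listed KBs' }
    }
}

# Typical sequence: audit, apply the workaround, re-audit, then restart so the registry change takes effect.
Get-Smb1ServerState
Get-Ms17010PatchEvidence
# Disable-Smb1Server -RemoveFeature
```

The absence of the SMB1 registry value means "enabled" on every release this page lists, which is why the audit reports the default explicitly. Set-SmbServerConfiguration stops the SMBv1 server at once, but the registry value is what survives a reboot on the older releases, so both are set together.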
Threat Intelligence

EPSS Score: 94.3% (probability of exploitation in the next 30 days)
EPSS Percentile: 100% (scored worse than 100% of other CVEs)

CISA KEV: Listed
Active Exploitation: Active (cisa.gov)

Threat Actors (1)
Lazarus Group (ZINC): North Korean actor linked by Microsoft to WannaCry, which used CVE-2017-0144 to spread

Detection Rules (1)
Snort: OS-WINDOWS Microsoft Windows SMB remote code execution attempt

NVD Data


Description Summary

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

CVSS Base Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Note that the NVD vector rates Privileges Required as Low, whereas the exploitability fields above record that no authentication is needed; with PR:N the same vector scores 9.8 (Critical), so the 8.8 understates how reachable this bug is.

CWE: not listed | Version From: 4.0 | Version Upto: 4.0e

Affected Software (CPE) (16)

  • cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:acuson_p300_firmware:13.02:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:acuson_p300_firmware:13.03:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:acuson_p300_firmware:13.20:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:acuson_p300_firmware:13.21:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:acuson_p500_firmware:va10:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:acuson_p500_firmware:vb10:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:acuson_sc2000_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:acuson_sc2000_firmware:5.0a:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:acuson_x700_firmware:1.0:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:acuson_x700_firmware:1.1:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:syngo_sc2000_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:syngo_sc2000_firmware:5.0a:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:tissue_preparation_system_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:versant_kpcr_molecular_system_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:versant_kpcr_sample_prep_firmware:*:*:*:*:*:*:*:*