Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
1

CVE-2017-0143

Disclosure Date: March 17, 2017
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka “Windows SMB Remote Code Execution Vulnerability.” This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

Add Assessment

2
Ratings
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
  • Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit
  • Mitigation: Update affected Microsoft products with the latest security patches
1
Ratings
Technical Analysis

Vulnerability:

  • Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server. To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

Vulnerability Disclosure date:

  • 2017-03-14

Operating Systems Affected:

  • Windows 2000 SP4
  • Windows XP SP2, SP3
  • Windows 2003 SP2 and R2 SP2
  • Microsoft Windows Vista SP2
  • Windows Server 2008 SP1, SP2 and R2 SP1
  • Windows 7 SP1
  • Windows 8.1
  • Windows Server 2012 Gold and R2
  • Windows RT 8.1
  • Windows 10 Gold, 1511, and 1607 and Pro 10240
  • Windows Server 2016

Vulnerability Severity:

  • Critical

Vulnerability Fix:

  • Apply the MS17-010 security update.

Vulnerability POC:

NSA Exploit Information:

  • Eternalblue requires only access to IPC$ to exploit a target while other exploits require access to named pipe too. So the exploit always works against Windows < 8 in all configuration (if tcp port 445 is accessible). However, Eternalblue has a chance to crash a target higher than other exploits.
  • Eternalchampion requires access to named pipe. The exploit has no chance to crash a target.
  • Eternalromance requires access to named pipe. The exploit can target Windows < 8 because the bug for info leak is fixed in Windows 8. The exploit should have a chance to crash a target lower than Eternalblue. I never test a reliable of the exploit.
  • Eternalsynergy requires access to named pipe. I believe this exploit is modified from Eternalromance to target Windows 8 and later. Eternalsynergy uses another bug for info leak and does some trick to find executable memory (I do not know how it works because I read only output log and pcap file).
CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft,
  • philips,
  • siemens

Products

  • acuson p300 firmware 13.02,
  • acuson p300 firmware 13.03,
  • acuson p300 firmware 13.20,
  • acuson p300 firmware 13.21,
  • acuson p500 firmware va10,
  • acuson p500 firmware vb10,
  • acuson sc2000 firmware,
  • acuson sc2000 firmware 5.0a,
  • acuson x700 firmware 1.0,
  • acuson x700 firmware 1.1,
  • intellispace portal 7.0,
  • intellispace portal 8.0,
  • server message block 1.0,
  • syngo sc2000 firmware,
  • syngo sc2000 firmware 5.0a,
  • tissue preparation system firmware,
  • versant kpcr molecular system firmware,
  • versant kpcr sample prep firmware

Exploited in the Wild

Reported by:
Technical Analysis