CVE-2016-3345
published 2016-09-14CVE-2016-3345: The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT…
PriorityP267high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
EPSS
32.46%
98.1th percentile
The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Authenticated Remote Code Execution Vulnerability."
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerability is specific to SMBv1 server; target SMBv1 traffic (TCP port 445 / 139) from authenticated sessions sending specially crafted packets ↗
- →Only SMBv1 is impacted; detection should focus exclusively on SMBv1 protocol traffic, not SMBv2 or later ↗
- →Exploitation requires prior authentication and file-open permissions on the target SMBv1 server; alert on authenticated SMBv1 sessions followed by anomalous or malformed request patterns ↗
- →On Vista/Server 2008/Windows 7/Server 2008 R2 the impact is RCE; on later OS versions the symptom is the system stopping to respond until manually restarted — unexpected SMB-related system hangs/reboots on patched-but-SMBv1-enabled hosts are a post-exploitation indicator ↗
- ·Exploitation is limited to SMBv1; environments that have already disabled SMBv1 are not affected by this CVE ↗
- ·Affected OS scope is Windows Vista SP2, Server 2008 SP2/R2 SP1, Windows 7 SP1, Windows 8.1, Server 2012 Gold/R2, RT 8.1, and Windows 10 Gold/1511/1607 — detections should be scoped to these platforms ↗
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_msrc5.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-54v6-6xf9-47gf: The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed·2022-05-14
CVE-2016-3345 [HIGH] CWE-284 GHSA-54v6-6xf9-47gf: The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Authenticated Remote Code Execution Vulnerability."
Microsoft
Windows SMB Authenticated Remote Code Execution Vulnerability
vendor_msrc·2016-09-13·CVSS 5.0
CVE-2016-3345 [HIGH] Windows SMB Authenticated Remote Code Execution Vulnerability
Windows SMB Authenticated Remote Code Execution Vulnerability
Description: For Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, a remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) Server handles certain requests when an authenticated attacker sends specially crafted packets to the SMBv1 server. The vulnerability does not impact other SMB Server versions.
On later operating systems, an attacker who successfully exploited this vulnerability could cause the affected system to stop responding until it is manually restarted.
To exploit the vulnerability, an attacker would first need to authenticate to the SMBv1 Server and have permission to open files on the target server before attempting the a
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.securityfocus.com/bid/92859http://www.securitytracker.com/id/1036803https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-114http://www.securityfocus.com/bid/92859http://www.securitytracker.com/id/1036803https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-114
2016-09-14
Published