CVE-2017-0004
Published 2017-01-10
Priority P353 · high · CVSS 3.0 base score 7.5
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS 89.57% (99.8th percentile)
The Local Security Authority Subsystem Service (LSASS) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to cause a denial of service (reboot) via a crafted authentication request, aka "Local Security Authority Subsystem Service Denial of Service Vulnerability."
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| msrc | windows_7_for_32-bit_systems_service_pack_1 | — | — |
| msrc | windows_7_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_itanium-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_r2_for_itanium-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
port 445
Snort/Suricata rule (ET SID 2023497):
alert tcp any any -> $HOME_NET 445 (msg:"ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)"; flow:established,to_server; content:"|FF|SMB|73|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; byte_test:1,&,0x08,6,relative; byte_test:1,&,0x10,5,relative; byte_test:1,&,0x04,5,relative; byte_test:1,&,0x02,5,relative; byte_test:1,&,0x01,5,relative; content:"|ff 00|"; distance:28; within:2; content:"|84|"; distance:25; within:1; content:"NTLMSSP"; fast_pattern; within:64; reference:url,github.com/lgandx/PoC/tree/master/LSASS; reference:url,support.microsoft.com/en-us/kb/3216771; reference:url,support.microsoft.com/en-us/kb/3199173; reference:cve,2017-0004; reference:url,technet.microsoft.com/library/security/MS17-004; classtype:attempted-dos; sid:2023497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, cve CVE_2017_0004, deployment Perimeter, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Byte patterns referenced by the rule:
- |FF|SMB|73|
- |ff 00|
- |84|
- NTLMSSP
- Monitor TCP port 445 for inbound SMB1 sessions whose TCP payload carries |FF|SMB|73| at offset 4 (the SMB1 magic followed by command 0x73, SMB_COM_SESSION_SETUP_ANDX), passes the six byte_test checks on the Flags2 header bytes, has |ff 00| at the rule's next offset (in a Session Setup AndX request this is AndXCommand 0xFF, no chained command, followed by AndXReserved 0x00), has the |84| marker 25 bytes further on, and contains NTLMSSP within the following 64 bytes. That is the shape of the crafted authentication request used to crash LSASS.
- The request can be sent by an unauthenticated attacker; no credentials are required. Alert on unexpected LSASS crashes or sudden reboots on Windows Vista, Windows Server 2008/2008 R2 and Windows 7 hosts that receive inbound SMB traffic.
- The issue was publicly disclosed before the patch was available, and the ET rule's references already point at a PoC repository (github.com/lgandx/PoC/tree/master/LSASS); treat any unpatched exposure of TCP 445 on affected OSes as high priority.
- The rule metadata names the Perimeter and Datacenter deployment zones; ensure $HOME_NET is scoped to include Windows Vista/Server 2008/Windows 7 assets, or the rule will not fire on traffic to them.
- Rule confidence is rated Medium; tune or validate it in your environment before relying on it as a sole detection control.
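The rule above is easier to reason about when each keyword is written out as a check on the payload. The following is an added example, not code from the page, from Emerging Threats or from the PoC repository the rule references: the content/byte_test clauses of SID 2023497 re-implemented in Python and run over two constructed SMB1 Session Setup AndX payloads, one shaped so that every clause holds and one carrying the same NTLM blob behind an ordinary short-form length byte. The field names in the comments (Flags2, AndXCommand, security blob) are my reading of the SMB1 header layout from MS-CIFS as it lines up with the rule's offsets; the page gives only the rule. The packet builder, the Flags2/Capabilities values and the stand-in NTLM body are constructed sample input, not captures, and the rule's flow/port constraints are left to the caller.

```python
"""Clause-by-clause re-implementation of ET SID 2023497 (CVE-2017-0004).

Offsets are into the TCP payload (4-byte NetBIOS session header + SMB1 message),
matching the rule's offset/depth/distance/within semantics. The field annotations
are the SMB1 layout per MS-CIFS as it lines up with those offsets (assumption).
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73

# After content:"|FF|SMB|73|" matches payload[4:9] the cursor sits at offset 9.
# byte_test ...,6,relative -> offset 15 (Flags2 high byte)
# byte_test ...,5,relative -> offset 14 (Flags2 low byte)
FLAGS2_HI_MASKS = (0x80, 0x08)              # 0x8000 UNICODE, 0x0800 EXTENDED_SECURITY
FLAGS2_LO_MASKS = (0x10, 0x04, 0x02, 0x01)  # remaining Flags2 bits the rule requires


def rule_2023497_matches(payload: bytes) -> bool:
    """True when every content/byte_test clause of SID 2023497 holds for this payload.
    flow:established,to_server and the destination port 445 are connection-level and
    are not modelled here."""
    if len(payload) < 16:
        return False
    # content:"|FF|SMB|73|"; offset:4; depth:5
    if payload[4:9] != SMB1_MAGIC + bytes([SMB_COM_SESSION_SETUP_ANDX]):
        return False
    cursor = 9
    # six byte_test clauses on Flags2; byte_test does not move the cursor
    hi, lo = payload[cursor + 6], payload[cursor + 5]
    if any(hi & m == 0 for m in FLAGS2_HI_MASKS) or any(lo & m == 0 for m in FLAGS2_LO_MASKS):
        return False
    # content:"|ff 00|"; distance:28; within:2
    # -> AndXCommand 0xFF (no chained command) followed by AndXReserved 0x00
    if payload[cursor + 28:cursor + 30] != b"\xff\x00":
        return False
    cursor += 30
    # content:"|84|"; distance:25; within:1
    # -> second byte of the security blob: an ASN.1 long-form length prefix announcing
    #    four length octets (assumption about what the rule author keyed on)
    if payload[cursor + 25:cursor + 26] != b"\x84":
        return False
    cursor += 26
    # content:"NTLMSSP"; within:64 (fast_pattern only affects matching order, not the result)
    return b"NTLMSSP" in payload[cursor:cursor + 64]


def build_session_setup_andx(security_blob: bytes, flags2: int = 0xC857) -> bytes:
    """Constructed SMB1 SESSION_SETUP_ANDX request (NT LM 0.12, extended security)
    wrapping the given security blob. Sample input for the matcher, not a capture."""
    header = struct.pack("<4sBIBHH8sHHHHH",
                         SMB1_MAGIC, SMB_COM_SESSION_SETUP_ANDX,
                         0,                 # Status
                         0x18,              # Flags
                         flags2,            # Flags2: the default sets every bit the rule tests
                         0, bytes(8), 0,    # PIDHigh, SecuritySignature, Reserved
                         0, 0xFEFF, 0, 1)   # TID, PID, UID, MID
    words = struct.pack("<BBBHHHHIHIIH",
                        12,                 # WordCount
                        0xFF, 0, 0,         # AndXCommand (none), AndXReserved, AndXOffset
                        0xFFFF, 2, 0,       # MaxBufferSize, MaxMpxCount, VcNumber
                        0,                  # SessionKey
                        len(security_blob), # SecurityBlobLength
                        0,                  # Reserved
                        0x800000D4,         # Capabilities (sample value)
                        len(security_blob)) # ByteCount (no NativeOS/NativeLanMan strings)
    smb = header + words + security_blob
    return struct.pack(">I", len(smb)) + smb  # NetBIOS session message header


# Stand-in NTLM NEGOTIATE body (signature, message type 1, flags, 16 zero bytes); constructed.
_NTLM_BODY = b"NTLMSSP\x00" + struct.pack("<II", 1, 0xE2088297) + bytes(16)
# Blob shaped the way the rule expects: 0x60 tag, 0x84 = four-octet long-form length, body.
CRAFTED_BLOB = b"\x60\x84" + struct.pack(">I", len(_NTLM_BODY)) + _NTLM_BODY
# The same body behind an ordinary one-byte (short-form) length: the |84| clause fails.
BENIGN_BLOB = b"\x60" + bytes([len(_NTLM_BODY)]) + _NTLM_BODY

CRAFTED_SAMPLE = build_session_setup_andx(CRAFTED_BLOB)
BENIGN_SAMPLE = build_session_setup_andx(BENIGN_BLOB)


if __name__ == "__main__":
    for name, pkt in (("crafted", CRAFTED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{name:8s} {len(pkt):3d} bytes -> match={rule_2023497_matches(pkt)}")
```

Two things this makes visible that the rule text alone does not: the six byte_test clauses all key off the same two Flags2 bytes, so a client that does not set SMB_SECURITY_SIGNATURE (0x0004) in Flags2 is never matched even if it sends the crafted blob, and the |84| clause is the only structural discriminator between the crafted request and a normal extended-security Session Setup, which is one reason the rule's confidence is rated Medium.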
CVSS provenance
- nvd (v3.0): 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- nvd (v2.0): 7.8 HIGH, AV:N/AC:L/Au:N/C:N/I:N/A:C
- vendor_redhat: 8.8 HIGH (this score comes from the Red Hat entry below, which covers CVE-2017-6458 in NTP, not CVE-2017-0004)
- vendor_msrc: 6.5 MEDIUM
GHSA
GHSA-vh77-9c84-463g (ghsa_unreviewed · 2022-05-14 · CVE-2017-0004 · HIGH · CWE-20)
The Local Security Authority Subsystem Service (LSASS) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to cause a denial of service (reboot) via a crafted authentication request, aka "Local Security Authority Subsystem Service Denial of Service Vulnerability."
Red Hat (this entry concerns CVE-2017-6458 in NTP, not CVE-2017-0004)
ntp: Potential Overflows in ctl_put() functions
vendor_redhat · 2017-03-21 · CVSS 8.8 · CVE-2017-6458 · HIGH · CWE-121
Multiple buffer overflows in the ctl_put* functions in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allow remote authenticated users to have unspecified impact via a long variable.
A vulnerability was found in NTP, in the building of response packets with custom fields. If custom fields were configured in ntp.conf with particularly long names, inclusion of these fields in the response packet could cause a buffer overflow, leading to a crash.
Statement: The security assessment from cure53 clarifies that this issue (identified as NTP-01-0004) is not a vulnerability per se, but a weakness in ntp's internal coding style that may cause a vulnerability if particularly long variable names are defined at compile time. No such variable names are def
Microsoft
Local Security Authority Subsystem Service Denial of Service Vulnerability
vendor_msrc · 2017-01-10 · CVSS 6.5 · CVE-2017-0004 · HIGH
Description: This security update corrects a denial of service in the Local Security Authority Subsystem Service (LSASS) caused when an unauthenticated attacker sends a specially crafted authentication request. A remote attacker who successfully exploited this vulnerability could cause a denial of service on the target system's LSASS service, which triggers an automatic reboot of the system.
The security update addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests.
Affected component: Local Security Authority Subsystem Service
Impact: Denial of Service
Exploit Status: Publicly Disclosed: Yes; Exploited: No; DoS: Permanent
Reference: https
Suricata
ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)
suricata · 2016-11-11 · CVSS 7.5 · CVE-2017-0004 · HIGH
Rule: ET SID 2023497; the full rule text is given under Detection & IOCs above.
No public exploits indexed (the rule's own references include github.com/lgandx/PoC/tree/master/LSASS).
Qualys
Microsoft Starts 2017 with Record Low Security Updates
blogs_qualys · 2017-01-10 · CVSS 8.8 · HIGH
Happy New Year! In the first Patch Tuesday of 2017 Microsoft fixed only 3 vulnerabilities which makes it one of the smallest patch months ever. Patches were released for Microsoft Office, the Edge browser and LSASS. It’s an unusually small patch update and will definitely make system administrators happy. It is worth noting that starting next month Microsoft will scrap the existing system where users get a document each month in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. The new security portal is driven by an online database, and instead of having to browse through an index of documents, users can sort, search, and filter the database to find details about a specific security bulletin and its associated updates.
In today’
Bugzilla (this entry concerns CVE-2017-12189 in JBoss, not CVE-2017-0004)
CVE-2017-12189 jboss: unsafe chown of server.log in jboss init script allows privilege escalation (Incomplete fix for CVE-2016-8656)
bugzilla · 2017-10-09 · CVSS 7.0 · CVE-2017-12189 · HIGH
It was reported that the jbossas init script performed unsafe file handling, which could result in local privilege escalation.
Discussion:
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2018:0003 https://access.redhat.com/errata/RHSA-2018:0003
---
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
Via RHSA-2018:0002 https://access.redhat.com/errata/RHSA-2018:0002
---
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
Via RHSA-2018:0004 https://access.
Bugzilla (this entry concerns CVE-2017-2576 and CVE-2017-2578 in Moodle, not CVE-2017-0004)
CVE-2017-2576 CVE-2017-2578 moodle: Multiple security issues
bugzilla · 2017-01-20 · CVSS 5.3 · CVE-2017-2576 · MEDIUM
MSA-17-0002: Incorrect sanitation of attributes in forums - CVE-2017-2576
https://moodle.org/mod/forum/discuss.php?d=345912
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56225
MSA-17-0004: XSS in assignment submission page - CVE-2017-2578
https://moodle.org/mod/forum/discuss.php?d=345915
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57580
References:
https://moodle.org/news/#p1393111
Discussion:
Created moodle tracking bugs for this issue:
Affects: fedora-all [bug 1401064]
Affects: epel-all [bug 1401065]
References
- http://www.securityfocus.com/bid/95318
- http://www.securitytracker.com/id/1037571
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-004
Published 2017-01-10