CVE-2017-0004
published 2017-01-10

CVE-2017-0004: The Local Security Authority Subsystem Service (LSASS) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote…

Priority: P353 high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 89.57% (99.8th percentile)
The Local Security Authority Subsystem Service (LSASS) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to cause a denial of service (reboot) via a crafted authentication request, aka "Local Security Authority Subsystem Service Denial of Service Vulnerability."

Affected

10 ranges

Vendor    | Product                                                     | Version range | Fixed in
microsoft | windows_server_2008                                         |               |
msrc      | windows_7_for_32-bit_systems_service_pack_1                 |               |
msrc      | windows_7_for_x64-based_systems_service_pack_1              |               |
msrc      | windows_server_2008_for_32-bit_systems_service_pack_2       |               |
msrc      | windows_server_2008_for_itanium-based_systems_service_pack_2 |               |
msrc      | windows_server_2008_for_x64-based_systems_service_pack_2    |               |
msrc      | windows_server_2008_r2_for_itanium-based_systems_service_pack_1 |            |
msrc      | windows_server_2008_r2_for_x64-based_systems_service_pack_1 |               |
msrc      | windows_vista_service_pack_2                                |               |
msrc      | windows_vista_x64_edition_service_pack_2                    |               |

Detection & IOCs (extracted from sources)

Port: 445

Snort rule:
alert tcp any any -> $HOME_NET 445 (msg:"ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)"; flow:established,to_server; content:"|FF|SMB|73|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; byte_test:1,&,0x08,6,relative; byte_test:1,&,0x10,5,relative; byte_test:1,&,0x04,5,relative; byte_test:1,&,0x02,5,relative; byte_test:1,&,0x01,5,relative; content:"|ff 00|"; distance:28; within:2; content:"|84|"; distance:25; within:1; content:"NTLMSSP"; fast_pattern; within:64; reference:url,github.com/lgandx/PoC/tree/master/LSASS; reference:url,support.microsoft.com/en-us/kb/3216771; reference:url,support.microsoft.com/en-us/kb/3199173; reference:cve,2017-0004; reference:url,technet.microsoft.com/library/security/MS17-004; classtype:attempted-dos; sid:2023497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, cve CVE_2017_0004, deployment Perimeter, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2019_07_26;)

Byte patterns (from the rule): |FF|SMB|73|, |ff 00|, |84|, NTLMSSP
  • Monitor TCP port 445 for inbound SMB sessions containing NTLMSSP authentication blobs with the specific byte pattern |FF|SMB|73| at offset 4 (SMB Session Setup AndX with NTLMSSP negotiate), combined with specific flag bytes and the |ff 00| and |84| markers — this matches the crafted authentication request used to crash LSASS.
  • The exploit can be triggered by an unauthenticated attacker — no credentials are required. Alert on unexpected LSASS crashes or sudden system reboots on Windows Vista/Server 2008/Windows 7 hosts receiving inbound SMB traffic.
  • The vulnerability was publicly disclosed before the patch was available and a PoC was anticipated imminently — treat any unpatched exposure of SMB port 445 on affected OSes as high-priority.
  • The Snort/ET rule targets the Perimeter and Datacenter deployment zones; ensure $HOME_NET is correctly scoped to include Windows Vista/Server 2008/Windows 7 assets to avoid missed detections.
  • Rule confidence is rated Medium; tune or validate in your environment before relying on it as a sole detection control.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 7.5   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd           | v2.0    | 7.8   | HIGH     | AV:N/AC:L/Au:N/C:N/I:N/A:C
vendor_redhat |         | 8.8   | HIGH     |
vendor_msrc   |         | 6.5   | MEDIUM   |