cbcvebase.
CVE-2017-0143
published 2017-03-17

CVE-2017-0143: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT…

PriorityP198high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
KEVITWEXPLOITRansomwareInitial access
CISA Known Exploited Vulnerabilitydue 2022-05-03
Exploited in the wild
EPSS
93.31%
99.8th percentile
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

Affected

31 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftserver_message_block
microsoft_corporationwindows_smb
msrcwindows_10
msrcwindows_10_version_1511
msrcwindows_10_version_1607
msrcwindows_7
msrcwindows_8.1
msrcwindows_rt_8.1
msrcwindows_server_2008
msrcwindows_server_2008_r2
msrcwindows_server_2012
msrcwindows_server_2012_r2
msrcwindows_server_2016
msrcwindows_vista_service_pack_2
msrcwindows_vista_x64_edition_service_pack_2
philipsintellispace_portal
philipsintellispace_portal
siemensacuson_p300_firmware
siemensacuson_p300_firmware
siemensacuson_p300_firmware
siemensacuson_p300_firmware
siemensacuson_p500_firmware
siemensacuson_p500_firmware
siemensacuson_sc2000_firmware
siemensacuson_sc2000_firmware>= 4.0 < 4.0e4.0e

Detection & IOCsextracted from sources · hover to see the quote

port445
snort
42329-42332, 42340, 41978, 42256
  • Monitor network traffic for excessive SMB requests to TCP port 445; anomalous processes initiating SMB connections are a key behavioral indicator of CVE-2017-0143 exploitation via ETERNALBLUE.
  • Network-based detection (NGIPS/NGFW) is effective against ETERNALBLUE/DOUBLEPULSAR exploitation regardless of final payload, as the exploit and delivery mechanism are consistent across campaigns.
  • EternalRocks introduces a 24-hour sleep/delay before downloading its final payload; sandbox detections with short timeouts will miss this malware — extend sandbox dwell time beyond 24 hours.
  • Look for manually crafted SMB packets with hardcoded, seemingly arbitrary field values (e.g., hardcoded UIDs in a specific numeric range) in network traffic, which is a fingerprint of the APT3 Bemstour/UPSynergy tool.
  • Detect SMB packets that are constructed over plain TCP sockets rather than via standard SMB libraries — a characteristic of the APT3 Bemstour tool exploiting the EternalRomance/UPSynergy variant of this vulnerability.
  • NGIPS/NGFW coverage for ETERNALBLUE/DOUBLEPULSAR exploitation of CVE-2017-0143 was available from mid-March 2017; ensure signatures are not older than that baseline.
  • ·Chinese actors claimed that the MS17-010 patches for CVE-2017-0143 through -0148 were insufficient because they did not address the underlying base code weaknesses — patching alone may not fully eliminate risk.
  • ·APT3's UPSynergy exploit variant targets a broader range of Windows versions than the original EternalRomance by incorporating an additional 0-day kernel information leak, meaning standard EternalRomance detections may not cover this variant.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck8.8HIGH
cisa8.8HIGH
vendor_msrc8.1HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.