cbcvebase.
CVE-2017-0145
published 2017-03-17

Priority: P1 · 98 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2022-08-10
Exploited in the wild
EPSS: 89.85% (99.8th percentile)
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.

Affected

31 ranges · showing 25

Vendor                | Product                                     | Version range   | Fixed in
----------------------|---------------------------------------------|-----------------|---------
microsoft             | server_message_block                        |                 |
microsoft_corporation | windows_smb                                 |                 |
msrc                  | windows_10                                  |                 |
msrc                  | windows_10_version_1511                     |                 |
msrc                  | windows_10_version_1607                     |                 |
msrc                  | windows_7                                   |                 |
msrc                  | windows_8.1                                 |                 |
msrc                  | windows_rt_8.1                              |                 |
msrc                  | windows_server_2008                         |                 |
msrc                  | windows_server_2008_r2                      |                 |
msrc                  | windows_server_2012                         |                 |
msrc                  | windows_server_2012_r2                      |                 |
msrc                  | windows_server_2016                         |                 |
msrc                  | windows_vista_service_pack_2                |                 |
msrc                  | windows_vista_x64_edition_service_pack_2    |                 |
philips               | intellispace_portal                         |                 |
philips               | intellispace_portal                         |                 |
siemens               | acuson_p300_firmware                        |                 |
siemens               | acuson_p300_firmware                        |                 |
siemens               | acuson_p300_firmware                        |                 |
siemens               | acuson_p300_firmware                        |                 |
siemens               | acuson_p500_firmware                        |                 |
siemens               | acuson_p500_firmware                        |                 |
siemens               | acuson_sc2000_firmware                      |                 |
siemens               | acuson_sc2000_firmware                      | >= 4.0 < 4.0e   | 4.0e

Detection & IOCs (extracted from sources)

ip: 212.83.190.122
url: hxxp://212.83.190.122/server/controller.zip
url: hxxp://212.83.190.122/server/agent.vbs
filename: controller.zip
filename: agent.vbs
filename: shcm.exe
filename: rmsg.exe
filename: svcm.exe
filename: help.bat
port: 3389
ip: 197.159.142.174
url: hxxp://197.159.142.174/server/agent.vbs
ip: 51.38.234.138
url: hxxp://51.38.234.138/security-updates/updates/update.exe
filename: WinSmb.exe
filename: worker.exe
snort: MS.SMB.Server.SMB1.WriteAndx.Trans2.Secondary.Code.Execution
snort: MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution
  • CVE-2017-0145 is exploited by the ETERNALROMANCE exploit targeting SMBv1; detect exploitation via the Fortinet IDS signature MS.SMB.Server.SMB1.WriteAndx.Trans2.Secondary.Code.Execution
  • PyRoMine stops the Windows Update Service and disables security services — monitor for net stop / sc disable commands targeting Windows Update and security services in conjunction with SMB exploitation
  • Fortinet AV detections for PyRoMine samples: Python/MS17_010.B!tr, Riskware/CoinMiner, VBS/Miner.PY!tr, VBS/Runner.NFO!tr
  • ETERNALROMANCE (CVE-2017-0145) requires authentication to exploit, but even a Guest account grants SYSTEM privileges — anonymous login is also attempted
  • The exploit targets SMBv1, which is a legacy protocol; many organizations had SMBv1 exposed to the internet, significantly widening the attack surface
  • PyRoMine configures Windows Remote Management to allow basic authentication and unencrypted data transfer, leaving the machine open to further attacks beyond the initial infection

CVSS provenance

Source       | Version | Score | Severity | Vector
-------------|---------|-------|----------|------------------------------------------------
nvd          | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          | v2.0    | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck    |         | 8.8   | HIGH     |
cisa         |         | 8.8   | HIGH     |
vendor_msrc  |         | 8.1   | HIGH     |