⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-04-15.

CVE-2017-0146Improper Input Validation in Corporation Windows SMB

CWE-20Improper Input Validation38 documents13 sources
Severity
8.8HIGHNVD
NVD8.1
EPSS
93.3%
top 0.19%
CISA KEV
KEVRansomware
Added 2022-03-25
Due 2022-04-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
21
Siemens Acuson Sc2000 FirmwareSiemens Syngo Sc2000 FirmwareMicrosoft Corporation Windows SMB+18 more
Timeline
PublishedMar 17
KEV addedMar 25
KEV dueApr 15
Latest updateMay 14
CISA Required Action: Apply updates per vendor instructions.

Description

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages21 packages

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

6
GHSA
GHSA-fqgw-29m3-pwh5: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14
GHSA
GHSA-3c3r-82gp-wc94: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14
GHSA
GHSA-8w56-gqrj-2wfg: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14
GHSA
GHSA-jxmr-j43h-4x9p: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14
GHSA
GHSA-mfj7-24mx-p6qj: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14

💥Exploits & PoCs

9
Exploit-DB
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)2019-10-02
Exploit-DB
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)2018-02-05
Exploit-DB
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)2017-05-10
Exploit-DB
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)2017-04-17
Metasploit
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

📋Vendor Advisories

2
CISA
Microsoft Windows SMB Remote Code Execution Vulnerability2022-03-25
Microsoft
Windows SMB Remote Code Execution Vulnerability2017-03-14

🕵️Threat Intelligence

14
Trendmicro
BlackSquid Infects Servers and Drives, 8 Exploits Used2019-06-03
Trendmicro
BlackSquid Infects Servers and Drives, 8 Exploits Used2019-06-03
Sentinelone
SentinelOne Detects Shadow Broker Binaries with Static AI2017-04-21
Sentinelone
SentinelOne Detects Shadow Broker Binaries with Static AI2017-04-21
Qualys
The Shadow Brokers Release Zero Day Exploit Tools | Qualys2017-04-15

📄Research Papers

2
arXiv
Evaluating the Performance of Twitter-based Exploit Detectors2020-11-05
CTF
17. Using the Metasploit-Framework / Using the Metasploit-Framework
CVE-2017-0146 — Improper Input Validation | cvebase