CVE-2017-0147
published 2017-03-17

Priority: P1 (90) · high · CVSS 3.1 base score 7.5
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-06-14
Exploited in the wild
EPSS: 99.69% (99.9th percentile)
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via crafted packets, aka "Windows SMB Information Disclosure Vulnerability."

Affected

28 ranges · showing 25

Vendor                 Product                                      Version range     Fixed in
microsoft              windows_server_2008
microsoft              windows_server_2012
microsoft_corporation  windows_smb
msrc                   windows_10
msrc                   windows_10_version_1511
msrc                   windows_10_version_1607
msrc                   windows_7
msrc                   windows_8.1
msrc                   windows_rt_8.1
msrc                   windows_server_2008
msrc                   windows_server_2008_r2
msrc                   windows_server_2012
msrc                   windows_server_2012_r2
msrc                   windows_server_2016
msrc                   windows_vista_service_pack_2
msrc                   windows_vista_x64_edition_service_pack_2
siemens                acuson_p300_firmware
siemens                acuson_p300_firmware
siemens                acuson_p300_firmware
siemens                acuson_p300_firmware
siemens                acuson_p500_firmware
siemens                acuson_p500_firmware
siemens                acuson_sc2000_firmware
siemens                acuson_sc2000_firmware                       >= 4.0 < 4.0e     4.0e
siemens                acuson_x700_firmware

Detection & IOCs (extracted from sources)

domain: 1dnscontrol[.]com
url: hxxp://1dnscontrol[.]com/flash_install.php
hash: fbbdc39af1139aebba4da004475e8839
hash: 1d724f95c61f1055f0d02c2154bbccd3
hash: b14d8faf7f0cbcfad051cefe5f39645f
filename: install_flash_player.exe
path: C:\Windows\infpub.dat
path: C:\Windows\dispci.exe
port: 445
mutex: internationalCyberWarefare
mutex: internationalCyberWarefareV3
bytes: XOR key 24db007a
  • Detect Petya/NotPetya lateral movement via SMB: look for TRANS2 SESSION_SETUP request packets carrying the Petya DLL payload in 4096-byte chunks, XOR-encoded with key 0x24db007a
  • Detect Bad Rabbit dropper execution: monitor for rundll32 loading infpub.dat from C:\Windows and creation of dispci.exe in C:\Windows
  • Block or alert on execution of c:\windows\infpub.dat and C:\Windows\cscc.dat as recommended by Kaspersky
  • CVE-2017-0147 (EternalChampion/EternalRomance SMBv1 info-disclosure) accounted for 26.7% of all exploitation attempts in 2H 2024 — prioritize detection of SMBv1 exploitation attempts on legacy Windows systems
  • Necro Python bot includes EternalRomance (CVE-2017-0147) exploit; detect Python-based SMB exploitation attempts and monitor for pyinstaller-generated PE files performing SMB scanning on port 445
  • Detect credential-stealing DLL dropped to %TEMP% and executed via rundll32 in Petya/NotPetya attacks; the tool resembles Mimikatz
  • Detect PsExec usage for remote execution of Petya payload after credential theft via SMB exploitation of CVE-2017-0147
  • Bad Rabbit uses EternalRomance (CVE-2017-0147) only for lateral movement within corporate networks after initial drive-by infection; the initial infection vector does NOT use this exploit

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd          v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:P/I:N/A:N
vulncheck             7.5    HIGH
cisa                  7.5    HIGH
vendor_msrc           8.1    HIGH