CVE-2017-0148
published 2017-03-17


Priority: P1 · 96 · high · CVSS 3.1 base score 8.1
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-27
Exploited in the wild
EPSS: 99.37% (99.9th percentile)
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.

Affected

31 ranges (showing 25)

Vendor                 Product                                      Version range     Fixed in
microsoft              server_message_block
microsoft_corporation  windows_smb
msrc                   windows_10
msrc                   windows_10_version_1511
msrc                   windows_10_version_1607
msrc                   windows_7
msrc                   windows_8.1
msrc                   windows_rt_8.1
msrc                   windows_server_2008
msrc                   windows_server_2008_r2
msrc                   windows_server_2012
msrc                   windows_server_2012_r2
msrc                   windows_server_2016
msrc                   windows_vista_service_pack_2
msrc                   windows_vista_x64_edition_service_pack_2
philips                intellispace_portal
philips                intellispace_portal
siemens                acuson_p300_firmware
siemens                acuson_p300_firmware
siemens                acuson_p300_firmware
siemens                acuson_p300_firmware
siemens                acuson_p500_firmware
siemens                acuson_p500_firmware
siemens                acuson_sc2000_firmware
siemens                acuson_sc2000_firmware                       >= 4.0 < 4.0e     4.0e

Detection & IOCs (extracted from sources)

port: 445
url: hxxp://fffffk[.]xyz/down/m_inc[.]js?1589344811463
url: hxxp://info[.]d3pk[.]com/js_json
domain: fffffk[.]xyz
domain: info[.]d3pk[.]com
filename: wcrx.exe
filename: m_inc.js
  • Detect DoublePulsar payload delivery following EternalBlue exploitation; use Trend Micro Deep Security IPS Rules 1008327 and 1008328 for suspicious SMB sessions associated with DoublePulsar.
  • Use Trend Micro Deep Security IPS Rules 1008224, 1008225, 1008227 for MS17-010 / Windows SMB remote code execution vulnerability coverage.
  • Use Trend Micro Deep Discovery Inspector DDI Rule 2383 to detect CVE-2017-0144 SMB remote code execution requests.
  • Use Trend Micro TippingPoint filters 27433, 27711, 27935, 27928 for MS17-010 SMB remote code execution coverage.
  • Detect malicious Chrome extension installation via master_preferences file modification; look for the ManageX chrome AppID as an IOC in the master_preferences file.
  • Alert on svchost.exe being spawned or injected by non-standard parent processes, as Glupteba uses it to disguise its downloader component after rootkit installation.
  • EternalBlue (CVE-2017-0148) targets SMBv1 exclusively; systems with SMBv1 disabled are not vulnerable. The exploit operates over port 445 and requires the target to have SMBv1 enabled.
  • DoublePulsar is commonly delivered as the post-exploitation payload after EternalBlue; detections should account for both the exploit and the backdoor implant as a combined attack chain.

CVSS provenance

Source       Version   Score   Severity   Vector
nvd          v3.1      8.1     HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck              8.1     HIGH
cisa                   8.1     HIGH
vendor_msrc            8.1     HIGH