⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-04-27.

CVE-2017-0148Improper Input Validation in Corporation Windows SMB

CWE-20Improper Input Validation33 documents11 sources
Severity
8.8HIGHNVD
NVD8.1VulnCheck8.1CISA8.1
EPSS
94.1%
top 0.10%
CISA KEV
KEVRansomware
Added 2022-04-06
Due 2022-04-27
Exploit
Exploited in wild
Active exploitation observed
Affected products
21
Siemens Acuson Sc2000 FirmwareSiemens Syngo Sc2000 FirmwareMicrosoft Corporation Windows SMB+18 more
Timeline
PublishedMar 17
KEV addedApr 6
KEV dueApr 27
Latest updateMay 14
CISA Required Action: Apply updates per vendor instructions.

Description

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages21 packages

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

6
GHSA
GHSA-fqgw-29m3-pwh5: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14
GHSA
GHSA-3c3r-82gp-wc94: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14
GHSA
GHSA-8w56-gqrj-2wfg: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14
GHSA
GHSA-jxmr-j43h-4x9p: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14
GHSA
GHSA-mfj7-24mx-p6qj: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 82022-05-14

💥Exploits & PoCs

6
Exploit-DB
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)2019-10-02
Exploit-DB
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)2017-05-10
Exploit-DB
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)2017-04-17
Metasploit
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Metasploit
MS17-010 SMB RCE Detection

📋Vendor Advisories

2
CISA
Microsoft SMBv1 Server Remote Code Execution Vulnerability2022-04-06
Microsoft
Windows SMB Remote Code Execution Vulnerability2017-03-14

🕵️Threat Intelligence

12
Trendmicro
Cross Platform Modular Glupteba Malware Uses ManageX2020-09-29
Sentinelone
EternalBlue Exploit: What It Is And How It Works2019-05-27
Sentinelone
EternalBlue Exploit: What It Is And How It Works2019-05-27
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins2017-03-15
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins2017-03-15

📄Research Papers

1
arXiv
Evaluating the Performance of Twitter-based Exploit Detectors2020-11-05
CVE-2017-0148 — Improper Input Validation | cvebase