CVE-2017-0148
published 2017-03-17CVE-2017-0148: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT…
PriorityP196high8.1CVSS 3.1
AVNACHPRNUINSUCHIHAH
KEVITWEXPLOITRansomware
CISA Known Exploited Vulnerabilitydue 2022-04-27
Exploited in the wild
EPSS
99.37%
99.9th percentile
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.
Affected
31 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | server_message_block | — | — |
| microsoft_corporation | windows_smb | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
| philips | intellispace_portal | — | — |
| philips | intellispace_portal | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p500_firmware | — | — |
| siemens | acuson_p500_firmware | — | — |
| siemens | acuson_sc2000_firmware | — | — |
| siemens | acuson_sc2000_firmware | >= 4.0 < 4.0e | 4.0e |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect DoublePulsar payload delivery following EternalBlue exploitation; use Trend Micro Deep Security IPS Rules 1008327 and 1008328 for suspicious SMB sessions associated with DoublePulsar. ↗
- →Use Trend Micro Deep Security IPS Rules 1008224, 1008225, 1008227 for MS17-010 / Windows SMB remote code execution vulnerability coverage. ↗
- →Use Trend Micro Deep Discovery Inspector DDI Rule 2383 to detect CVE-2017-0144 SMB remote code execution requests. ↗
- →Use Trend Micro TippingPoint filters 27433, 27711, 27935, 27928 for MS17-010 SMB remote code execution coverage. ↗
- →Detect malicious Chrome extension installation via master_preferences file modification; look for the ManageX chrome AppID as an IOC in the master_preferences file. ↗
- →Alert on svchost.exe being spawned or injected by non-standard parent processes, as Glupteba uses it to disguise its downloader component after rootkit installation. ↗
- ·EternalBlue (CVE-2017-0148) targets SMBv1 exclusively; systems with SMBv1 disabled are not vulnerable. The exploit operates over port 445 and requires the target to have SMBv1 enabled. ↗
- ·DoublePulsar is commonly delivered as the post-exploitation payload after EternalBlue; detections should account for both the exploit and the backdoor implant as a combined attack chain. ↗
CVSS provenance
nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck8.1HIGH
cisa8.1HIGH
vendor_msrc8.1HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Microsoft SMBv1 Server Remote Code Execution Vulnerability
cisa·2022-04-06·CVSS 8.1
CVE-2017-0148 [HIGH] CWE-20 Microsoft SMBv1 Server Remote Code Execution Vulnerability
Vulnerability: Microsoft SMBv1 Server Remote Code Execution Vulnerability
Affected: Microsoft SMBv1 server
The SMBv1 server in Microsoft allows remote attackers to execute arbitrary code via crafted packets.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0148
Remediation Due Date: 2022-04-27
Microsoft
Windows SMB Remote Code Execution Vulnerability
vendor_msrc·2017-03-14·CVSS 8.1
CVE-2017-0148 [HIGH] Windows SMB Remote Code Execution Vulnerability
Windows SMB Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.
To exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.
Windows SMB Server: Windows SMB Server
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation More Likel
GHSA
GHSA-fqgw-29m3-pwh5: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2017-0143 [HIGH] CWE-20 GHSA-fqgw-29m3-pwh5: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
GHSA
GHSA-3c3r-82gp-wc94: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2017-0146 [HIGH] CWE-20 GHSA-3c3r-82gp-wc94: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.
GHSA
GHSA-8w56-gqrj-2wfg: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2017-0144 [HIGH] CWE-20 GHSA-8w56-gqrj-2wfg: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
GHSA
GHSA-jxmr-j43h-4x9p: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2017-0145 [HIGH] CWE-20 GHSA-jxmr-j43h-4x9p: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.
GHSA
GHSA-mfj7-24mx-p6qj: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2017-0148 [HIGH] CWE-20 GHSA-mfj7-24mx-p6qj: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.
VulnCheck
Microsoft SMBv1 Server Remote Code Execution Vulnerability
vulncheck·2017·CVSS 8.1
CVE-2017-0148 [HIGH] CWE-20 Microsoft SMBv1 Server Remote Code Execution Vulnerability
Microsoft SMBv1 Server Remote Code Execution Vulnerability
The SMBv1 server in Microsoft allows remote attackers to execute arbitrary code via crafted packets.
Affected: Microsoft SMBv1
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://digital.nhs.uk/cyber-alerts/2017/cc-1353; https://www.f5.com/labs/articles/threat-intelligence/from-nsa-exploit-to-widespread-ransomware-wannacry-is-on-the-loose-26847; https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf; https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&CommunityKey=8af7f28f-02f1-4107-8639-93a60b6546d4
No detection rules found.
Exploit-DB
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)
exploitdb·2019-10-02
CVE-2017-0148 DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'DOUBLEPULSAR Payload Execution and Neutralization',
'Description' => %q{
This module executes a Metasploit payload against the Equation Group's
DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.
While this module primarily performs code execution against the implant,
the "Neutralize implant" target allows you to disable the implant.
},
'Author' => [
'Equation Group', # DOUBLEPULSAR implant
'Shadow Brokers', # Equation Group dump
'zerosum0x0', # DOPU analysis and detection
'Luke Jennings', # DOPU analysis and detection
'wvu', # Metasploit modul
Exploit-DB
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)
exploitdb·2017-05-10
CVE-2017-0148 Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)
---
# Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com
# Date and time of release: May, 9 2017 - 13:00PM
# Found this and more exploits on my open source security project: http://www.exploitpack.com
#
# MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
# Tested on: Microsoft Windows Server 2008 x64 SP1 R2 Standard
#
# Description: SMBv1 SrvOs2FeaToNt OOB is prone to a remote code execution
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input. Srv.sys process SrvOs2FeaListSizeToNt
# and when the logic is not correct it leads to a cross-border copy. The vulnerability trigger point is as follows:
#
# Vu
Exploit-DB
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
exploitdb·2017-04-17
CVE-2017-0147 Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# auxiliary/scanner/smb/smb_ms_17_010
require 'msf/core'
class MetasploitModule 'MS17-010 SMB RCE Detection',
'Description' => %q{
Uses information disclosure to determine if MS17-010 has been patched or not.
Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.
If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does
not have the MS17-010 patch.
This module does not require valid SMB credentials in default server
configurations. It can log on as the user "\" and connect to IPC$.
},
'Author' => [ 'Sean Dillon ' ],
'Referenc
Metasploit
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
metasploit
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous logi
Metasploit
MS17-010 SMB RCE Detection
metasploit
MS17-010 SMB RCE Detection
MS17-010 SMB RCE Detection
Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$.
Metasploit
SMB DOUBLEPULSAR Remote Code Execution
metasploit
SMB DOUBLEPULSAR Remote Code Execution
SMB DOUBLEPULSAR Remote Code Execution
This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant.
Trendmicro
Cross Platform Modular Glupteba Malware Uses ManageX
blogs_trendmicro·2020-09-29
Cross Platform Modular Glupteba Malware Uses ManageX
Malware
# Cross-Platform / Modular Glupteba Malware Uses ManageX
This entry features the analysis of a variant of Glupteba, emphasizing the modularity and the cross-platform features of the malware as seen through the examination of its code. Notable in this variant is the use of ManageX.
By: Juan Carlos David Paglinawan
2020/09/29
Read time: ( words)
Save to Folio
We recently encountered a variant of Glupteba (detected by Trend Micro as Trojan.Win32.GLUPTEBA.WLDR). Glupteba is a trojan type that has been involved with Operation Windigo in the past. We also reported its attacks on MikroTik routers and updates on its command and control (C&C) servers.
With regard to its behavior, the variant shares many similarities with other Glupteba variants. Notable in this newly uncovered strain
Sentinelone
EternalBlue Exploit: What It Is And How It Works
blogs_sentinelone·2019-05-27·CVSS 8.8
CVE-2017-0143 [HIGH] EternalBlue Exploit: What It Is And How It Works
You will undoubtedly recall the names Shadow Brokers, who back in 2017 were dumping software exploits widely believed to be stolen from the US National Security Agency, and WannaCry , the notorious ransomware attack that struck only a month later.
Eternalblue
## What is Eternalblue?
CVE-2017-0143 to CVE-2017-0148 are a family of critical vulnerabilities in Microsoft SMBv1 server used in Windows 7, Windows Server 2008, Windows XP and even Windows 10 running on port 445. Hardcoded strings in the original Eternalblue executable reveal the targeted Windows versions:

The vulnerability doesn’t just apply to Microsoft Windows, though; in fact, anything that uses the Microsoft SMBv1 server protocol, such as Siemens ultrasound medical equipment , is potentially vulnerable.
Eternalchampion
Sentinelone
EternalBlue Exploit: What It Is And How It Works
blogs_sentinelone·2019-05-27·CVSS 8.8
[HIGH] EternalBlue Exploit: What It Is And How It Works
You will undoubtedly recall the names Shadow Brokers, who back in 2017 were dumping software exploits widely believed to be stolen from the US National Security Agency, and WannaCry, the notorious ransomware attack that struck only a month later.
Two years is a long-time in cybersecurity, but `Eternalblue` (aka “EternalBlue”, “Eternal Blue”), the critical exploit leaked by the Shadow Brokers and deployed in the WannaCry and NotPetya attacks, is still making the headlines. Although a recent claim by the New York Times that Eternalblue was involved in the Baltimore attack seems wide of the mark, there’s no doubt that the exploit is set to be a potent weapon for many years to come. In this post, we explain why and take a closer look at Eternalblue.
## What is Eternalblue?
CVE-2017-0143 to
Checkpoint
BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
blogs_checkpoint·2017-05-25
CVE-2017-0144 BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
AI Research 2
Android Malware 23
Artificial Intelligence 4
ChatGPT 3
Check Point Research Publications 455
Cloud Security 1
CPRadio 44
Crypto 2
Data & Threat Intelligence 2
Data Analysis 0
Demos 22
Global Cyber Attack Reports 408
How To Guides 13
Ransomware 5
Russo-Ukrainian War 1
Security Report 1
Threat and data analysis 0
Threat Research 174
Web 3.0 Security 11
Wipers 0
## BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
Background
Rarely does the release of an exploit have such a large impact across the
Checkpoint
Global Outbreak of WannaCry
blogs_checkpoint·2017-05-12·CVSS 8.8
CVE-2017-0143 [HIGH] Global Outbreak of WannaCry
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
AI Research 2
Android Malware 23
Artificial Intelligence 4
ChatGPT 3
Check Point Research Publications 455
Cloud Security 1
CPRadio 44
Crypto 2
Data & Threat Intelligence 2
Data Analysis 0
Demos 22
Global Cyber Attack Reports 408
How To Guides 13
Ransomware 5
Russo-Ukrainian War 1
Security Report 1
Threat and data analysis 0
Threat Research 174
Web 3.0 Security 11
Wipers 0
## Global Outbreak of WannaCry
[Updated May 17, 2017]
On May 12, 2017 the Check Point Incident Response Team started tracking a wide spread outbreak of the WannaCryp ransomware . We have rep
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
# March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro
2017/03/15
Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB). This vulnerability potentially allows cyber criminals to render affected system
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Ausnutzung von Schwachstellen
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Sfruttamento vulnerabilità
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected sy
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits y vulnerabilidades
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected s
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro 2017/03/15 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected syst
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected sy
Recorded Future
What Is WannaCry? Analyzing the Global Ransomware Attack
blogs_recorded_future
What Is WannaCry? Analyzing the Global Ransomware Attack
# What Is WannaCry? Analyzing the Global Ransomware Attack
### Key Takeaways
- WannaCry ransomware is a new variant of WanaCypt0r, which uses the ETERNALBLUE SMBv1 exploit to infect connected systems.
- Over 100 countries were affected by the ransomware.
- Three Bitcoin wallets are associated with the WannaCry 2.0 ransomware, which have received almost $26,000 in transfers since the beginning of the latest infection, a small sum considering the scope of damage.
- As of this posting, no money appears to have been moved from the Bitcoin wallets.
- Criminals behind WannaCry piggybacked on publicly dumped Equation Group exploits in an attempt to abuse free tools for easy money.
- We believe the criminals behind WannaCry didn’t intend for such a widespread attack, nor did they possess the exp
Recorded Future
What Is WannaCry? Analyzing the Global Ransomware Attack | Recorded Future
blogs_recorded_future
What Is WannaCry? Analyzing the Global Ransomware Attack | Recorded Future
## What Is WannaCry? Analyzing the Global Ransomware Attack
## Key Takeaways
WannaCry ransomware is a new variant of WanaCypt0r, which uses the ETERNALBLUE SMBv1 exploit to infect connected systems.
Over 100 countries were affected by the ransomware .
Three Bitcoin wallets are associated with the WannaCry 2.0 ransomware, which have received almost $26,000 in transfers since the beginning of the latest infection, a small sum considering the scope of damage.
As of this posting, no money appears to have been moved from the Bitcoin wallets.
Criminals behind WannaCry piggybacked on publicly dumped Equation Group exploits in an attempt to abuse free tools for easy money.
We believe the criminals behind WannaCry didn’t intend for such a widespread attack, nor did they possess the expertise
Recorded Future
Chinese and Russian Communities Analyze Shadow Brokers Malware Release
blogs_recorded_future·CVSS 8.8
[HIGH] Chinese and Russian Communities Analyze Shadow Brokers Malware Release
# Chinese and Russian Cyber Communities Dig Into Malware From April Shadow Brokers Release
As of April 15, the Chinese cyber community had begun to investigate the most recent release of malware from the Shadow Brokers group. Security researchers and cyber actors reversed several of the tools and were particularly interested in the exploit framework (named FUZZBUNCH), the SMB malware (ETERNALBLUE), and the privilege escalation tool (ETERNALROMANCE).
Chinese-speaking actors additionally focused on the unique malware trigger point and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses.
Mentions of one of the tools, ETERNALBLUE, on the Chinese language web over time.
Mentions of Shadow Brokers-released malw
arXiv
Evaluating the Performance of Twitter-based Exploit Detectors
arxiv_fulltext·2020-11-05
Evaluating the Performance of Twitter-based Exploit Detectors
Graygray0.9
g>Grayr
G>Grayc
## Abstract
Patch prioritization is a crucial aspect of information systems security, and knowledge of which vulnerabilities were exploited in the wild is a powerful tool to help systems administrators accomplish this task. The analysis of social media for this specific application can enhance the results and bring more agility by collecting data from online discussions and applying machine learning techniques to detect real-world exploits. In this paper, we use a technique that combines Twitter data with public database information to classify vulnerabilities as exploited or not-exploited. We analyze the behavior of different classifying algorithms, investigate the influence of different antivirus data as ground truth, and experiment with various time window
http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.htmlhttp://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.htmlhttp://www.securityfocus.com/bid/96706http://www.securitytracker.com/id/1037991https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdfhttps://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdfhttps://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148https://www.exploit-db.com/exploits/41891/https://www.exploit-db.com/exploits/41987/http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.htmlhttp://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.htmlhttp://www.securityfocus.com/bid/96706http://www.securitytracker.com/id/1037991https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdfhttps://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdfhttps://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148https://www.exploit-db.com/exploits/41891/https://www.exploit-db.com/exploits/41987/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0148
2017-03-17
Published
2022-04-06
Added to CISA KEV
Exploited in the wild