CVE-2017-8461
Published: 2017-06-15
Priority P261 · high · 7.8 (CVSS 3.1) · AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 21.11% (97.3th percentile)
Windows RPC with Routing and Remote Access enabled in Windows XP and Windows Server 2003 allows an attacker to execute code on a targeted RPC server which has Routing and Remote Access enabled via a specially crafted application, aka "Windows RPC Remote Code Execution Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft_corporation | microsoft_windows | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated DCERPC calls over SMBv1 named pipes targeting the RRAS service (MIBEntryGet operation) on Windows Server 2003 / Windows XP hosts with Routing and Remote Access enabled.
- Alert on unexpected crashes or restarts of svchost.exe on systems with RRAS enabled, as a failed exploit attempt against this vulnerability can cause other system services hosted in svchost.exe to fail.
- Detect exploitation attempts targeting the MIBEntryGet overflow in the Windows RRAS service; the Metasploit module is named 'smb_rras_erraticgopher', which may appear in attacker tooling or logs.
- The exploit is only viable when the Routing and Remote Access Service (RRAS) is enabled on the target. Disabling RRAS eliminates the attack surface.
- The Metasploit module targets Windows Server 2003 only (SP0, SP1, SP2, R2 SP2 x86), even though Windows XP is also listed as vulnerable in the CVE description.
- Exploitation requires SMBv1 to be accessible; blocking or disabling SMBv1 prevents unauthenticated access to the RRAS DCERPC endpoint via the browser named pipe.
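CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |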
No detection rules found.
Qualys
Microsoft Fixes 94 Security Issues in Massive June Update | Qualys
blogs_qualys · 2017-06-13 · CVSS 8.1 · [HIGH]
Today Microsoft released patches to fix 94 vulnerabilities, out of which 27 fix remote code execution issues which can allow attackers to remotely take control of victim machines. This is a massive update and fixes more than double the number of vulnerabilities as compared to the last two months.
Microsoft also released Security Advisory 4025685, which includes patches for older platforms due to heightened risk of exploitation. In my opinion this should be treated as a blueprint for future attacks, and updates for EOL operating systems should be applied as soon as possible. Older platforms include Windows XP, Windows Server 2003, Vista and Windows 8, and older issues like MS08-067, MS09-050, MS10-061, MS14-068, MS17-010, MS17-013 are patched. Newer issues affecting older platforms like CV
- http://packetstormsecurity.com/files/161672/Microsoft-Windows-RRAS-Service-MIBEntryGet-Overflow.html
- http://www.securityfocus.com/bid/99012
- http://www.securitytracker.com/id/1038701
- https://support.microsoft.com/en-us/help/4024323/security-update-of-windows-xp-and-windows-server-2003