CVE-2019-0630
Published 2019-03-05
Priority: P1 · 80 · high · CVSS 3.0: 8.8
CVSS 3.0 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 17.84% (96.8th percentile)
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0633.
Affected
53 ranges (25 shown in the source; version ranges and fixed-in values are not listed for any of them, so identical rows are collapsed below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server | — | — |
Detection & IOCs (extracted from sources)
- CVE-2019-0630 targets SMBv2: detect specially crafted SMBv2 packets from authenticated attackers to SMBv2 servers (PR:L in the CVSS vector: the attacker needs valid credentials on the target); monitor for anomalous SMBv2 request patterns.
- CVE-2019-0630 is exploited in the wild by TrickBot (alongside CVE-2019-0633) for SMB-based lateral movement; correlate SMBv2 exploitation attempts with TrickBot/Emotet infection chains.
- Emotet (which delivers TrickBot exploiting CVE-2019-0630) uses rundll32 to execute randomly named DLLs with a .byk extension from random-named subdirectories under syswow64 or appdata\local; alert on rundll32 loading DLLs with unusual extensions from these paths.
- TrickBot injects into svchost.exe via process hollowing after spawning it from a scheduled task named 'Malware'; monitor for svchost.exe spawned by unexpected parent processes and for scheduled tasks with suspicious names.
- Emotet C2 communication structure includes BotID, FilenameHash, BotVersion, Const_100000, WinVersion, SessionID and ModuleIDs fields; use these as network signature anchors in HTTP POST traffic.
- TrickBot exfiltrates data via HTTP POST with customized Content-Disposition headers; alert on anomalous Content-Disposition values in outbound POST requests.
- Emotet uses ECC (Elliptic Curve Cryptography) for C2 encryption; the specific public keys can be used as static signatures in memory or network traffic to identify Emotet samples.
- Caveat: Microsoft rates CVE-2019-0630 'Exploitation More Likely' for both latest and older software releases, but as of advisory publication (2019-02-12) it had NOT been publicly disclosed or actively exploited in the wild per Microsoft's own tracking; the in-the-wild status above comes from later TrickBot reporting.
- Caveat: the Emotet C2 IP list from the Qualys blog (2022-01-06) reflects a point-in-time snapshot of Emotet infrastructure; IPs rotate frequently and the list may include both active and stale entries.
- Caveat: the random-named folder and DLL filenames (e.g., abcdfg, bjdsdf.byk) are illustrative examples of the naming pattern, not fixed IOCs; actual filenames will differ per infection.
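The process-creation and HTTP heuristics in the list above, as an added example that is not code from any of the sources cited on this page: it runs the rundll32 staging-directory check, the svchost.exe parent check and the Content-Disposition grammar check over constructed events. The event field names, the expected-parent set for svchost.exe, the staging-directory list, and every sample path, host and header value are assumptions made for the example; the .byk filename pattern is taken from the IOC list, which itself calls those names illustrative.

```python
"""Heuristic detections for the TrickBot/Emotet tradecraft in the IOC list.

Added example, not from any of the page's sources. All events are
constructed; field names only loosely mimic Sysmon/EDR process-creation
and proxy logs (assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


@dataclass
class HttpEvent:
    method: str
    host: str
    headers: Dict[str, str]


# Staging directories named in the IOC list, matched as case-insensitive
# substrings of the normalised path (assumption: a starting list, not exhaustive).
STAGING_DIRS = ("\\syswow64\\", "\\appdata\\local\\")

# rundll32[.exe] <path>[,EntryPoint]; path may be quoted. Simplified grammar:
# the path ends at the first comma or at end of line.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*(?:,|$)',
                        re.IGNORECASE)

# svchost.exe is normally started by services.exe; a random-named binary
# launched from a scheduled task is not. Assumption: tune for your estate.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}

# Standard Content-Disposition types/parameters (RFC 6266, RFC 7578). A POST
# whose header uses anything else is the "customised" header the IOC describes.
DISP_TYPES = {"inline", "attachment", "form-data"}
DISP_PARAMS = {"name", "filename", "filename*", "creation-date",
               "modification-date", "read-date", "size"}
PARAM_RE = re.compile(r'^\s*([\w*-]+)\s*=\s*(?:"[^"]*"|[^;]*)\s*$')


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_rundll32(ev: ProcEvent) -> Optional[str]:
    """Flag rundll32 loading a non-.dll file from a staging directory."""
    if basename(ev.image) != "rundll32.exe":
        return None
    m = RUNDLL_ARG.search(ev.command_line)
    if not m:
        return None
    target = m.group(1).strip().lower()
    name = basename(target)
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext != "dll" and any(d in target for d in STAGING_DIRS):
        return f"rundll32 loading non-DLL file {target!r} from a staging directory"
    return None


def check_svchost_parent(ev: ProcEvent) -> Optional[str]:
    """Flag svchost.exe whose parent is not the service control manager."""
    if basename(ev.image) != "svchost.exe":
        return None
    parent = basename(ev.parent_image)
    if parent not in EXPECTED_SVCHOST_PARENTS:
        return f"svchost.exe spawned by unexpected parent {parent!r}"
    return None


def check_content_disposition(ev: HttpEvent) -> Optional[str]:
    """Flag outbound POSTs whose Content-Disposition is off-grammar."""
    if ev.method.upper() != "POST":
        return None
    headers = {k.lower(): v for k, v in ev.headers.items()}
    cd = headers.get("content-disposition")
    if cd is None:
        return None
    dtype, *params = cd.split(";")   # naive split; a quoted ';' would mis-parse
    if dtype.strip().lower() not in DISP_TYPES:
        return f"POST to {ev.host}: non-standard disposition type {dtype.strip()!r}"
    for p in params:
        m = PARAM_RE.match(p)
        if not m or m.group(1).lower() not in DISP_PARAMS:
            return f"POST to {ev.host}: non-standard Content-Disposition parameter {p.strip()!r}"
    return None


def scan(procs: List[ProcEvent], https: List[HttpEvent]) -> List[str]:
    alerts = []
    for ev in procs:
        for check in (check_rundll32, check_svchost_parent):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    for ev in https:
        hit = check_content_disposition(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real infections); folder and file names
# follow the random-name pattern the IOC list calls illustrative.
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\explorer.exe",
              r'rundll32.exe "C:\Windows\SysWOW64\abcdfg\bjdsdf.byk",Control_RunDLL'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              r"svchost.exe -k netsvcs"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Users\bob\AppData\Roaming\abcdfg\ghjkq.exe", r"svchost.exe"),
]
SAMPLE_HTTP = [
    HttpEvent("POST", "files.example.com",
              {"Content-Disposition": 'form-data; name="upload"; filename="report.pdf"'}),
    HttpEvent("POST", "203.0.113.10",
              {"Content-Disposition": 'form-data; name="data"; mode=upload'}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PROCS, SAMPLE_HTTP):
        print("ALERT:", alert)
```

Of the six constructed events, the three benign ones (a stock shell32.dll load, an svchost.exe under services.exe, a well-formed multipart upload) pass and the three suspicious ones raise an alert each. The rundll32 rule keys on the extension and directory rather than on any fixed filename, which is what the IOC list's own caveat about random names requires; the Content-Disposition rule rejects on grammar rather than on a specific TrickBot value, since the page records only that the header is customised.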
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
GHSA
GHSA-fmq9-923h-5cmq · CVE-2019-0633 [HIGH] · ghsa_unreviewed · 2022-05-14 · CVSS 8.8
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0630.
GHSA
GHSA-9vjr-7mpv-6898 · CVE-2019-0630 [HIGH] · ghsa_unreviewed · 2022-05-14 · CVSS 8.8
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0633.
VulnCheck
CVE-2019-0630 [HIGH] Windows SMB Remote Code Execution
vulncheck · 2019 · CVSS 8.8
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0633.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.niiconsulting.com/Security_Advisories/Security_Advisory_Digest_April_edition_1_digest_pdf.pdf; https://blog.qualys.com/vulnerabilities-threat-research/2022/01/06/emotet-re-emerges-with-help-from-trickbot
VulnCheck
CVE-2019-0633 [HIGH] Windows SMB Remote Code Execution
vulncheck · 2019 · CVSS 8.8
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0630.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.niiconsulting.com/Security_Advisories/Security_Advisory_Digest_April_edition_1_digest_pdf.pdf; https://blog.qualys.com/vulnerabilities-threat-research/2022/01/06/emotet-re-emerges-with-help-from-trickbot
Microsoft
CVE-2019-0630 [HIGH] Windows SMB Remote Code Execution Vulnerability
vendor_msrc · 2019-02-12 · CVSS 7.5
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.
To exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv2 server.
The security update addresses the vulnerability by correcting how SMBv2 handles these specially crafted requests.
Affected component: Windows SMB Server
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation More Likely; Older Software Release: Exploitation More Likely
No detection rules found.
No public exploits indexed.
Qualys
Emotet Re-emerges with Help from TrickBot
blogs_qualys · 2022-01-06
## Table of Contents
Background Information about TrickBot
Background Information about Emotet
Latest Findings for Emotet
Vulnerabilities Associated with TrickBot
Detection & Mitigation of an Emotet Attack
Emotet has recently re-emerged after being taken down less than a year ago by global law enforcement as coordinated by Europol and Eurojust. The takedown was achieved after law enforcement compromised a command-and-control system, and then pushed a specially crafted update to Emotet agents that leveraged the botnet to remove itself.
Now Emotet is being resurrected with the help of TrickBot. BleepingComputer.com published two reports documenting this resurgence through both phishing campaigns and a fake Adobe Windows Installer.
Trendmicro
[CRITICAL] February Patch Tuesday: Batch Includes 77 Updates
blogs_trendmicro · 2019-02-13 · CVSS 9.8
Exploits & Vulnerabilities
## February Patch Tuesday: Batch Includes 77 Updates
Microsoft released 77 updates, along with three new advisories, in this month's Patch Tuesday. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office, among others.
By: Trend Micro Research, Feb 13, 2019
It's time to get security updates installed. Microsoft released 77 updates, along with three new advisories, in this month's Patch Tuesday. The bulletin patches four publicly known bugs, rated Important, and one that is under active attack. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office and Microsoft Office Services and Web Apps, Azure, Team Foundation Services, a