Multiple vulnerabilities in Microsoft Windows SMB Server

Published: 2017-03-14 | Updated: 2017-04-15
Severity: Critical
Patch available: YES
Number of vulnerabilities: 6
CVE ID: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148, CVE-2017-0147
CWE ID: CWE-20, CWE-200
Exploitation vector: Network
Public exploit:
Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #3 is available.
Vulnerability #4 is being exploited in the wild.
Public exploit code for vulnerability #5 is available.
Vulnerability #6 is being exploited in the wild.
Vulnerable software: Windows, Windows Server
Vendor: Microsoft

Security Advisory

Five out of six vulnerabilities were used in targeted attacks, according to the latest Shadow Brokers leak. The exploits in question, dubbed EternalBlue, EternalChampion, EternalRomance and EternalSynergy, are publicly available. Therefore we are raising the severity level for this advisory to critical.

1) Improper input validation

Severity: High

CVSSv3: 9.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-0143

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Windows: 7, 8.1, 10, RT 8.1, Vista

Windows Server: 2008, 2008 R2, 2012, 2012 R2, 2016

External links

https://technet.microsoft.com/en-us/library/security/MS17-010

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

2) Improper input validation

Severity: High

CVSSv3: 9.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-0144

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Windows: 7, 8.1, 10, RT 8.1, Vista

Windows Server: 2008, 2008 R2, 2012, 2012 R2, 2016

External links

https://technet.microsoft.com/en-us/library/security/MS17-010

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

3) Improper input validation

Severity: High

CVSSv3: 9.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-0145

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Windows: 7, 8.1, 10, RT 8.1, Vista

Windows Server: 2008, 2008 R2, 2012, 2012 R2, 2016

External links

https://technet.microsoft.com/en-us/library/security/MS17-010

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

4) Improper input validation

Severity: Critical

CVSSv3: 9.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-0146

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: this vulnerability has been exploited in the wild and is publicly known as the EternalChampion exploit.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Windows: 7, 8.1, 10, RT 8.1, Vista

Windows Server: 2008, 2008 R2, 2012, 2012 R2, 2016

External links

https://technet.microsoft.com/en-us/library/security/MS17-010

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

5) Improper input validation

Severity: High

CVSSv3: 9.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-0148

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Windows: 7, 8.1, 10, RT 8.1, Vista

Windows Server: 2008, 2008 R2, 2012, 2012 R2, 2016

External links

https://technet.microsoft.com/en-us/library/security/MS17-010

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

6) Information disclosure

Severity: Medium

CVSSv3: 5.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:H/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-0147

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and gain access to potentially sensitive data.

Successful exploitation of this vulnerability may allow an attacker to gain access to potentially sensitive information.

Note: this vulnerability has been exploited in the wild and is publicly known as the EternalChampion exploit.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Windows: 7, 8.1, 10, RT 8.1, Vista

Windows Server: 2008, 2008 R2, 2012, 2012 R2, 2016

External links

https://technet.microsoft.com/en-us/library/security/MS17-010

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.