CVE-2017-0144:CVE-2017-0144 is a remote code execution vulnerability in the SMBv1 server of several Windows versions that allows an attacker to execute arbitrary code by sending crafted SMB packets.

splash
Back

Description Preview

The SMBv1 server in affected Windows platforms (including Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 versions 1507/1511/1607, and Windows Server 2016) is exploitable by remote attackers through specially crafted packets, enabling arbitrary code execution with the potential for full system compromise. This vulnerability is distinct from CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148. It is commonly referred to in relation to the SMB Remote Code Execution family and was widely publicized as an active exploit vector in 2017.

Overview

The vulnerability enables remote code execution via the SMBv1 service, spanning multiple Windows client and server releases. It can be triggered by crafted network traffic over SMB, often requiring no user interaction and enabling potential worm-like propagation. This CVE is separate from other SMB-related flaws disclosed around the same time and became infamous due to high-profile exploitation in the wild.

Remediation

  • Apply the Microsoft security update for CVE-2017-0144 (MS17-010) across all affected Windows systems and servers.
  • Disable SMBv1 on all systems to reduce exposure. Recommended commands:
    • PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    • or DISM: dism /online /norestart /disable-feature:SMB1Protocol After disabling, reboot as required.
  • Enable and rely on SMBv2/SMBv3 only; ensure configurations and services that require SMBv1 are migrated or isolated.
  • Block or restrict SMB traffic at the network edge:
    • Block inbound TCP 445 to internal networks from untrusted networks.
    • Apply firewall rules to limit SMB access to trusted subnets or hosts only.
  • For environments with legacy devices that must use SMBv1:
    • Isolate those devices on a separate network segment with strict access controls.
    • Plan an upgrade or vendor patch to discontinue SMBv1 usage.
  • Validate patching status and conduct regular vulnerability scans; monitor for exploit attempts and enable appropriate EDR/IDS detections.
  • Maintain up-to-date antivirus/anti-malware signatures and security baselines; educate operators about this attack vector and best practices.

References

  • Microsoft Security Advisory: CVE-2017-0144 (MS17-010) https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144
  • MITRE CVE: CVE-2017-0144 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144
  • Exploit-DB: Exploit for CVE-2017-0144 (42031) https://www.exploit-db.com/exploits/42031/
  • Exploit-DB: Exploit for CVE-2017-0144 (42030) https://www.exploit-db.com/exploits/42030/
  • Exploit-DB: Exploit for CVE-2017-0144 (41891) https://www.exploit-db.com/exploits/41891/
  • SecurityTracker: 1037991 https://www.securitytracker.com/id/1037991
  • Siemens CERT: SSA-701903 https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
  • ICS-CERT Advisory: ICSMA-18-058-02 https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
  • Exploit-DB: Exploit 41987 https://www.exploit-db.com/exploits/41987/
  • SecurityFocus BID: 96704 http://www.securityfocus.com/bid/96704
  • Siemens CERT: SSA-966341 https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
  • PacketStorm: DoublePulsar Payload Neutralization http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
  • PacketStorm: SMB-DOUBLEPULSAR Remote-Code-Execution http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html

Early Warning

Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers. Click here to learn how to receive alerts earlier.

Armis Alert Date
Mar 15, 2017
CISA KEV Date
Feb 10, 2022
1793days early

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Health Care & Social Assistance: Medium
    Health Care & Social Assistance
  3. Public Administration: Low
    Public Administration
  4. Transportation & Warehousing: Low
    Transportation & Warehousing
  5. Retail Trade: Low
    Retail Trade
  6. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  7. Finance and Insurance: Low
    Finance and Insurance
  8. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  9. Educational Services: Low
    Educational Services
  10. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  11. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  12. Utilities: Low
    Utilities
  13. Accommodation & Food Services: Low
    Accommodation & Food Services
  14. Information: Low
    Information
  15. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  16. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  17. Construction: Low
    Construction
  18. Mining: Low
    Mining
  19. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background