CVE-2017-0144:
CVE-2017-0144 is a remote code execution vulnerability in the SMBv1 server of several Windows versions that allows an attacker to execute arbitrary code by sending crafted SMB packets.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.8High- Published Date:Mar 17, 2017
- CISA KEV Date:Feb 10, 2022
- Industries Affected:20
1791 DaysThreat Predictions
- EPSS Score:94.3
- EPSS Percentile:100%
Exploitability
- Score:2.8
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:LOW
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
CVE-2017-0144 is a remote code execution vulnerability in the SMBv1 server of several Windows versions that allows an attacker to execute arbitrary code by sending crafted SMB packets.
Overview
The vulnerability enables remote code execution via the SMBv1 service, spanning multiple Windows client and server releases. It can be triggered by crafted network traffic over SMB, often requiring no user interaction and enabling potential worm-like propagation. This CVE is separate from other SMB-related flaws disclosed around the same time and became infamous due to high-profile exploitation in the wild.
Remediation
- Apply the Microsoft security update for CVE-2017-0144 (MS17-010) across all affected Windows systems and servers.
- Disable SMBv1 on all systems to reduce exposure. Recommended commands:
- PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
- or DISM: dism /online /norestart /disable-feature:SMB1Protocol
- After disabling, reboot as required.
- Enable and rely on SMBv2/SMBv3 only; ensure configurations and services that require SMBv1 are migrated or isolated.
- Block or restrict SMB traffic at the network edge:
- Block inbound TCP 445 to internal networks from untrusted networks.
- Apply firewall rules to limit SMB access to trusted subnets or hosts only.
- For environments with legacy devices that must use SMBv1:
- Isolate those devices on a separate network segment with strict access controls.
- Plan an upgrade or vendor patch to discontinue SMBv1 usage.
- Validate patching status and conduct regular vulnerability scans; monitor for exploit attempts and enable appropriate EDR/IDS detections.
- Maintain up-to-date antivirus/anti-malware signatures and security baselines; educate operators about this attack vector and best practices.
References
- - Microsoft Security Advisory: CVE-2017-0144 (MS17-010) https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144
- - MITRE CVE: CVE-2017-0144 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144
- - Exploit-DB: Exploit for CVE-2017-0144 (42031) https://www.exploit-db.com/exploits/42031/
- - Exploit-DB: Exploit for CVE-2017-0144 (42030) https://www.exploit-db.com/exploits/42030/
- - Exploit-DB: Exploit for CVE-2017-0144 (41891) https://www.exploit-db.com/exploits/41891/
- - SecurityTracker: 1037991 https://www.securitytracker.com/id/1037991
- - Siemens CERT: SSA-701903 https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- - ICS-CERT Advisory: ICSMA-18-058-02 https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- - Exploit-DB: Exploit 41987 https://www.exploit-db.com/exploits/41987/
- - SecurityFocus BID: 96704 http://www.securityfocus.com/bid/96704
- - Siemens CERT: SSA-966341 https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- - PacketStorm: DoublePulsar Payload Neutralization http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- - PacketStorm: SMB-DOUBLEPULSAR Remote-Code-Execution http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:Mar 15, 2017
- CISA KEV Date:Feb 10, 2022
- Days Early:1791 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
