CVE-2017-0146

Microsoft Windows SMB Remote Code Execution Vulnerability

Severity Score

8.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.

El servidor SMBv1 en Microsoft Windows Vista SP2; Windows Server 2008 SP2 y R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold y R2; Windows RT 8.1; y Windows 10 Gold, 1511 y 1607; y Windows Server 2016 permite a atacantes remotos ejecutar código arbitrario a través de paquetes manipulados, vulnerabilidad también conocida como Windows SMB Remote Code Execution Vulnerability". Esta vulnerabilidad es diferente de la descrita en CVE-2017-0143, CVE-2017-0144, CVE-2017-0145 y CVE-2017-0148.

The SMBv1 server in Microsoft Windows allows remote attackers to perform remote code execution.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-09-09 CVE Reserved
2017-03-17 CVE Published
2019-10-02 First Exploit
2022-03-25 Exploited in Wild
2022-04-15 KEV Due Date
2024-07-17 EPSS Updated
2024-08-05 CVE Updated

CWE

CWE-20: Improper Input Validation

CAPEC

References (18)

URL	Tag	Source
http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html	X_refsource_misc
http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html	X_refsource_misc
http://www.securityfocus.com/bid/96707	Vdb Entry
http://www.securitytracker.com/id/1037991	Vdb Entry
https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf	X_refsource_confirm
https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf	X_refsource_confirm
https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02	X_refsource_misc
https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html
https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique
https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader
https://github.com/countercept/doublepulsar-detection-script
https://github.com/countercept/doublepulsar-c2-traffic-decryptor
https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1

URL	Date	SRC
https://www.exploit-db.com/exploits/41891	2024-08-05
https://www.exploit-db.com/exploits/47456	2019-10-02
https://www.exploit-db.com/exploits/43970	2024-08-05
https://www.exploit-db.com/exploits/41987	2024-08-05

URL	Date	SRC
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146	2018-06-21

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"	Server Message Block Search vendor "Microsoft" for product "Server Message Block"	1.0 Search vendor "Microsoft" for product "Server Message Block" and version "1.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 10 Search vendor "Microsoft" for product "Windows 10"	*	-	Safe
Microsoft Search vendor "Microsoft"	Server Message Block Search vendor "Microsoft" for product "Server Message Block"	1.0 Search vendor "Microsoft" for product "Server Message Block" and version "1.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 10 Search vendor "Microsoft" for product "Windows 10"	1511 Search vendor "Microsoft" for product "Windows 10" and version "1511"	-	Safe
Microsoft Search vendor "Microsoft"	Server Message Block Search vendor "Microsoft" for product "Server Message Block"	1.0 Search vendor "Microsoft" for product "Server Message Block" and version "1.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 10 Search vendor "Microsoft" for product "Windows 10"	1607 Search vendor "Microsoft" for product "Windows 10" and version "1607"	-	Safe
Microsoft Search vendor "Microsoft"	Server Message Block Search vendor "Microsoft" for product "Server Message Block"	1.0 Search vendor "Microsoft" for product "Server Message Block" and version "1.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 7 Search vendor "Microsoft" for product "Windows 7"	-	sp1	Safe
Microsoft Search vendor "Microsoft"	Server Message Block Search vendor "Microsoft" for product "Server Message Block"	1.0 Search vendor "Microsoft" for product "Server Message Block" and version "1.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 8.1 Search vendor "Microsoft" for product "Windows 8.1"	*	-	Safe
Microsoft Search vendor "Microsoft"	Server Message Block Search vendor "Microsoft" for product "Server Message Block"	1.0 Search vendor "Microsoft" for product "Server Message Block" and version "1.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Rt 8.1 Search vendor "Microsoft" for product "Windows Rt 8.1"	-	-	Safe
Microsoft Search vendor "Microsoft"	Server Message Block Search vendor "Microsoft" for product "Server Message Block"	1.0 Search vendor "Microsoft" for product "Server Message Block" and version "1.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Server 2008 Search vendor "Microsoft" for product "Windows Server 2008"	-	sp2	Safe
Microsoft Search vendor "Microsoft"	Server Message Block Search vendor "Microsoft" for product "Server Message Block"	1.0 Search vendor "Microsoft" for product "Server Message Block" and version "1.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Server 2008 Search vendor "Microsoft" for product "Windows Server 2008"	r2 Search vendor "Microsoft" for product "Windows Server 2008" and version "r2"	sp1	Safe
Microsoft Search vendor "Microsoft"	Server Message Block Search vendor "Microsoft" for product "Server Message Block"	1.0 Search vendor "Microsoft" for product "Server Message Block" and version "1.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Server 2012 Search vendor "Microsoft" for product "Windows Server 2012"	-	gold	Safe
Microsoft Search vendor "Microsoft"	Server Message Block Search vendor "Microsoft" for product "Server Message Block"	1.0 Search vendor "Microsoft" for product "Server Message Block" and version "1.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Server 2012 Search vendor "Microsoft" for product "Windows Server 2012"	r2 Search vendor "Microsoft" for product "Windows Server 2012" and version "r2"	-	Safe
Microsoft Search vendor "Microsoft"	Server Message Block Search vendor "Microsoft" for product "Server Message Block"	1.0 Search vendor "Microsoft" for product "Server Message Block" and version "1.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Server 2016 Search vendor "Microsoft" for product "Windows Server 2016"	-	-	Safe
Microsoft Search vendor "Microsoft"	Server Message Block Search vendor "Microsoft" for product "Server Message Block"	1.0 Search vendor "Microsoft" for product "Server Message Block" and version "1.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Vista Search vendor "Microsoft" for product "Windows Vista"	-	sp2	Safe