Microsoft Windows SMBv1 Multiple Vulnerabilities

Critical Nessus Plugin ID 100464

Synopsis

The remote Windows host is affected by multiple vulnerabilities.

Description

The remote Windows host has Microsoft Server Message Block 1.0 (SMBv1) enabled. It is, therefore, affected by multiple vulnerabilities :

- Multiple information disclosure vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of SMBv1 packets. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted SMBv1 packet, to disclose sensitive information. (CVE-2017-0267, CVE-2017-0268, CVE-2017-0270, CVE-2017-0271, CVE-2017-0274, CVE-2017-0275, CVE-2017-0276)

- Multiple denial of service vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted SMB request, to cause the system to stop responding. (CVE-2017-0269, CVE-2017-0273, CVE-2017-0280)

- Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of SMBv1 packets. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted SMBv1 packet, to execute arbitrary code. (CVE-2017-0272, CVE-2017-0277, CVE-2017-0278, CVE-2017-0279)

On later Windows versions (i.e., Windows 8.1, 10, 2012, 2012 R2, and 2016), this plugin cannot always correctly determine whether the host is vulnerable. The result depends on the host's security policy configuration, specifically on the setting that allows named pipes and shares to be accessed remotely and anonymously. Tenable does not recommend this configuration, and the hosts should be checked locally for patches with one of the following plugins, depending on the Windows version : 100054, 100055, 100057, 100059, 100060, or 100061.

Solution

Apply the applicable security update for your Windows version :

- Windows Server 2008 : KB4018466
- Windows 7 : KB4019264
- Windows Server 2008 R2 : KB4019264
- Windows Server 2012 : KB4019216
- Windows 8.1 / RT 8.1 : KB4019215
- Windows Server 2012 R2 : KB4019215
- Windows 10 : KB4019474
- Windows 10 Version 1511 : KB4019473
- Windows 10 Version 1607 : KB4019472
- Windows 10 Version 1703 : KB4016871
- Windows Server 2016 : KB4019472

See Also

http://www.nessus.org/u?c21268d4

http://www.nessus.org/u?b9253982

http://www.nessus.org/u?23802c83

http://www.nessus.org/u?8313bb60

http://www.nessus.org/u?7677c678

http://www.nessus.org/u?36da236c

http://www.nessus.org/u?0981b934

http://www.nessus.org/u?c88efefa

http://www.nessus.org/u?695bf5cc

http://www.nessus.org/u?459a1e8c

http://www.nessus.org/u?ea45bbc5

http://www.nessus.org/u?4195776a

http://www.nessus.org/u?fbf092cf

http://www.nessus.org/u?8c0cc566

Plugin Details

Severity: Critical

ID: 100464

File Name: ms17_may_smbv1.nasl

Version: 1.3

Type: remote

Agent: windows

Family: Windows

Published: 2017/05/26

Updated: 2018/07/16

Dependencies: 11936, 96982

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:microsoft:windows

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2017/05/09

Vulnerability Publication Date: 2017/05/09

Reference Information

CVE: CVE-2017-0267, CVE-2017-0268, CVE-2017-0269, CVE-2017-0270, CVE-2017-0271, CVE-2017-0272, CVE-2017-0273, CVE-2017-0274, CVE-2017-0275, CVE-2017-0276, CVE-2017-0277, CVE-2017-0278, CVE-2017-0279, CVE-2017-0280

BID: 98259, 98260, 98261, 98263, 98264, 98265, 98266, 98267, 98268, 98270, 98271, 98272, 98273, 98274