Critical Flaw in SMB1 could allow remote code execution on Active Directory Domain Controllers (MS17-010, KB4013389)


Today, for its March 2017 Patch Tuesday, Microsoft released a security update for supported versions of Windows Server offering File Sharing services using the Server Message Block (SMB) version 1.0 protocol.

The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests.


About the vulnerabilities

The vulnerabilities that are fixed with this security update are:

Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.

To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

Affected Operating Systems

All currently supported Windows versions and Windows Server versions are affected.
Both Full installations and Server Core installations are affected.

Note:
Windows Server 2003 is also affected, but it is no longer supported, so the SMBv1 vulnerabilities above remain unpatched in that version of Windows Server.


About the update

The security update addresses the vulnerabilities by correcting how SMBv1 handles these specially crafted requests.

To apply the update, install the following update per Windows and/or Windows Server version:

Windows Vista with Service Pack 2 x86 KB4012598
Windows Vista with Service Pack 2 x64 KB4012598
Windows Server 2008 with Service Pack 2 x86 KB4012598
Windows Server 2008 with Service Pack 2 x64 KB4012598
Windows 7 with Service Pack 1 x86 KB4012212 or KB4012215
Windows 7 with Service Pack 1 x64 KB4012212 or KB4012215
Windows Server 2008 R2 with Service Pack 1 KB4012212 or KB4012215
Windows 8.1 x86 KB4012213 or KB4012216
Windows 8.1 x64 KB4012213 or KB4012216
Windows Server 2012 KB4012214 or KB4012217
Windows Server 2012 R2 KB4012213 or KB4012216
Windows 10 x86 KB4012606
Windows 10 x64 KB4012606
Windows 10 version 1511 x86 KB4013198
Windows 10 version 1511 x64 KB4013198
Windows 10 version 1607 x86 KB4013429
Windows 10 version 1607 x64 KB4013429
Windows Server 2016 KB4013429


Call to action

I urge you to install the necessary security updates on Windows Server installations running as Active Directory Domain Controllers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out the update to the Windows Server installations running as Active Directory Domain Controllers in production.

Disabling SMBv1 on these systems is the recommended action in the longer run.
Microsoft KnowledgeBase Article 2696547 describes how to disable SMB v1 on supported Windows and Windows Server versions. An audit-only mode is also available to assess the impact before disabling SMBv1.
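The following PowerShell script is an added example, not code from the original post or from Microsoft, covering both the per-version update list above and the disable/audit advice from KB 2696547. It checks whether one of the listed KB numbers is installed for the local OS version, reports whether the SMBv1 server is still enabled, and can optionally turn on SMB1 access auditing or apply the KB 2696547 registry change. Assumptions that are mine and not from the post: the mapping of Windows 10 releases 1507/1511/1607 to build numbers 10240/10586/14393, the use of Get-SmbServerConfiguration where it exists (Windows 8 / Server 2012 and later) with a registry fallback on older hosts, and the script name Check-Ms17010.ps1 used in the usage note.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original post): MS17-010 patch and SMBv1 exposure check for one host.
param(
    [switch]$EnableAudit,   # turn on SMB1 access auditing (audit-only mode, Windows 10 1607 / Server 2016 and later)
    [switch]$DisableSmb1    # apply the KB 2696547 registry change for the SMB server side (reboot required)
)

# KB numbers transcribed from the post, keyed by OS version. Either KB on a line satisfies the check.
# Build numbers for the Windows 10 releases are this example's assumption, not part of the post.
$Ms17010Kb = @{
    '6.0'        = @('KB4012598')                # Windows Vista SP2 / Windows Server 2008 SP2
    '6.1'        = @('KB4012212', 'KB4012215')   # Windows 7 SP1 / Windows Server 2008 R2 SP1
    '6.2'        = @('KB4012214', 'KB4012217')   # Windows Server 2012
    '6.3'        = @('KB4012213', 'KB4012216')   # Windows 8.1 / Windows Server 2012 R2
    '10.0.10240' = @('KB4012606')                # Windows 10 (1507)
    '10.0.10586' = @('KB4013198')                # Windows 10 version 1511
    '10.0.14393' = @('KB4013429')                # Windows 10 version 1607 / Windows Server 2016
}

function Get-Ms17010PatchState {
    # Win32_QuickFixEngineering (Get-HotFix) lists installed updates by their KB id.
    $os  = Get-CimInstance Win32_OperatingSystem
    $ver = [version]$os.Version
    $key = if ($ver.Major -ge 10) { '{0}.{1}.{2}' -f $ver.Major, $ver.Minor, $ver.Build }
           else                   { '{0}.{1}'     -f $ver.Major, $ver.Minor }
    $kbs = $Ms17010Kb[$key]
    if (-not $kbs) {
        return [pscustomobject]@{ OsVersion = $os.Version; ExpectedKb = '(not in list)'; Installed = $null }
    }
    $found = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
    [pscustomobject]@{
        OsVersion  = $os.Version
        ExpectedKb = ($kbs -join ' or ')
        Installed  = [bool]$found
    }
}

function Get-Smb1State {
    # Newer hosts expose the setting through the SmbShare module; older ones only through the
    # LanmanServer registry value that KB 2696547 describes (absent or 1 = enabled, 0 = disabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        return [pscustomobject]@{ Smb1Enabled = [bool]$cfg.EnableSMB1Protocol; Source = 'Get-SmbServerConfiguration' }
    }
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg  = Get-ItemProperty -Path $path -Name SMB1 -ErrorAction SilentlyContinue
    $enabled = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    [pscustomobject]@{ Smb1Enabled = $enabled; Source = "$path\SMB1" }
}

function Enable-Smb1Audit {
    # Audit-only mode: every SMB1 session is logged as Event ID 3000 in Microsoft-Windows-SMBServer/Audit
    # without being blocked, so the impact of disabling the protocol can be assessed first.
    $cmd = Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue
    if (-not $cmd -or -not $cmd.Parameters.ContainsKey('AuditSmb1Access')) {
        Write-Warning 'SMB1 access auditing is not available on this Windows version.'
        return
    }
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Write-Host 'SMB1 auditing enabled; review Microsoft-Windows-SMBServer/Audit for Event ID 3000 before disabling.'
}

function Disable-Smb1Server {
    # Registry method from KB 2696547 for the SMB server side; takes effect after a reboot.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $path -Name SMB1 -Type DWord -Value 0 -Force
    Write-Host 'SMBv1 server disabled in the registry; a reboot is required for the change to take effect.'
}

$patch = Get-Ms17010PatchState
$smb1  = Get-Smb1State
Write-Host ('OS {0}: expected update {1}, installed: {2}' -f $patch.OsVersion, $patch.ExpectedKb, $patch.Installed)
Write-Host ('SMBv1 server enabled: {0} (checked via {1})' -f $smb1.Smb1Enabled, $smb1.Source)

if ($EnableAudit) { Enable-Smb1Audit }
if ($DisableSmb1 -and $smb1.Smb1Enabled) { Disable-Smb1Server }
```

Run it elevated on a test Domain Controller first: `.\Check-Ms17010.ps1 -EnableAudit` to start logging SMB1 clients, then, once the audit log shows nothing that still depends on the protocol, `.\Check-Ms17010.ps1 -DisableSmb1`. Two caveats: Get-HotFix only reports the exact KB ids listed, so on a host that received a later cumulative update containing the fix the report can say "installed: False" without the host being exposed; and a scanner that keys on the SMBv1 server being enabled rather than on the fix will keep raising the finding until the protocol is disabled, which is exactly the longer-run step the post recommends.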

One Response to Critical Flaw in SMB1 could allow remote code execution on Active Directory Domain Controllers (MS17-010, KB4013389)

  1.  

    Hi,

    Thanks for the post.

    My vulnerability scanner (AlienVault) is reporting that this vulnerability still exists after installing the Microsoft update.

    Does the patch truly close the vulnerability or is it necessary to completely disable it using the reg key method detailed in article 2696547?

    Thanks

