Today, for its March 2017 Patch Tuesday, Microsoft released a security update for supported versions of Windows Server offering File Sharing services using the Server Message Block (SMB) version 1.0 protocol.
The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests.
About the vulnerabilities
The vulnerabilities that are fixed with this security update are:
- Windows SMB Remote Code Execution Vulnerability – CVE-2017-0143
- Windows SMB Remote Code Execution Vulnerability – CVE-2017-0144
- Windows SMB Remote Code Execution Vulnerability – CVE-2017-0145
- Windows SMB Remote Code Execution Vulnerability – CVE-2017-0146
- Windows SMB Information Disclosure Vulnerability – CVE-2017-0147
- Windows SMB Remote Code Execution Vulnerability – CVE-2017-0148
Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.
To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
Affected Operating Systems
All currently supported Windows versions and Windows Server versions are affected.
Both Full installations and Server Core installations are affected.
Windows Server 2003 is also affected, but it is no longer supported, so the SMBv1 vulnerabilities listed above remain unpatched in that version of Windows Server.
About the update
The security update addresses the vulnerabilities by correcting how SMBv1 handles these specially crafted requests.
To apply the update, install the following update per Windows and/or Windows Server version:
|Windows / Windows Server version|Security update|
|---|---|
|Windows Vista with Service Pack 2 x86|KB4012598|
|Windows Vista with Service Pack 2 x64|KB4012598|
|Windows Server 2008 with Service Pack 2 x86|KB4012598|
|Windows Server 2008 with Service Pack 2 x64|KB4012598|
|Windows 7 with Service Pack 1 x86|KB4012212 or KB4012215|
|Windows 7 with Service Pack 1 x64|KB4012212 or KB4012215|
|Windows Server 2008 R2 with Service Pack 1|KB4012212 or KB4012215|
|Windows 8.1 x86|KB4012213 or KB4012216|
|Windows 8.1 x64|KB4012213 or KB4012216|
|Windows Server 2012|KB4012214 or KB4012217|
|Windows Server 2012 R2|KB4012213 or KB4012216|
|Windows 10 x86|KB4012606|
|Windows 10 x64|KB4012606|
|Windows 10 version 1511 x86|KB4013198|
|Windows 10 version 1511 x64|KB4013198|
|Windows 10 version 1607 x86|KB4013429|
|Windows 10 version 1607 x64|KB4013429|
|Windows Server 2016|KB4013429|
Call to action
I urge you to install the necessary security updates on Windows Server installations running as Active Directory Domain Controllers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to the Windows Server installations running as Active Directory Domain Controllers in the production environment.
For the longer run, disabling SMBv1 on these systems is the recommended action.
Microsoft KnowledgeBase Article 2696547 describes how to disable SMBv1 on supported Windows and Windows Server versions. An auditing-only mode is also available to assess the impact of disabling SMBv1 before actually switching it off.
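The following PowerShell is an added example, not code from the original post or from Microsoft's article; it shows the sequence a Domain Controller administrator would run after applying the update from the table above: confirm the update is installed, turn on SMBv1 auditing to find remaining legacy clients, and only then disable the protocol as KB2696547 describes. It assumes a Windows Server 2012 R2 or 2016 host whose SmbShare module exposes the `AuditSmb1Access` parameter; the `$ExpectedKb` value is a placeholder to be taken from the table for the version in question, and the registry fallback at the end is the KB2696547 method for the older versions that lack `Set-SmbServerConfiguration`.

```powershell
# Added example (not from the original post or from KB2696547 itself).
# Run in an elevated PowerShell session on the server being assessed.

# Placeholder: pick the KB from the table above for this server's version.
$ExpectedKb = 'KB4012213'   # e.g. Windows Server 2012 R2

# 1. Confirm the March 2017 security update is actually installed before
#    trusting a scanner result in either direction.
$hotfix = Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue
if (-not $hotfix) {
    Write-Warning "$ExpectedKb is not installed on $env:COMPUTERNAME."
} else {
    Write-Output "$ExpectedKb installed on $($hotfix.InstalledOn)"
}

if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # 2. Report the current SMBv1 server state.
    $cfg = Get-SmbServerConfiguration
    Write-Output "SMB1 enabled: $($cfg.EnableSMB1Protocol)"

    # 3. Auditing-only mode: log which clients still negotiate SMBv1 without
    #    blocking them, so legacy systems can be found and remediated first.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force

    # Review the audit channel after a representative period. Each event 3000
    # names a client that connected using SMBv1.
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
        Where-Object Id -eq 3000 |
        Select-Object TimeCreated, Message -First 20

    # 4. Once no legitimate SMBv1 clients remain, disable the protocol.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # On Windows Server 2016 the SMB1 component can be removed entirely:
    # Remove-WindowsFeature FS-SMB1
} else {
    # Windows Server 2008 / 2008 R2 (and Vista / 7) have no SmbShare module;
    # KB2696547 disables the SMBv1 server via the LanmanServer registry key.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $params -Name SMB1 -Type DWORD -Value 0 -Force
    Write-Output 'SMB1 registry value set to 0; a restart is required to apply it.'
}
```

A scanner that still flags the host after the update is usually detecting that SMBv1 is enabled, not that the specific vulnerability is unpatched; checking the installed hotfix and the `EnableSMB1Protocol` state separately, as above, tells the two conditions apart. On Domain Controllers, run the audit step long enough to cover all scheduled jobs and legacy clients before disabling the protocol, since the change affects every SMB share the server offers.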
Thanks for the post.
My vulnerability scanner (AlienVault) is reporting that this vulnerability still exists after installing the Microsoft update.
Does the patch truly close the vulnerability or is it necessary to completely disable it using the reg key method detailed in article 2696547?