On October 10, 2017 (Patch Tuesday), Microsoft released updates that fix multiple security vulnerabilities, including a remote code execution vulnerability in Microsoft Windows SMB Server. According to Microsoft's advisory, an attacker who successfully exploits this vulnerability can run arbitrary code on the target system; a failed exploitation attempt results in a denial of service.
Note: Windows SMB Server is a service with a history of vulnerabilities, and a successful attack against it can cause severe damage. Alibaba Cloud Security strongly recommends that you pay close attention to this vulnerability, check your systems, and install the latest patches as soon as possible to prevent security incidents.
See the following for more information about the vulnerability.
CVE identifier
CVE-2017-11780
Vulnerability name
Microsoft Windows SMB Server remote code execution vulnerability
Vulnerability rating
Important
Vulnerability description
This vulnerability allows a remote attacker to run arbitrary code on the target system. A failed exploitation attempt causes a denial of service, which is itself a risk to business operations.
Condition and method of exploitation
Remote exploitation
Affected products
Desktop operating systems
- Microsoft Windows 10 Version 1607 for 32-bit Systems
- Microsoft Windows 10 Version 1607 for x64-based Systems
- Microsoft Windows 10 for 32-bit Systems
- Microsoft Windows 10 for x64-based Systems
- Microsoft Windows 10 Version 1511 for 32-bit Systems
- Microsoft Windows 10 Version 1511 for x64-based Systems
- Microsoft Windows 10 Version 1703 for 32-bit Systems
- Microsoft Windows 10 Version 1703 for x64-based Systems
- Microsoft Windows 7 for 32-bit Systems SP1
- Microsoft Windows 7 for x64-based Systems SP1
- Microsoft Windows 8.1 for 32-bit Systems
- Microsoft Windows 8.1 for x64-based Systems
- Microsoft Windows RT 8.1
Server operating systems
- Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
- Microsoft Windows Server 2008 R2 for x64-based Systems SP1
- Microsoft Windows Server 2008 for 32-bit Systems SP2
- Microsoft Windows Server 2008 for Itanium-based Systems SP2
- Microsoft Windows Server 2008 for x64-based Systems SP2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
Vulnerability detection
Development or O&M personnel should check whether the SMB Server service is running and whether TCP ports 445 and 139 are reachable by external users (from the Internet or from other hosts on the intranet).
How to fix or mitigate
Disable the SMB Server, or use Internet inbound and intranet inbound security group policies to block access to ports 445 and 139.
Install the patches released by Microsoft for this vulnerability: click Check for updates in Windows Update, then download and install the patches that apply to your systems. After installing the patches, restart the server and confirm that the system and your services are running normally.
Use Alibaba Cloud Security Server Guard to detect and fix this vulnerability.
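The following script is an added example, not part of the original advisory or of any Alibaba Cloud tool. It performs the detection step described above (SMB Server running, ports 445/139 listening) and applies the host-firewall equivalent of the port-blocking mitigation. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the SmbShare and NetSecurity modules exist; the KB number passed to -PatchKB is taken from the MSRC advisory, as the page does not list it.

```powershell
# Added example (not from the original advisory). Requires an elevated session on
# Windows 8 / Server 2012 or later. On Windows 7 / Server 2008 use
# "sc query lanmanserver", "netstat -an" and "netsh advfirewall" instead.

function Get-SmbExposure {
    param([string]$PatchKB)   # optional: KB id of the fix, from the MSRC advisory
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $running = ($null -ne $svc -and $svc.Status -eq 'Running')
    # Listening sockets on 445/139 are reachable unless a host firewall or a
    # cloud security group blocks them, so report them for review.
    $ports = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 445, 139 } |
        Select-Object -ExpandProperty LocalPort -Unique)
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $patched = $null
    if ($PatchKB) {
        $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ServerRunning  = $running
        ListeningPorts = $ports
        Smb1Enabled    = $cfg.EnableSMB1Protocol
        Smb2Enabled    = $cfg.EnableSMB2Protocol
        PatchInstalled = $patched
        # Exposed: SMB is up and listening and the patch is not confirmed present
        Exposed        = ($running -and $ports.Count -gt 0 -and -not $patched)
    }
}

function Block-SmbInbound {
    # Host-firewall counterpart of the advisory's security-group rule: drop
    # inbound TCP 445/139 on every profile. Keep the security group rule too;
    # the host firewall is only one layer. Rule name is an assumption.
    $name = 'Block inbound SMB (CVE-2017-11780)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445, 139 -Action Block -Profile Any | Out-Null
    }
    # Stopping LanmanServer entirely (the advisory's "disable the SMB Server")
    # also stops file and printer sharing on the host:
    #   Stop-Service LanmanServer; Set-Service LanmanServer -StartupType Disabled
}

# Usage:  $state = Get-SmbExposure -PatchKB '<KB id from the MSRC advisory>'
#         if ($state.Exposed) { Block-SmbInbound }
```

Review the ListeningPorts and Exposed fields across your fleet before blocking, since domain file servers legitimately listen on 445 and need the patch rather than the port block.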
References
[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11780
[2] https://www.symantec.com/security_response/vulnerability.jsp?bid=101110&om_rssid=sr-advisories
[3] http://www.securityfocus.com/bid/101110/info