
[Vulnerability notice] CVE-2017-11780: Remote code execution vulnerability in Microsoft Windows SMB Server

Last Updated: Mar 12, 2018

On October 10, 2017 (Patch Tuesday), Microsoft released updates to fix multiple security vulnerabilities, including a remote code execution vulnerability in Microsoft Windows SMB Server. According to the statement on Microsoft's official website, this vulnerability, if successfully exploited, allows remote attackers to run any code on a target system. A failed attack leads to denial of service.

Note: Windows SMB Server is a software service with many vulnerabilities, which can cause severe damage if they are successfully exploited to initiate attacks. Alibaba Cloud Security strongly recommends that you pay close attention to this vulnerability, check your system, and install the latest patches as soon as possible to prevent security incidents.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-11780

Vulnerability name

Microsoft Windows SMB Server remote code execution vulnerability

Vulnerability rating

Important

Vulnerability description

This vulnerability allows attackers to run any code on a target system. A failed attack leads to denial of service, which brings security risks to business.

Condition and method of exploitation

Remote exploitation

Affected products

  • Desktop operating systems

    • Microsoft Windows 10 Version 1607 for 32-bit Systems
    • Microsoft Windows 10 Version 1607 for x64-based Systems
    • Microsoft Windows 10 for 32-bit Systems
    • Microsoft Windows 10 for x64-based Systems
    • Microsoft Windows 10 Version 1511 for 32-bit Systems
    • Microsoft Windows 10 Version 1511 for x64-based Systems
    • Microsoft Windows 10 Version 1703 for 32-bit Systems
    • Microsoft Windows 10 Version 1703 for x64-based Systems
    • Microsoft Windows 7 for 32-bit Systems SP1
    • Microsoft Windows 7 for x64-based Systems SP1
    • Microsoft Windows 8.1 for 32-bit Systems
    • Microsoft Windows 8.1 for x64-based Systems
    • Microsoft Windows RT 8.1
  • Server operating systems

    • Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
    • Microsoft Windows Server 2008 R2 for x64-based Systems SP1
    • Microsoft Windows Server 2008 for 32-bit Systems SP2
    • Microsoft Windows Server 2008 for Itanium-based Systems SP2
    • Microsoft Windows Server 2008 for x64-based Systems SP2
    • Microsoft Windows Server 2012
    • Microsoft Windows Server 2012 R2
    • Microsoft Windows Server 2016

Vulnerability detection

Development or O&M personnel should check whether the SMB Server is enabled and whether ports 445 and 139 are accessible to external users.

How to fix or mitigate

  • Disable the SMB Server or use the Internet inbound and intranet inbound security group policies to prohibit access to ports 445 and 139.

  • Install the patches released by Microsoft to fix the vulnerability. Click Check for updates in Windows Update, and then download and install patches related to your business. After installing the patches, restart the server and check the system running status.

  • Use Alibaba Cloud Security Server Guard to detect and fix this vulnerability.
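
The detection step and the first mitigation above both come down to whether inbound rules really block TCP 445 and 139. The following is an added example, not part of the original advisory or any Alibaba Cloud tooling, that audits a rule set offline. The rule format, the sample rules and the evaluation order (lower priority number first, drop wins a tie, default deny) are assumptions made for this illustration.

```python
import ipaddress

SMB_PORTS = (139, 445)

# Constructed sample rules in a hypothetical format (not a provider's API schema).
# Assumed semantics: lower "priority" number is evaluated first, "drop" beats
# "accept" at equal priority, and traffic that matches no rule is denied.
SAMPLE_RULES = [
    # Broad allow-all rule that is still in place on the Internet NIC.
    {"nic": "internet", "proto": "tcp", "ports": "1/65535",
     "source": "0.0.0.0/0", "policy": "accept", "priority": 10},
    # Someone blocked 445 only; 139 is still covered by the rule above.
    {"nic": "internet", "proto": "tcp", "ports": "445/445",
     "source": "0.0.0.0/0", "policy": "drop", "priority": 1},
    # Intranet: conflicting rules at the same priority.
    {"nic": "intranet", "proto": "tcp", "ports": "445/445",
     "source": "10.0.0.0/8", "policy": "accept", "priority": 1},
    {"nic": "intranet", "proto": "tcp", "ports": "139/445",
     "source": "10.0.0.0/8", "policy": "drop", "priority": 1},
]

def _matches(rule, nic, port, src):
    """True if the rule applies to this NIC, TCP port and source address."""
    lo, hi = (int(p) for p in rule["ports"].split("/"))
    return (rule["nic"] == nic
            and rule["proto"] in ("tcp", "all")
            and lo <= port <= hi
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule["source"]))

def is_reachable(rules, nic, port, src):
    """Decide whether src may connect to port under the assumed semantics."""
    hits = [r for r in rules if _matches(r, nic, port, src)]
    if not hits:
        return False  # default deny
    # Lowest priority number first; at equal priority, drop sorts before accept.
    hits.sort(key=lambda r: (r["priority"], r["policy"] != "drop"))
    return hits[0]["policy"] == "accept"

def exposed_smb_ports(rules, nic, src):
    """Return the SMB/NetBIOS ports (139, 445) that src can still reach."""
    return [p for p in SMB_PORTS if is_reachable(rules, nic, p, src)]

if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for an external client.
    for nic, src in (("internet", "203.0.113.7"), ("intranet", "10.1.2.3")):
        print(nic, src, "exposed:", exposed_smb_ports(SAMPLE_RULES, nic, src))
```

With the sample rules, port 139 remains reachable from the Internet because only 445 was explicitly dropped, which is why the advisory names both ports.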

Reference

[1]. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11780
[2]. https://www.symantec.com/security_response/vulnerability.jsp?bid=101110&om_rssid=sr-advisories
[3]. http://www.securityfocus.com/bid/101110/info
