CVE-2017-0146
Published: 17 March 2017
Summary
CVE-2017-0146 is a high-severity vulnerability (weakness type unspecified) affecting Siemens Acuson P300 Firmware. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).
Deeper analysis
The vulnerability is a remote code execution flaw in the SMBv1 server implementation across multiple Microsoft Windows versions, including Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold/1511/1607, and Windows Server 2016. It is triggered by specially crafted packets sent to the server and is distinct from the related issues tracked as CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148. The flaw received a CVSS 3.1 base score of 8.8.
Remote attackers with network access can leverage the vulnerability to execute arbitrary code on affected systems without requiring user interaction or elevated privileges beyond a valid SMB session. Successful exploitation grants full control over the target, enabling actions such as installing malware, exfiltrating data, or pivoting within a network.
Public references associate the issue with DOUBLEPULSAR payload execution and neutralization techniques, along with Siemens product security advisory SSA-701903 that addresses affected industrial systems. Additional tracking appears in SecurityFocus BID 96707 and SecurityTracker ID 1037991.
The listed exploit references indicate active interest in weaponization of the flaw shortly after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-0513
Vulnerability details
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.
- CWE(s): not specified
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- CM-7 (Least Functionality): directly mitigates the CVE by disabling the SMBv1 service (an unnecessary protocol) so crafted packets cannot reach the vulnerable server implementation.
- SC-7 (Boundary Protection): blocks inbound SMB traffic at network boundaries, preventing remote attackers from sending the crafted packets that trigger RCE in SMBv1.
- Patch management: requires prompt installation of vendor patches that eliminate the SMBv1 remote code execution flaw before exploitation can occur.
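As an added example (not part of this record or of any vendor tooling), the following PowerShell script applies and verifies the two controls above on a Windows host: it reports whether the SMBv1 server is enabled, disables it, and adds an inbound block rule for TCP 445. It assumes an elevated session on Windows 8.1/Server 2012 R2 or later, where the SmbShare, DISM and NetSecurity cmdlets used here are available; the rule name and firewall profile are assumptions to adapt to local policy.

```powershell
# Added example: apply CM-7 and SC-7 mitigations for CVE-2017-0146.
# Assumes an elevated session on Windows 8.1 / Server 2012 R2 or later.
#Requires -RunAsAdministrator

function Get-Smb1State {
    # Returns $true if the SMBv1 server protocol is currently enabled.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Disable-Smb1Server {
    # CM-7 (Least Functionality): turn off the SMBv1 server so crafted packets
    # never reach the vulnerable implementation.
    if (Get-Smb1State) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Also remove the optional feature where the OS exposes it (Windows 8.1/10/2016+).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-InboundSmb {
    # SC-7 (Boundary Protection): drop unsolicited inbound SMB on the Public profile.
    # Rule name and -Profile are assumptions; narrow further with -RemoteAddress if needed.
    $name = 'Block inbound SMB (CVE-2017-0146)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
    return $name
}

# Apply both controls and emit a before/after record suitable for a compliance log.
$before   = Get-Smb1State
Disable-Smb1Server
$ruleName = Block-InboundSmb
[pscustomobject]@{
    Smb1EnabledBefore = $before
    Smb1EnabledAfter  = Get-Smb1State
    InboundSmbBlocked = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
}
```

A reboot may be required before the optional-feature removal takes full effect; the Set-SmbServerConfiguration change applies immediately.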