CVE-2017-0148
Published: 17 March 2017
Summary
CVE-2017-0148 is a high-severity Improper Input Validation (CWE-20) vulnerability in Siemens Acuson P300 Firmware. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is an input validation flaw (CWE-20) in the SMBv1 server implementation on Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold/1511/1607, and Windows Server 2016. It permits remote code execution when the server processes specially crafted packets, and it is distinct from the related issues tracked as CVE-2017-0143 through CVE-2017-0146. The flaw received a CVSS v3.1 base score of 8.1, reflecting a network attack vector, high attack complexity, and full impact on confidentiality, integrity, and availability.
Remote unauthenticated attackers can exploit the weakness over the network by sending malicious SMBv1 packets, achieving arbitrary code execution on the target system without requiring user interaction or credentials. Successful exploitation grants the attacker the ability to run code in the context of the SMB server process, potentially leading to full system compromise.
Public references primarily discuss DOUBLEPULSAR payload handling and related SMB remote code execution artifacts rather than official vendor mitigation steps. No explicit patch or configuration guidance is detailed in the provided sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-0515
Vulnerability details
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.
- CWE(s): CWE-20 (Improper Input Validation)
- KEV Date Added: 06 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly enforces validation of SMBv1 packet contents before processing, blocking the crafted input that triggers the RCE flaw.
- CM-7 (Least Functionality): Requires disabling SMBv1 (or any non-essential service) so the vulnerable server component is never exposed to network packets.
- Boundary protection: Boundary devices can block or restrict inbound SMB traffic, preventing unauthenticated remote attackers from reaching the flawed SMBv1 implementation.
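As an added example that is not part of this record, the following PowerShell script audits a Windows host for the CM-7 and boundary controls above (SMBv1 enabled or installed, inbound TCP/445 not blocked) and applies them when run with a -Remediate switch. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later where the SmbShare, DISM and NetSecurity modules are available; the -Remediate switch and the firewall rule name are this example's own constructions.

```powershell
# Added example, not from the CVE record: audit and apply the CM-7 (disable SMBv1)
# and boundary (block inbound SMB) controls described above. Run elevated.
# Assumes the SmbShare, DISM and NetSecurity PowerShell modules are present.
param(
    [switch]$Remediate   # audit only unless -Remediate is given (constructed switch)
)

$findings = @()

# 1. Is the SMB server still willing to speak SMBv1?
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol) {
    $findings += "SMB server still accepts SMBv1 (EnableSMB1Protocol = True)"
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# 2. Is the SMBv1 component installed at all? (CM-7: remove non-essential functionality)
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings += "SMB1Protocol optional feature is installed"
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 3. Is inbound TCP/445 blocked on the Public profile? (boundary control)
$ruleName = 'Block inbound SMB (TCP 445) - Public'   # constructed rule name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings += "No firewall rule blocking inbound TCP/445 on the Public profile"
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: SMBv1 disabled and inbound SMB blocked on the Public profile"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if (-not $Remediate) { Write-Output "Re-run with -Remediate to apply the controls" }
}
```

Disabling the SMB1Protocol feature takes effect after a reboot, so a finding on check 2 can persist until the host restarts.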