MS17-010

Vulnerability updated 5 months ago (2024-05-04T20:18:27.869Z)
MS17-010, also known as EternalBlue, EternalSynergy, or EternalRomance, is a significant remote code execution vulnerability in Microsoft's Server Message Block 1.0 (SMBv1) protocol. This flaw in software design and implementation was exploited by various malware strains, most notably the WannaCry ransomware, which propagated itself by exploiting this specific vulnerability. The exploit allowed malicious actors to execute arbitrary code on the target system, thereby gaining control over it. The systems particularly susceptible to MS17-010 included Windows XP with Service Pack 2 and 3, Windows 7 64-bit with Service Pack 1, and Windows Server 2008 with Service Pack 1.

Microsoft released security bulletin MS17-010 on March 14, 2017, introducing a patch to address the EternalBlue exploit. However, despite the availability of the patch, numerous systems worldwide remained unpatched and vulnerable, leading to widespread infections.

The WannaCry ransomware, for example, used this vulnerability as its primary method of propagation. Once inside a network, the worm-like ransomware would attempt to connect to other hosts via port 445, and if successful, exploit the MS17-010 vulnerability to infect those systems as well. In testing scenarios, if a host was found to be vulnerable to MS17-010, the worm would wait for three seconds and then check if it was already infected with DOUBLEPULSAR, another exploit developed by the Shadow Brokers group. For the worm to replicate itself, it required an active DOUBLEPULSAR backdoor to be installed on the host. The presence of such sophisticated exploits underscores the importance of timely system updates and patches to mitigate the risk of such vulnerabilities.
Description last updated: 2024-05-04T19:43:59.298Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
EternalBlue is a possible alias for MS17-010. EternalBlue is a software vulnerability that exists due to a flaw in the design or implementation of the Windows Server Message Block (SMB). This vulnerability, officially known as CVE-2017-0144, was made public after the Shadow Brokers group leaked an exploit developed by the U.S. National Security | 5
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows
Exploit
Vulnerability
Worm
Remote Code ...
Exploits
Ransomware
Associated Malware
Alias Description | Association Type | Votes
The WannaCry Malware is associated with MS17-010. WannaCry, a potent malware, emerged as one of the most destructive cyberattacks in recent history when it struck in May 2017. Leveraging Windows SMBv1 Remote Code Execution vulnerabilities (CVE-2017-0144, CVE-2017-0145, and CVE-2017-0143), WannaCry rapidly spread across systems worldwide, encrypting | Unspecified | 4
Source Document References
Information about the MS17-010 Vulnerability was read from the documents corpus below.