Microsoft Windows SMB2 Remote Code Execution Vulnerability on Windows 2012 R2


#1

I scan all my systems on Windows 2012 R2 and 2016, and I have this vulnerability discovered.
I don’t understand because they have all been patched for a long time.
I’ve tried the nmap exploit: smb-vuln-ms17-010.nse and all seems to be OK, the same using a PowerShell script: Verify_MS17-010.PS1

The VT is:

Summary

Microsoft Windows is prone to a remote code-execution vulnerability when processing the protocol headers for the Server Message Block (SMB) Negotiate Protocol Request. NOTE: Reportedly, for this issue to be exploitable, file sharing must be enabled.

Detection Result

Vulnerability was detected according to the Detection Method.

Detection Method

Opens a TCP socket to send a crafted request and checks if the host responds to a second request after a few seconds.

Details: [Microsoft Windows SMB2 ‘_Smb2ValidateProviderCallback()’ Remote Code E… OID: 1.3.6.1.4.1.25623.1.0.100283]
Version used: 2019-01-22T10:51:16+01:00

Affected Software/OS

Windows 7 RC, Vista and 2008 Server are vulnerable, other versions may also be affected. NOTE: Reportedly, Windows XP and 2000 are not affected. UPDATE (September 9, 2009): Symantec has confirmed the issue on Windows Vista SP1 and Windows Server 2008.

Impact

An attacker can exploit this issue to execute code with SYSTEM-level privileges. Failed exploit attempts will likely cause denial-of-service conditions.

Solution

Solution Type:

Vendorfix

Microsoft has released updates to fix the issue. Please see the references for more information.

References

Can you help me, is it a false positive?

Thanks


#2

Something similar, when using scan configurations which are doing active denial of service attacks, has been discussed most recently in the following two topics:


#3

Hi,

Thank you for your answer. I don’t use Ultimate scans from inside the company anymore, and have no more alerts.

Regards