TP-EXP-2017-0002 CVE-2017-0144 critical Patched Under Review

EternalBlue — SMBv1 Remote Code Execution (CVE-2017-0144)

Severity Assessment

  • Exploitability: 10/10 — Unauthenticated remote exploitation over SMB (TCP 445), no user interaction required
  • Impact: 10/10 — Kernel-level code execution allows complete system compromise
  • Weaponization Risk: 10/10 — Public exploit code widely available; used in WannaCry, NotPetya, and multiple other campaigns
  • Patch Urgency: 10/10 — Patch available since March 2017; unpatched systems remain at critical risk
  • Detection Coverage: 7/10 — Network signatures available for EternalBlue exploitation attempts

Executive Summary

CVE-2017-0144 is a remote code execution vulnerability in Microsoft’s implementation of the Server Message Block version 1 (SMBv1) protocol. The vulnerability exists in the way the Windows SMB server handles certain transaction requests, allowing an unauthenticated attacker to send specially crafted packets to an SMBv1 server on TCP port 445 to achieve arbitrary code execution at the kernel level. The exploit targeting this vulnerability is known as EternalBlue.

EternalBlue was developed by the U.S. National Security Agency’s Tailored Access Operations (TAO) unit, also known as the Equation Group, and was part of the NSA’s offensive cyber toolkit for an indeterminate period before its public disclosure. On 14 April 2017, the Shadow Brokers hacking group publicly released EternalBlue as part of a larger dump of NSA tools. Microsoft had released a patch for the vulnerability one month earlier as part of security bulletin MS17-010 on 14 March 2017, suggesting the NSA may have notified Microsoft of the vulnerability prior to the Shadow Brokers leak.

The vulnerability affected all versions of Windows from XP through Server 2008 R2 that had not applied MS17-010. Following the Shadow Brokers release, EternalBlue was rapidly weaponized by multiple threat actors. It served as the primary propagation mechanism in both the WannaCry ransomware outbreak (May 2017) and the NotPetya wiper attack (June 2017), collectively causing an estimated $14-18 billion in global damages.

Exploit Chain

Stage 1: SMB Connection Establishment

The attacker establishes an SMB session with the target system on TCP port 445. No authentication is required — the vulnerability exists in the SMB negotiation and transaction handling code that executes before any authentication takes place.

Stage 2: Heap Grooming

The exploit sends a series of SMB transaction requests designed to arrange the Windows kernel heap in a predictable state. This heap grooming phase allocates and frees specific buffer sizes to create a contiguous layout of SMB buffer objects in the non-paged pool.

Stage 3: Buffer Overflow Trigger

A specially crafted SMB_COM_TRANSACTION2 request is sent with a malformed FEALIST field. The srv.sys driver miscalculates the required buffer size for the transaction, resulting in a heap-based buffer overflow. The overflow corrupts adjacent pool allocations, overwriting SRVNET buffer structures.

Stage 4: Kernel Code Execution

The corrupted SRVNET buffer structure contains a function pointer that is subsequently invoked by the SMB server. By controlling the overflow data, the attacker redirects execution to shellcode placed in the overflowed buffer region. This shellcode executes in kernel mode (Ring 0) with SYSTEM privileges.

Stage 5: Payload Deployment

The kernel shellcode typically installs the DoublePulsar backdoor — another NSA-developed implant that was leaked alongside EternalBlue. DoublePulsar provides a userland payload injection capability, allowing the attacker to inject arbitrary DLLs into running processes. In the WannaCry and NotPetya campaigns, this mechanism was used to inject the worm/ransomware payloads.

Detection Guidance

Network-based detection can identify EternalBlue exploitation attempts by monitoring for anomalous SMB traffic patterns. Specific indicators include:

  • SMB_COM_TRANSACTION2 requests with oversized FEALIST parameters
  • Multiple SMB transaction requests in rapid succession to a single host (characteristic of heap grooming)
  • SMB sessions that establish and immediately begin sending transaction requests without prior authentication
  • Unexpected SMB traffic between systems that do not normally communicate via file sharing

Snort/Suricata signature SIDs 41978, 42329, and 42340 detect EternalBlue exploitation attempts. IDS/IPS rules are available from Emerging Threats and vendor-specific rulesets.

Host-based detection should monitor for:

  • Blue screen of death (BSOD) events caused by failed exploitation attempts (common with older exploit versions)
  • Unexpected kernel driver loading or modification of srv.sys
  • DoublePulsar implant installation, detectable via a response to a specially crafted SMB ping transaction (opcode 0x23)
  • Creation of named pipes associated with DoublePulsar

Windows Event Logs may capture exploitation artifacts in the System log (Event ID 7036 for service state changes) and Security log (Event ID 4625 for failed logon attempts that precede some exploitation variants).

Indicators of Compromise

Network indicators:

  • Inbound connections to TCP port 445 from external IP addresses
  • SMB_COM_TRANSACTION2 packets with FEALIST fields exceeding 10,000 bytes
  • DoublePulsar check response: SMB_COM_TRANSACTION2 with multiplex ID incremented by 0x10 in response to trans2 SESSION_SETUP subcommand
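The two network indicators above (oversized Trans2 requests and the DoublePulsar ping response with MID + 0x10) as detection logic over parsed SMBv1 frames, added here as an example and not part of the advisory or any vendor ruleset. It assumes standard MS-CIFS header and Trans2 request layouts, uses the Trans2 TotalDataCount field as a proxy for FEALIST size (an assumption), and the sample frames are constructed inline rather than captured traffic.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E
SMB_FLAGS_REPLY = 0x80
FEALIST_THRESHOLD = 10_000  # byte threshold from the advisory's network indicators

def parse_smb1(pkt: bytes) -> dict:
    """Parse a NetBIOS-framed SMBv1 message; decode Trans2 request words when present."""
    if len(pkt) < 36 or pkt[4:8] != SMB_MAGIC:
        raise ValueError("not an SMBv1 message")
    hdr = pkt[4:36]                                  # 32-byte SMB header after 4-byte NetBIOS frame
    status, = struct.unpack_from("<I", hdr, 5)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    msg = {"command": hdr[4], "status": status, "is_response": bool(hdr[9] & SMB_FLAGS_REPLY),
           "tid": tid, "pid": pid, "uid": uid, "mid": mid}
    if msg["command"] == SMB_COM_TRANSACTION2 and not msg["is_response"] and len(pkt) >= 67 and pkt[36] >= 15:
        words = pkt[37:37 + 2 * pkt[36]]             # WordCount byte, then the parameter words
        msg["total_data_count"] = struct.unpack_from("<H", words, 2)[0]
        msg["subcommand"] = struct.unpack_from("<H", words, 28)[0]   # Setup[0] = Trans2 subcommand
    return msg

def doublepulsar_ping_response(req: dict, resp: dict) -> bool:
    """Implant indicator: Trans2 SESSION_SETUP answered with MID = request MID + 0x10."""
    return (req.get("subcommand") == TRANS2_SESSION_SETUP
            and resp["is_response"] and resp["command"] == SMB_COM_TRANSACTION2
            and (resp["mid"] - req["mid"]) & 0xFFFF == 0x10)

def oversized_trans2(req: dict) -> bool:
    """Proxy for the oversized-FEALIST indicator: TotalDataCount above threshold (assumption)."""
    return req.get("total_data_count", 0) > FEALIST_THRESHOLD

# --- constructed sample frames for offline testing (not captured traffic) ---
def build_smb1(command: int, mid: int, flags: int = 0, body: bytes = b"") -> bytes:
    hdr = (SMB_MAGIC + bytes([command]) + struct.pack("<I", 0) + bytes([flags])
           + b"\x00" * 14 + struct.pack("<HHHH", 0, 0xFEFF, 0, mid))   # Flags2..Reserved zeroed
    return b"\x00" + struct.pack(">I", len(hdr) + len(body))[1:] + hdr + body

def trans2_body(total_data_count: int, subcommand: int) -> bytes:
    words = struct.pack("<HHHHBBHIHHHHHBBH", 0, total_data_count, 0, 0, 0, 0, 0, 0,
                        0, 0, 0, 0, 0, 1, 0, subcommand)
    return bytes([15]) + words + struct.pack("<H", 0)   # WordCount=15, words, ByteCount=0

if __name__ == "__main__":
    probe = parse_smb1(build_smb1(SMB_COM_TRANSACTION2, 0x41, body=trans2_body(0, TRANS2_SESSION_SETUP)))
    reply = parse_smb1(build_smb1(SMB_COM_TRANSACTION2, 0x51, flags=SMB_FLAGS_REPLY))
    print("DoublePulsar indicator:", doublepulsar_ping_response(probe, reply))
```

In a sensor, pair each Trans2 request with the reply carrying the same TID/PID/UID and apply both checks to the pair.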

Host indicators:

  • Presence of DoublePulsar backdoor (detectable via network probe or memory analysis)
  • Unexpected modifications to srv.sys or loading of unsigned kernel drivers
  • LSASS process injection from unknown parent processes
  • Creation of files with .WNCRY extension (WannaCry) or modification of MBR (NotPetya)

Log indicators:

  • Windows System Event Log: unexpected service crashes (Event ID 7034) for the Server service
  • Windows Application Event Log: application errors in svchost.exe hosting the LanmanServer service

Disclosure Timeline

2017-01-08 — Shadow Brokers Announce Auction

The Shadow Brokers group announced they possessed NSA exploitation tools and attempted to auction them. Initial attempts to sell the tools failed to attract sufficient bids.

2017-03-14 — Microsoft Releases MS17-010

Microsoft published security bulletin MS17-010, patching CVE-2017-0144 and five related SMBv1 vulnerabilities across supported Windows versions. The timing — one month before the Shadow Brokers release — suggests prior notification from the NSA.

2017-04-14 — Shadow Brokers Public Release

The Shadow Brokers released the “Lost in Translation” archive containing EternalBlue, DoublePulsar, and other NSA exploitation tools. The tools became freely available on the internet.

2017-05-12 — WannaCry Outbreak

The WannaCry ransomware worm used EternalBlue as its primary propagation mechanism, infecting over 230,000 systems in 150+ countries.

2017-06-27 — NotPetya Attack

The NotPetya wiper malware used EternalBlue alongside credential harvesting for lateral movement, causing an estimated $10 billion in global damages.

2022-02-10 — Added to CISA KEV Catalog

CISA added CVE-2017-0144 to the Known Exploited Vulnerabilities catalog, establishing federal remediation requirements.