CVE-2017-11780: Windows SMB Security Vulnerability Alert

Source: E安全
Windows security updates

On 10 October 2017 Microsoft released its October 2017 security update bulletin, fixing multiple critical vulnerabilities. According to the bulletin, the affected systems range from Windows Server 2008 to Windows 10 and include:
Windows 10 1703
Windows 10 1607
Windows Server 2016
Windows 10 1511
Windows 10 RTM
Windows 8.1
Windows Server 2012 R2
Windows Server 2012
Windows 7
Windows Server 2008 R2
Windows Server 2008

Software update summary:
https://portal.msrc.microsoft.com/zh-cn/security-guidance/summary

The release also includes client-side security updates, notably for an Office vulnerability that is already being exploited:
Internet Explorer
Microsoft Edge
Office
SharePoint

Exploitability

According to the bulletin, CVE-2017-11780, a remote code execution vulnerability in Windows SMB (SMBv1), has a high likelihood of successful exploitation; once exploit code becomes public, malicious actors could use it to build a self-propagating worm. On a local network, CVE-2017-11771, a remote code execution vulnerability in Windows Search, can likewise be triggered remotely over an SMB connection, and a successful attack gives control of the target computer. CVE-2017-11779, a remote code execution vulnerability in Windows DNSAPI, can be exploited through forged responses from a malicious DNS server set up by an attacker. Exploit samples for CVE-2017-11826, a Microsoft Office memory corruption vulnerability, have already been observed in attack campaigns. Install the security updates as soon as possible and apply the corresponding mitigations to keep systems running safely.

Affected versions

CVE-2017-11780, the Windows SMB (SMBv1) remote code execution vulnerability, affects the following system versions:
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Microsoft update guide:

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11780

CVE-2017-11771, the Windows Search remote code execution vulnerability, affects the following system versions:
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Microsoft update guide:
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11771

CVE-2017-11779, the Windows DNSAPI remote code execution vulnerability, affects the following system versions:
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Microsoft update guide:
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11779

CVE-2017-11826, the Microsoft Office memory corruption vulnerability, affects the following Office versions:
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office Online Server 2016
Microsoft Office Web Apps Server 2010 Service Pack 2
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft Office Word Viewer
Microsoft SharePoint Enterprise Server 2016
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 RT Service Pack 1
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Word Automation Services (Microsoft SharePoint Server 2013 Service Pack 1)
Word Automation Services (Microsoft SharePoint Server 2010 Service Pack 2)
Microsoft update guide:
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11826

Mitigations (security emergency recommendations)

Urgent: attack code has already appeared; we strongly recommend installing the security update patches as soon as possible.

Priority measure: on personal computers, enable the firewall to block external access to local TCP port 445; on servers, enable a security policy that restricts access to local TCP port 445 to specified IP addresses.

Patch updates: patches can be installed through the system's built-in update feature, or a specific patch can be installed individually; for the matching version, refer to the following Microsoft update guides:
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11780
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11771
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11779
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11826
Locate the corresponding system version and click "Security Update" to download the individual patch.

Security configuration: if a system in a special environment cannot conveniently be patched, the following security configuration can be used as a workaround.
For CVE-2017-11780, the Windows SMB (SMBv1) remote code execution vulnerability, refer to the guide on how to enable and disable SMBv1, SMBv2 and SMBv3 in Windows and Windows Server:
https://support.microsoft.com/zh-cn/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
For CVE-2017-11771, the Windows Search remote code execution vulnerability, refer to the method for disabling the WSearch service:
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11771
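As an added example (not part of the E安全 advisory or Microsoft's guidance), the following PowerShell script applies the three workarounds above on Windows 8.1 / Server 2012 or later: it reports and disables SMBv1, restricts inbound TCP 445 (block everything on a workstation, allow only listed clients on a server), and optionally disables WSearch. It assumes PowerShell 5.1 with the SmbShare and NetSecurity modules; the $AllowedSmbClients addresses and the rule display names are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory. Assumes Windows 8.1 / Server 2012 or later
# with the SmbShare and NetSecurity modules. $AllowedSmbClients holds constructed
# sample addresses; replace them with the hosts that genuinely need SMB access.
param(
    [ValidateSet('Workstation', 'Server')] [string]$Role = 'Workstation',
    [string[]]$AllowedSmbClients = @('10.0.0.10', '10.0.0.11'),   # constructed sample values
    [switch]$DisableWindowsSearch
)

# 1. Record the SMBv1 state before changing anything (server setting and optional feature).
$smb = Get-SmbServerConfiguration
Write-Host "SMBv1 enabled on server: $($smb.EnableSMB1Protocol)"
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { Write-Host "SMB1Protocol optional feature: $($feature.State)" }

# 2. Disable SMBv1 (CVE-2017-11780 is in SMBv1). Turning off the server setting stops
#    the protocol; removing the optional feature also unloads the SMBv1 driver.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 3. TCP 445. Windows Firewall applies block rules before allow rules, and allow rules are
#    cumulative, so on a server any existing wide-open inbound 445 allow rule must be
#    disabled before a scoped allow rule is meaningful.
if ($Role -eq 'Workstation') {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
} else {
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'Allow SMB (TCP 445) from approved hosts' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress $AllowedSmbClients -Action Allow | Out-Null
}

# 4. CVE-2017-11771: stop and disable the Windows Search service where it is not required.
if ($DisableWindowsSearch) {
    Stop-Service -Name WSearch -Force
    Set-Service -Name WSearch -StartupType Disabled
}

# 5. Verify the resulting state.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName '*SMB*' | Select-Object DisplayName, Enabled, Direction, Action
Get-Service -Name WSearch | Select-Object Name, Status, StartType
```

Disabling the SMB1Protocol optional feature takes effect after a reboot, and blocking TCP 445 on a workstation also stops it from serving shares, so run the verification step after a restart and confirm that any shares the host legitimately serves are still reachable from approved clients.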

Security emergency recommendation: Windows SMB vulnerabilities have historically been the vector for severe worm outbreaks; we strongly recommend installing the security updates as soon as possible and continuing to monitor threat developments.