What Is SMBv1?
Server Message Block version 1 (SMBv1) is the original Windows file sharing protocol on TCP port 445. The MS17-010 vulnerability family (CVE-2017-0143 through 0148) encompasses both remote code execution (RCE) and information disclosure vulnerabilities in SMBv1. CVE-2017-0147 is the information disclosure member of this family — while it does not directly enable code execution, it plays a critical role in exploit chains by defeating Windows kernel ASLR before the companion RCE exploits are applied.
Overview
CVE-2017-0147 is an information disclosure vulnerability in the Windows SMBv1 server that allows an unauthenticated remote attacker to obtain sensitive information from process memory via a specially crafted SMBv1 packet. Unlike the companion RCE vulnerabilities in MS17-010, CVE-2017-0147 targets confidentiality — leaking server process memory that contains kernel addresses, enabling ASLR bypass before exploiting the companion code execution vulnerabilities. Patched in MS17-010 (March 14, 2017). CISA added CVE-2017-0147 to the KEV catalog in May 2022.
Affected Versions
| Windows Version | Status |
|---|---|
| Windows Vista SP2 through Windows 10 1703 | Vulnerable |
| Windows Server 2008 through 2016 | Vulnerable |
| All above with MS17-010 applied | Fixed |
Technical Details
Root Cause: SMBv1 Server Memory Disclosure
CVE-2017-0147 is an information disclosure vulnerability (CWE-200) in the Windows SMBv1 server kernel driver (srv.sys). When processing a crafted SMBv1 packet, the server generates a response that includes kernel memory contents beyond the intended response data — similar in concept to the Heartbleed vulnerability in OpenSSL, but via the SMBv1 protocol.
Key characteristics:
- `PR:N` (no authentication required): Unlike the RCE CVEs in MS17-010 (which require low-privilege NULL session access), CVE-2017-0147 is fully unauthenticated — any attacker who can reach port 445 can trigger the memory disclosure
- Kernel memory in response: The leaked memory comes from the srv.sys kernel driver's memory space, potentially containing pointer values that reveal kernel module base addresses
- ASLR bypass value: Reading kernel pointers from the SMBv1 response reveals the address space layout of the Windows kernel, enabling reliable exploitation of companion buffer overflow vulnerabilities that need exact kernel addresses for their ROP chains
Role in the MS17-010 exploit chain: The Equation Group's exploit toolkit likely used CVE-2017-0147 as a first step before CVE-2017-0143/0145/0146/0148 code execution — the information disclosure reveals kernel addresses, then the RCE exploit uses those addresses for reliable code execution. This is the standard information disclosure + code execution pairing in modern kernel exploitation.
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — TCP port 445 (SMBv1) |
| Authentication | None required |
| Information Disclosed | Server kernel process memory |
| Role | ASLR bypass before companion RCE exploits |
| Impact | Confidentiality only (no direct code execution) |
Discovery
Developed by the NSA's Equation Group as part of the MS17-010 exploit toolkit; publicly disclosed when Shadow Brokers published the toolkit on April 14, 2017.
Exploitation Context
- ASLR bypass in exploit chain: CVE-2017-0147 was used as the ASLR bypass step in sophisticated MS17-010 exploitation — before using the code execution vulnerabilities, the attacker first uses CVE-2017-0147 to leak kernel memory and determine exact addresses for the ROP chain
- Unauthenticated reconnaissance: The `PR:N` characteristic makes CVE-2017-0147 a stealthier reconnaissance tool than the RCE variants — an attacker can probe SMBv1 memory and gather ASLR information without establishing an authenticated SMB session that might generate authentication log events
- Ransomware/malware use: The `ransomwareUse: true` flag reflects that ransomware operators using MS17-010 relied on the full toolkit including CVE-2017-0147 for reliable exploitation against diverse Windows targets
- CISA KEV (2022): Added May 2022 as part of the ongoing MS17-010 family KEV additions
Remediation
- Apply MS17-010 — install the March 2017 Windows SMB Server security update.
- Disable SMBv1 — disable the SMBv1 protocol on all systems:

  ```powershell
  Set-SmbServerConfiguration -EnableSMB1Protocol $false
  ```

- Block TCP port 445 from internet and untrusted networks — CVE-2017-0147 requires no authentication; the only network-level mitigation is blocking SMBv1 access.
- Segment internal networks — prevent SMBv1 traffic from reaching sensitive servers from general corporate or untrusted VLANs.
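The four remediation steps above, as an added example that is not part of this advisory or of Microsoft's own tooling: a PowerShell script that audits a host for SMBv1 state, the presence of the MS17-010 hotfix and an inbound port 445 block rule, and applies the fixes when run with `-Remediate`. It assumes Windows 8/Server 2012 or later for the `Get-/Set-SmbServerConfiguration` and `NetSecurity` cmdlets (older builds fall back to the documented `LanmanServer\Parameters\SMB1` registry value), that the `Microsoft-Windows-SMBServer/Audit` log exists (Windows 10/Server 2016 and later, with `AuditSmb1Access` enabled), and that the hotfix IDs in `$Ms17010KBs` are recalled from the March 2017 update rather than taken from this page, so they must be checked against the MS17-010 bulletin for each OS build.

```powershell
<#
  Added example (not from the advisory or from Microsoft): audit the MS17-010
  remediation controls on this host and, with -Remediate, apply them.
  Run from an elevated PowerShell session.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,
    # Hotfix IDs assumed to carry the MS17-010 fix; verify per OS build against the bulletin.
    [string[]]$Ms17010KBs = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217')
)

$lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName = 'Block inbound TCP 445 from Internet (MS17-010 mitigation)'

function Get-Smb1State {
    # Prefer the SMB cmdlets; fall back to the registry value on Windows 7 / 2008 R2.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # A missing value means the default, and the default on these builds is enabled.
    return ($null -eq $v) -or ($v -ne 0)
}

function Test-Ms17010Installed {
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    return [bool]($Ms17010KBs | Where-Object { $installed -contains $_ })
}

function Get-Smb1Clients {
    # With AuditSmb1Access enabled, every SMB1 negotiation is logged as event 3000.
    # Use it to find legacy clients that would break before turning SMB1 off.
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 3000 } |
        ForEach-Object { $_.Message } | Sort-Object -Unique
}

$smb1On  = Get-Smb1State
$patched = Test-Ms17010Installed
$block   = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    SMB1Enabled      = $smb1On
    MS17010Installed = $patched
    Port445Blocked   = [bool]$block
    SMB1ClientsSeen  = @(Get-Smb1Clients).Count
} | Format-List

if (-not $Remediate) { return }

if (-not $patched) {
    Write-Warning 'MS17-010 not found; install the March 2017 SMB Server security update first.'
}

if ($smb1On) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # -Force suppresses the confirmation prompt so the script can run unattended.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Also remove the optional SMB1 component where it exists (Windows 8.1 / 10).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

if (-not $block) {
    # 'Internet' is the Windows Firewall keyword for addresses outside the local subnets,
    # which matches the "block 445 from internet and untrusted networks" step.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress Internet -Action Block | Out-Null
}
```

Run it once without `-Remediate` to see the audit object; a non-zero `SMB1ClientsSeen` means legacy clients are still negotiating SMBv1 and should be inventoried before the protocol is disabled (enable the audit with `Set-SmbServerConfiguration -AuditSmb1Access $true` on builds that support it). The firewall rule only covers the host's own boundary; the segmentation step still needs to be enforced on the network between VLANs.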
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2017-0147 |
| Vendor / Product | Microsoft — SMBv1 server |
| NVD Published | 2017-03-17 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Severity | HIGH |
| CWE | CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor |
| CISA KEV Added | 2022-05-24 |
| CISA KEV Deadline | 2022-06-14 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2017-03-14 | Microsoft releases MS17-010 patching CVE-2017-0147 and related SMBv1 vulnerabilities |
| 2017-03-17 | CVE-2017-0147 published by NVD |
| 2017-04-14 | Shadow Brokers publish NSA Equation Group tools including ERRATICGOPHER associated with SMBv1 memory disclosure |
| 2022-05-24 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-06-14 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2017-0147 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| MS17-010 — Security Update for Windows SMB Server (March 2017) | Vendor Advisory |