CVE-2017-8543 — Microsoft Windows Search Remote Code Execution Vulnerability

CVE-2017-8543

Microsoft Windows Search — Windows Search Service Memory Corruption Enables Unauthenticated Remote Code Execution via SMB Message; CRITICAL 9.8; Patched June 2017

What Is Windows Search Service?

The Windows Search Service (WSearch) provides fast file and content indexing and search across Windows systems. It runs as a service with elevated privileges and processes file content from the local filesystem and network locations. The Windows Search service also processes SMB-based search requests — allowing remote machines on the same network to query the search index. This network-accessible surface makes CVE-2017-8543 exploitable without any user interaction: an attacker on the network can send a crafted SMB message to the Windows Search service and achieve code execution.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 24, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-8543 is a critical remote code execution vulnerability in the Windows Search service. When Windows Search handles objects in memory improperly during processing of a specially crafted SMB message, an attacker on the network can execute arbitrary code on the target system with the privileges of the Windows Search service. The AV:N/PR:N/UI:N characteristics (CRITICAL 9.8) indicate that it is fully remotely exploitable without authentication or user interaction, making it a severe network-level vulnerability. It was fixed in the June 2017 Patch Tuesday security update. CISA added CVE-2017-8543 to the KEV catalog in May 2022.

Affected Versions

Windows Vista through Windows 10 and Windows Server 2008 through 2016 with the Windows Search service running. See Microsoft Security Advisory for specific affected OS versions.

Technical Details

Root Cause: Memory Corruption in Windows Search Service

CVE-2017-8543 is a memory corruption vulnerability (CWE-119) in the Windows Search service (SearchIndexer.exe). The service fails to properly handle objects in memory when processing certain SMB messages — specifically, crafted messages sent to the Windows Search service's SMB communication channel can trigger heap corruption or out-of-bounds access, leading to code execution.

Network-accessible attack surface: The Windows Search service processes SMB-based queries from remote machines on the same network segment. An attacker can send crafted SMB messages directly to the service without authenticating, triggering the memory corruption and achieving code execution as the SearchIndexer.exe process user.

| Attribute | Detail |
|---|---|
| Attack Vector | Network — SMB to Windows Search service |
| Authentication | None required |
| User Interaction | None required |
| Impact | Code execution as Windows Search service process |

Exploitation Context

  • Post-EternalBlue context: CVE-2017-8543 was patched in June 2017 — one month after WannaCry/EternalBlue devastated unpatched organizations; it represents a second critical network-accessible Windows vulnerability in the SMB ecosystem within a short period
  • Lateral movement tool: Network-accessible Windows service vulnerabilities are prime tools for lateral movement within enterprise networks; once an attacker has a foothold on a network, CVE-2017-8543 enables pivoting to adjacent Windows hosts without credentials
  • Enterprise SMB exposure: Enterprise networks with flat Layer 2 segments allow SMB traffic between all hosts; in such environments, CVE-2017-8543 would allow any compromised host to attack all adjacent Windows machines
  • CISA KEV (2022): Added May 24, 2022 reflecting exploitation of Windows Search service vulnerabilities in targeted campaigns

Remediation

CISA BOD 22-01 Deadline: June 14, 2022. Apply updates per vendor instructions.
  1. Apply June 2017 Patch Tuesday updates — install Microsoft security updates from June 2017 (or any subsequent cumulative update for Windows 10/11); modern Windows systems with automatic updates should already have this patch.

  2. Disable Windows Search service if not required — if full-text search functionality is not needed, disable the Windows Search service (sc.exe stop WSearch, then sc.exe config WSearch start= disabled) to eliminate the attack surface entirely.

  3. Block SMB at the network perimeter — ensure TCP 445 (SMB) is blocked at the internet perimeter; this is a fundamental baseline control that prevents multiple Windows vulnerabilities from being exploited remotely.

  4. Implement network segmentation — use firewall rules and VLAN segmentation to restrict SMB traffic to only required paths; prevent arbitrary host-to-host SMB communication within the internal network to limit lateral movement potential.

  5. Apply Windows security baselines — use Microsoft's Security Compliance Toolkit baselines which restrict unnecessary Windows services and network protocols, reducing the attack surface against vulnerabilities like CVE-2017-8543.
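
A local audit of remediation steps 2 through 4, as an added example that is not from Microsoft or this page's author: it reports the WSearch service state, optionally stops and disables it, and lists enabled inbound allow rules that admit TCP 445. The -DisableSearch switch and the Test-CoversPort445 helper are names made up for this example; it assumes an elevated session, PowerShell 5.0 or later and the NetSecurity module.

```powershell
# Added example: audit of remediation steps 2-4 on the local host.
# Assumes an elevated session, PowerShell 5.0+ and the NetSecurity module.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DisableSearch   # hypothetical switch: also stop and disable WSearch
)

# Hypothetical helper: does a port filter admit TCP 445 (exact, range or Any)?
function Test-CoversPort445 {
    param($PortFilter)
    if ($PortFilter.Protocol -notin 'TCP', 'Any') { return $false }
    foreach ($p in @($PortFilter.LocalPort)) {
        if ($p -in 'Any', '445') { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and
            [int]$Matches[1] -le 445 -and [int]$Matches[2] -ge 445) { return $true }
    }
    return $false
}

$report = [ordered]@{ Host = $env:COMPUTERNAME }

# Step 2: is Windows Search installed, running, or configured to start?
$svc = Get-Service -Name WSearch -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $report.WSearch = 'Not installed'
} else {
    $report.WSearch = "$($svc.Status), StartType=$($svc.StartType)"
    if ($DisableSearch -and $PSCmdlet.ShouldProcess('WSearch', 'Stop and disable')) {
        Stop-Service -Name WSearch -Force
        Set-Service -Name WSearch -StartupType Disabled
        $svc = Get-Service -Name WSearch
        $report.WSearchAfter = "$($svc.Status), StartType=$($svc.StartType)"
    }
}

# Steps 3-4: enabled inbound Allow rules that admit TCP 445, and from where.
$smbRules = foreach ($rule in (Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow)) {
    if (Test-CoversPort445 ($rule | Get-NetFirewallPortFilter)) {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
}

[pscustomobject]$report | Format-List | Out-String
$smbRules | Sort-Object Rule | Format-Table -AutoSize -Wrap | Out-String
```

Rules whose RemoteAddress is Any are the ones that permit the arbitrary host-to-host SMB traffic that step 4 is meant to remove.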

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2017-8543 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2017-06-15 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CISA KEV Added | 2022-05-24 |
| CISA KEV Deadline | 2022-06-14 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-06-14. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2017-06-13 | Microsoft releases June 2017 Patch Tuesday security updates patching CVE-2017-8543 |
| 2017-06-15 | CVE-2017-8543 published by NVD |
| 2022-05-24 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-06-14 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| NVD — CVE-2017-8543 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Response Center — CVE-2017-8543 | Vendor Advisory |