
CVE-2017-0143

Critical 🇺🇸 CISA KEV ⚡ Exploit Available
Published: Nov 3, 2021  ·  Source: CISA_KEV
CVSS v3: 9.0
📄 Description (English)

Microsoft Windows Server Message Block (SMBv1) Remote Code Execution Vulnerability — Microsoft Windows Server Message Block 1.0 (SMBv1) contains an unspecified vulnerability that allows for remote code execution.

🤖 AI Executive Summary

CVE-2017-0143 is a critical remote code execution vulnerability in Microsoft Windows SMBv1 (EternalBlue), which was infamously exploited by the WannaCry and NotPetya ransomware campaigns. With a CVSS score of 9.0 and publicly available exploit code (including Metasploit modules), this vulnerability allows unauthenticated attackers to execute arbitrary code on vulnerable Windows systems over port 445. Despite patches being available since March 2017 (MS17-010), unpatched systems remain a significant risk, particularly in legacy environments. This vulnerability continues to be one of the most actively exploited flaws in the wild and poses an extreme threat to any organization with exposed SMB services.

🤖 AI Intelligence Analysis Analyzed: Apr 7, 2026 00:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses severe risk to Saudi organizations across all sectors. Banking institutions regulated by SAMA may have legacy Windows systems in branch networks. Government entities under NCA oversight, including ministries and public services, often maintain older Windows infrastructure. Energy sector organizations including ARAMCO and its subsidiaries may have operational technology (OT) environments with legacy Windows systems where SMBv1 is still enabled. Telecom providers like STC and healthcare organizations are also at high risk. Saudi Arabia was affected during the WannaCry outbreak in 2017, and any remaining unpatched systems represent critical exposure. The prevalence of Windows-based infrastructure across Saudi government and enterprise environments makes this vulnerability particularly dangerous, especially in air-gapped or isolated networks where patching cycles are slower.
🏢 Affected Saudi Sectors
Government, Banking, Energy, Healthcare, Telecom, Education, Defense, Transportation, Retail
⚖️ Saudi Risk Score (AI): 9.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Apply Microsoft security update MS17-010 (KB4012212, KB4012215, KB4012213, KB4012216, KB4012214, KB4012217) immediately on all Windows systems
2. Disable SMBv1 on all systems where it is not absolutely required: Set-SmbServerConfiguration -EnableSMB1Protocol $false
3. Block TCP port 445 at network perimeter firewalls and segment internal networks to restrict SMB traffic
4. Scan the entire network for systems with port 445 open using tools like nmap: nmap -p 445 --script smb-vuln-ms17-010 <target-range>

DETECTION RULES:
5. Deploy IDS/IPS signatures for EternalBlue exploitation attempts (Snort SID: 41978, 42329-42332)
6. Monitor for unusual SMB traffic patterns, especially large volumes of SMB negotiation requests
7. Enable Windows Event logging for SMB connections and monitor for exploitation indicators

COMPENSATING CONTROLS:
8. For systems that cannot be patched immediately, implement network segmentation to isolate vulnerable hosts
9. Deploy endpoint detection and response (EDR) solutions with EternalBlue detection capabilities
10. Implement application whitelisting on critical servers to prevent unauthorized code execution
11. Ensure all Windows systems are upgraded to supported versions — Windows XP, Server 2003, and other EOL systems must be decommissioned
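
An added example for step 6 (not part of the original advisory): a sliding-window check that flags any source contacting many distinct hosts on TCP/445 in a short period, using each connection record as a proxy for an SMB negotiation request. The log format, the 60-second window, the threshold of 5 and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records (not real traffic): "ISO-timestamp src dst dst_port"
SAMPLE_FLOWS = """\
2024-01-01T09:00:00 10.0.5.40 10.0.1.10 445
2024-01-01T09:00:01 10.0.5.23 10.0.5.1 445
2024-01-01T09:00:02 10.0.5.23 10.0.5.2 445
2024-01-01T09:00:03 10.0.5.23 10.0.5.3 445
2024-01-01T09:00:04 10.0.5.40 10.0.1.10 445
2024-01-01T09:00:05 10.0.5.23 10.0.5.4 445
2024-01-01T09:00:06 10.0.5.23 10.0.5.5 445
2024-01-01T09:00:07 10.0.5.23 10.0.5.6 445
2024-01-01T09:00:08 10.0.5.51 10.0.1.20 443
2024-01-01T09:05:00 10.0.5.77 10.0.1.10 445
2024-01-01T09:10:00 10.0.5.77 10.0.1.11 445
2024-01-01T09:15:00 10.0.5.77 10.0.1.12 445
"""

def smb_fanout(flow_text, window=timedelta(seconds=60), threshold=5, port=445):
    """Return {src: peak number of distinct SMB destinations inside one window}
    for every source whose peak reaches the threshold."""
    events = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue                      # skip blank or malformed records
        try:
            ts = datetime.fromisoformat(fields[0])
        except ValueError:
            continue                      # skip records with a bad timestamp
        if int(fields[3]) == port:
            events.append((ts, fields[1], fields[2]))

    recent = defaultdict(deque)           # src -> (timestamp, dst) still in window
    peak = defaultdict(int)
    for ts, src, dst in sorted(events):   # tolerate out-of-order log lines
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # expire events older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {n} distinct TCP/445 destinations within 60s")
```

A client that repeatedly reaches the same file server, or that touches a few servers over several minutes, stays below the threshold; tune the window and threshold against a baseline of normal SMB use in the monitored segment.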
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Apply Microsoft security update MS17-010 immediately on all Windows systems
2. Disable the SMBv1 protocol on all systems that do not need it: Set-SmbServerConfiguration -EnableSMB1Protocol $false
3. Block TCP port 445 at perimeter firewalls and segment internal networks to restrict SMB traffic
4. Scan the entire network for systems with port 445 open using tools such as nmap

DETECTION RULES:
5. Deploy IDS/IPS signatures to detect EternalBlue exploitation attempts
6. Monitor for unusual SMB traffic patterns, especially large volumes of SMB negotiation requests
7. Enable Windows event logging for SMB connections and monitor for exploitation indicators

COMPENSATING CONTROLS:
8. For systems that cannot be patched immediately, implement network segmentation to isolate vulnerable hosts
9. Deploy endpoint detection and response (EDR) solutions with EternalBlue detection capabilities
10. Apply application whitelisting on critical servers to prevent unauthorized code execution
11. Upgrade all Windows systems to supported versions and decommission end-of-life systems
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
2-3-1 (Patch Management); 2-5-1 (Network Security); 2-2-1 (Asset Management); 2-6-1 (Vulnerability Management); 2-9-1 (Cybersecurity Incident Management)
🔵 SAMA CSF
3.3.3 (Patch Management); 3.3.4 (Vulnerability Management); 3.3.7 (Network Security Management); 3.4.1 (Cybersecurity Incident Management); 3.3.1 (Asset Management)
🟡 ISO 27001:2022
A.8.8 (Management of technical vulnerabilities); A.8.20 (Networks security); A.8.9 (Configuration management); A.8.22 (Segregation of networks); A.5.24 (Information security incident management planning)
🟣 PCI DSS v4.0
6.3.3 (Install critical security patches within one month); 11.3 (Penetration testing); 1.3 (Network access controls); 11.5 (Network intrusion detection)
📦 Affected Products / CPE 1 entries
Microsoft:Windows
📋 Quick Facts
Severity: Critical
CVSS Score: 9.0
EPSS: 94.02%
Exploit: ✓ Yes
Patch: ✓ Yes
CISA KEV: 🇺🇸 Yes
KEV Due Date: 2022-05-03
Published: 2021-11-03
Source Feed: cisa_kev
🏷️ Tags
kev actively-exploited ransomware