📄 Description (English)
Microsoft Windows SMBv1 Information Disclosure Vulnerability — The SMBv1 server in Microsoft Windows allows remote attackers to obtain sensitive information from process memory via a crafted packet.
🤖 AI Executive Summary
CVE-2017-0147 is a critical information disclosure vulnerability in Microsoft Windows SMBv1 (Server Message Block version 1) that allows remote attackers to extract sensitive information from process memory via specially crafted packets. This vulnerability is part of the EternalRomance/EternalChampion exploit chain leaked by the Shadow Brokers from NSA tools, and was actively exploited in the wild alongside EternalBlue (CVE-2017-0144) during the WannaCry and NotPetya ransomware campaigns. With a CVSS score of 9.0 and public exploits readily available, this vulnerability poses an extreme risk to any organization still running unpatched Windows systems with SMBv1 enabled. Despite patches being available since March 2017 (MS17-010), legacy systems in many organizations remain vulnerable.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 7, 2026 02:34
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk across all Saudi sectors due to the widespread use of Windows systems. Banking sector (SAMA-regulated): Legacy Windows systems in branch offices and ATM networks could be exploited for lateral movement and data exfiltration. Government sector (NCA-regulated): Many government agencies still operate legacy Windows systems that may have SMBv1 enabled. Energy sector (ARAMCO, SABIC): Industrial control system networks often contain legacy Windows machines with SMBv1, making them prime targets. Healthcare: Hospital networks with legacy medical devices running older Windows versions are particularly vulnerable. Telecom (STC, Mobily, Zain): Internal infrastructure and customer-facing systems could be compromised. This vulnerability was weaponized in the Shamoon 2.0 attacks that specifically targeted Saudi Arabian organizations, making it especially relevant to the Saudi threat landscape.
🏢 Affected Saudi Sectors
Government
Banking
Energy
Healthcare
Telecommunications
Defense
Education
Transportation
Retail
⚖️ Saudi Risk Score (AI)
9.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Apply Microsoft Security Bulletin MS17-010 immediately on all Windows systems (patches available for Windows Vista through Windows Server 2016)
2. Disable SMBv1 on all systems where it is not absolutely required:
- PowerShell: Set-SmbServerConfiguration -EnableSMB1Protocol $false
- Windows Features: Disable 'SMB 1.0/CIFS File Sharing Support'
3. Block SMB traffic (TCP ports 445, 139 and UDP ports 137, 138) at network perimeter firewalls
DETECTION:
4. Deploy IDS/IPS signatures for EternalRomance/EternalChampion exploit attempts
5. Monitor for anomalous SMB traffic patterns using Snort/Suricata rules (sid:41978, sid:42329)
6. Scan internal networks for systems with SMBv1 enabled: nmap --script smb-protocols -p445
7. Review Windows Event Logs for suspicious SMB authentication attempts
COMPENSATING CONTROLS:
8. Implement network segmentation to isolate legacy systems that cannot be patched
9. Deploy host-based firewalls to restrict SMB access to authorized systems only
10. Enable Windows Defender Credential Guard where supported
11. Implement micro-segmentation for critical assets
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تطبيق تحديث الأمان MS17-010 من Microsoft فوراً على جميع أنظمة Windows
2. تعطيل بروتوكول SMBv1 على جميع الأنظمة التي لا تحتاجه:
- PowerShell: Set-SmbServerConfiguration -EnableSMB1Protocol $false
- ميزات Windows: تعطيل 'SMB 1.0/CIFS File Sharing Support'
3. حظر حركة مرور SMB (منافذ TCP 445 و139 ومنافذ UDP 137 و138) على جدران الحماية الخارجية
الكشف والمراقبة:
4. نشر توقيعات IDS/IPS للكشف عن محاولات استغلال EternalRomance/EternalChampion
5. مراقبة أنماط حركة مرور SMB غير الطبيعية باستخدام قواعد Snort/Suricata
6. فحص الشبكات الداخلية للأنظمة التي تعمل بـ SMBv1: nmap --script smb-protocols -p445
7. مراجعة سجلات أحداث Windows للكشف عن محاولات مصادقة SMB المشبوهة
الضوابط التعويضية:
8. تنفيذ تجزئة الشبكة لعزل الأنظمة القديمة التي لا يمكن تحديثها
9. نشر جدران حماية على مستوى المضيف لتقييد وصول SMB للأنظمة المصرح لها فقط
10. تفعيل Windows Defender Credential Guard حيثما أمكن
11. تنفيذ التجزئة الدقيقة للأصول الحرجة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2-3-1 (Patch Management)
ECC 2-5-1 (Network Security)
ECC 2-3-4 (Vulnerability Management)
ECC 2-2-1 (Asset Management)
ECC 2-5-3 (Network Segmentation)
🔵 SAMA CSF
SAMA CSF 3.3.3 (Patch Management)
SAMA CSF 3.3.5 (Vulnerability Management)
SAMA CSF 3.4.1 (Network Security Management)
SAMA CSF 3.4.4 (Network Segmentation)
SAMA CSF 3.1.3 (Information Asset Management)
🟡 ISO 27001:2022
A.8.8 (Management of Technical Vulnerabilities)
A.8.9 (Configuration Management)
A.8.20 (Networks Security)
A.8.21 (Security of Network Services)
A.8.22 (Segregation of Networks)
🟣 PCI DSS v4.0
PCI DSS 6.3.3 (Install Critical Security Patches Within One Month)
PCI DSS 1.3 (Network Segmentation)
PCI DSS 11.3 (Vulnerability Scanning)
PCI DSS 2.2.2 (Disable Unnecessary Services)
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Microsoft:SMBv1 server