
High-risk Windows SMB vulnerabilities strike again: 安恒信息 provides a free detection tool package

Author: 安恒信息
Published: 2018-04-10 11:28:49

Windows security updates

On 10 October 2017, Microsoft released its October 2017 security update bulletin, fixing several high-risk vulnerabilities. According to the bulletin, every system from Windows Server 2008 through Windows 10 is affected:

Windows 10 1703
Windows 10 1607
Windows Server 2016
Windows 10 1511
Windows 10 RTM
Windows 8.1
Windows Server 2012 R2
Windows Server 2012
Windows 7
Windows Server 2008 R2
Windows Server 2008

Software update summary: https://portal.msrc.microsoft.com/zh-cn/security-guidance/summary

The release also includes client-side security updates, notably for an Office vulnerability that is already being exploited in the wild:

Internet Explorer
Microsoft Edge
Office
SharePoint

Exploitability

According to the bulletin, the Windows SMB (SMBv1) remote code execution vulnerability CVE-2017-11780 has a high probability of successful exploitation; once exploit code is made public, malicious actors could use it to build a self-propagating worm. On a local network, the Windows Search remote code execution vulnerability CVE-2017-11771 can also be triggered remotely over an SMB connection, and a successful attack gives the attacker control of the target computer. The Windows DNSAPI remote code execution vulnerability CVE-2017-11779 can be exploited through forged responses from a malicious DNS server set up by an attacker. Finally, exploit samples for the Microsoft Office memory corruption vulnerability CVE-2017-11826 have already been observed in attack campaigns. We recommend installing the security updates as soon as possible and applying the corresponding mitigations to keep systems running securely.

Affected versions

The Windows SMB (SMBv1) remote code execution vulnerability CVE-2017-11780 affects the following system versions:

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)

Microsoft update guide: https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11780

The Windows Search remote code execution vulnerability CVE-2017-11771 affects the following system versions:

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)

Microsoft update guide: https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11771

The Windows DNSAPI remote code execution vulnerability CVE-2017-11779 affects the following system versions:

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)

Microsoft update guide: https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11779

The Microsoft Office memory corruption vulnerability CVE-2017-11826 affects the following Office versions:

Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office Online Server 2016
Microsoft Office Web Apps Server 2010 Service Pack 2
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft Office Word Viewer
Microsoft SharePoint Enterprise Server 2016
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 RT Service Pack 1
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Word Automation Services (Microsoft SharePoint Server 2013 Service Pack 1)
Word Automation Services (Microsoft SharePoint Server 2010 Service Pack 2)

Microsoft update guide: https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11826

Mitigations (emergency security recommendations)

Urgent: attack code has already appeared; we strongly recommend installing the security update patches as soon as possible.

Priority measure: on personal computers, enable the firewall and block external access to local TCP port 445; on servers, enable a security policy that restricts access to local TCP port 445 to designated IP addresses.

Patch updates: patches can be installed through the system's built-in update feature, or the specific patch can be installed on its own. Find the matching version in the following Microsoft update guides:

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11780
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11771
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11779
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11826

Locate the matching system version and click "Security Update" to download the standalone patch.

Security configuration: if a system in a special environment cannot easily be patched, the following security configuration can serve as a workaround.

For the Windows SMB (SMBv1) remote code execution vulnerability CVE-2017-11780, see Microsoft's guide on how to detect, enable and disable SMBv1, SMBv2 and SMBv3 in Windows and Windows Server: https://support.microsoft.com/zh-cn/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

For the Windows Search remote code execution vulnerability CVE-2017-11771, see the method for disabling the WSearch service: https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-11771

Emergency recommendation: Windows SMB vulnerabilities have historically led to serious worm outbreaks. We strongly recommend installing the security patches as soon as possible and continuing to follow security threat developments.

安恒信息 promptly developed a tool package for detecting the vulnerabilities above. Users can download it free of charge from the following link:

http://www.dbappsecurity.com.cn/file/tools.zip

After downloading the tool package and extracting it, double-click the file on your computer to check whether your system is affected by the vulnerabilities above. A result like the one shown in the figure below means the patch is already installed and you are not affected; otherwise, install the KB4041676 patch as soon as possible.
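An added audit script covering the priority measure (block inbound TCP 445), the SMBv1 and WSearch workarounds, and the patch check described above; it is example code written for this page, not the article's own code or 安恒信息's tool package. The firewall rule name is an assumption, and KB4041676 is the KB the article names: Microsoft's update guides above list the KB that applies to each Windows build, so pass that one in with -PatchKB on other versions.

```powershell
# Added example (not from the article or from 安恒信息's tool package): audit the
# mitigations the advisory recommends and, with -Remediate, apply them. Run as
# Administrator. Assumes Windows 8 / Server 2012 or later for the Smb* and
# NetSecurity cmdlets; the registry path covers Windows 7 / Server 2008 R2.
param(
    [switch]$Remediate,              # without this switch the script only reports
    [string]$PatchKB = 'KB4041676'   # KB named in the article; pick the KB for your build
)
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName = 'Block inbound SMB 445'   # assumed rule name, not a Windows built-in
$findings = @()
# 1. Is the patch installed?
$hotfix = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{ Check = "$PatchKB installed"; Result = [bool]$hotfix }
# 2. Is SMBv1 still enabled on the server side (attack surface for CVE-2017-11780)?
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Older builds: a missing SMB1 value under LanmanServer\Parameters means enabled
    $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1 = ($null -eq $v) -or ($v -ne 0)
}
$findings += [pscustomobject]@{ Check = 'SMBv1 disabled'; Result = -not $smb1 }
# 3. Is inbound TCP 445 blocked by our firewall rule (the article's priority measure)?
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{ Check = 'Inbound TCP 445 blocked'; Result = [bool]$rule }
# 4. Is the Windows Search service disabled (workaround for CVE-2017-11771)?
$wsearch = Get-WmiObject Win32_Service -Filter "Name='WSearch'"
$searchOff = ($null -eq $wsearch) -or ($wsearch.StartMode -eq 'Disabled')
$findings += [pscustomobject]@{ Check = 'WSearch disabled'; Result = $searchOff }
$findings | Format-Table -AutoSize

if ($Remediate) {
    if ($smb1 -and (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue)) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } elseif ($smb1) {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0   # needs a reboot
    }
    if (-not $rule) {
        # Blanket block of inbound 445; on file servers scope it with -RemoteAddress instead
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block | Out-Null
    }
    if (-not $searchOff) {
        Stop-Service -Name WSearch -Force
        Set-Service -Name WSearch -StartupType Disabled
    }
}
```

Run it once without -Remediate to see the four checks; a False in "Inbound TCP 445 blocked" on a file server is expected if you deliberately allow designated clients, as the article suggests for servers.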

Originally published 2017-10-13 on the 安恒信息 WeChat public account.
