Microsoft Security Bulletin MS17-010 - Security Update for Microsoft Windows SMB Server (4013389)

fieldj
Hi all,

I am sure that some people have been dealing with this recent security issue regarding disabling SMBv1.

Further details here:

https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices

Apparently this is now fixed by installing a Windows patch detailed in this Technet article (published March 14 2017):

https://technet.microsoft.com/library/security/MS17-010

However, I have noticed that even after installing this patch, a vulnerability scan on a test server is still reporting this vulnerability.  If I perform the manual reg key fix (detailed here: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012 ) the vulnerability scan reports that the vulnerability has been removed.

My question is, does the Windows security patch detailed in article MS17-010 truly fix the issue? Does my vulnerability scan just need to update to realise that this patch resolves the issue (I don't think that an update has been available since Microsoft released this patch)?
Distinguished Expert 2018

Commented:
Hi.

"Does my vulnerability scan just need to update to realise that this patch resolves the issue" - that is very likely the cause. Ask the vendor of the scanner.

Author

Commented:
Let's hope this is the case.  I have already asked them and am awaiting a reply.

I would be interested to hear others' experience with this vulnerability and whether the patch seems to have resolved it for them.
Distinguished Expert 2018
Commented:
You have to put into context that this has just very recently come out. Also make sure that your vulnerability scanner is up to date. As far as your scanner goes, it comes down to exactly what it's checking for. So while it's hoped that the MS patch did actually fix it, there is always that possibility that either a flaw remains or a slightly new issue got introduced. Unless you need to keep SMBv1, I'd say disable it. Otherwise, stay tuned to the news, because someone will hopefully find a way to test for the vulnerability properly.
Distinguished Expert 2018
Commented:
With a vulnerability that notorious (SMB is file services), it would be more than odd if that patch wouldn't have fixed it. Vulnerability scanners will need to be updated to detect it; I don't think those scanners will detect it by actually exploiting it.
Distinguished Expert 2018
Commented:
Microsoft has been known to release patches only to have to release another one later. But that said, I'd be counting on a security researcher to try exploiting it in their own lab and reporting properly. My reference to testing the vulnerability wasn't about the scanners themselves, as much as someone releasing a tool to test. Much like the recent WebEx plugin fixes... one update was released and still found to be vulnerable, so another had to be released.
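
The thread turns on what the scanner is actually checking: whether the MS17-010 update is installed, or whether the SMBv1 server is still enabled. The script below is an added example, not part of any post above; it reports both states separately on the scanned host, assuming the `SMB1` registry value documented in the linked KB 2696547 article and a placeholder KB list (`$Ms17010Kbs`) that has to be filled in from the MS17-010 bulletin for the OS in question.

```powershell
# Added example. Run in an elevated PowerShell session on the server being scanned.
# ASSUMPTION: replace the placeholder with the update KB id(s) that the
# MS17-010 bulletin lists for this OS version. 'KB0000000' is not a real KB.
$Ms17010Kbs = @('KB0000000')

function Get-Smb1ServerState {
    # Registry value from KB 2696547: SMB1 = 0 disables the SMBv1 server.
    # If the value is absent, the OS default applies (the KB gives it as enabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1

    # Get-SmbServerConfiguration only exists on Windows 8 / Server 2012 and later.
    $cfg = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        RegistrySMB1       = if ($null -eq $reg) { 'not set (OS default)' } else { $reg }
        EnableSMB1Protocol = if ($null -eq $cfg) { 'cmdlet unavailable' } else { $cfg }
    }
}

function Get-PatchState {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates by id. A later rollup that supersedes
    # the original update shows up under its own id, not the original one.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

# The two results are independent: the update can be installed while SMBv1
# is still enabled, and a scanner may be flagging either condition.
'SMBv1 server configuration:'
Get-Smb1ServerState | Format-List
'Update state:'
Get-PatchState -KbIds $Ms17010Kbs | Format-Table -AutoSize
```

Comparing this output with the text of the scanner finding shows whether the plugin keys on the missing update or on SMBv1 being enabled.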
