
After 5.3.6 upgrade, seeing a lot of CVE-2017-0016 alarms

M.Bart

Applied this hotfix today and immediately started getting alarms for SMB Excessive Tree Connect Response - DoS Attempt (CVE-2017-0016). There isn't a whole lot available to look through on these, no references in the alarm and not a whole lot of interesting stuff could be found on a quick Google search.

My alarms seem to involve a variety of hosts and I'm suspecting this is simply a false positive post upgrade.

Has anyone else seen this occur or have any helpful insight into this alarm/bulletin?

Thanks in advance.


Answers

  • We are as well on several clients.
  • Everyone should be seeing this; it's essentially a zero-day at this point that makes you vulnerable to DoS using SMB. There is no patch from Microsoft yet, so the only thing you can do is ensure the ports are blocked externally and write a temporary policy to suppress the alarms in USM.
  • Also seeing this after applying 5.3.6.
  • Are there any further updates on whether this is to be expected?
  • Hey guys - this was caused by a new rule we added to our Threat Intelligence. We have already pushed a new version of the feed to prevent this from firing so much. Please make sure you have the latest version of Labs Threat Intelligence to prevent further noise.
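The pattern the original poster describes (a signature that starts firing across a variety of hosts the moment a sensor or feed update lands, with no single target being hammered) is the classic profile of a new or over-broad detection rule rather than a real DoS. The triage script below is an added example, not code from this thread or from the USM vendor: it reads an exported alarm list, counts each signature before and after an assumed change time, measures how many distinct hosts it spans, and flags signatures that look like rule-induced noise. The alarm lines, the field layout (`timestamp signature src dst`), the `UPGRADE_TIME` value and the thresholds in `likely_rule_noise` are all constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alarm export (not real USM output). Assumed field layout:
# "<YYYY-MM-DD HH:MM:SS> <signature name> <src ip> <dst ip>"
SAMPLE_ALARMS = """\
2017-03-01 07:55:02 Sample SSH Brute Force Signature 203.0.113.9 10.0.2.5
2017-03-01 09:03:11 SMB Excessive Tree Connect Response - DoS Attempt (CVE-2017-0016) 10.0.2.5 10.0.1.11
2017-03-01 09:03:40 SMB Excessive Tree Connect Response - DoS Attempt (CVE-2017-0016) 10.0.2.5 10.0.1.12
2017-03-01 09:04:02 SMB Excessive Tree Connect Response - DoS Attempt (CVE-2017-0016) 10.0.2.7 10.0.1.13
2017-03-01 09:05:19 SMB Excessive Tree Connect Response - DoS Attempt (CVE-2017-0016) 10.0.2.7 10.0.1.14
2017-03-01 09:06:44 SMB Excessive Tree Connect Response - DoS Attempt (CVE-2017-0016) 10.0.2.9 10.0.1.15
2017-03-01 09:08:01 SMB Excessive Tree Connect Response - DoS Attempt (CVE-2017-0016) 10.0.2.9 10.0.1.16
2017-03-01 09:09:30 SMB Excessive Tree Connect Response - DoS Attempt (CVE-2017-0016) 10.0.2.5 10.0.1.11
2017-03-01 09:12:05 Sample SSH Brute Force Signature 203.0.113.9 10.0.2.5
"""

# Assumed moment the upgrade / feed update was applied; alarms at or after it count as "after".
UPGRADE_TIME = datetime(2017, 3, 1, 9, 0, 0)

# Timestamp, then the signature name (may contain spaces and parentheses), then two IPv4 addresses.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$"
)


def parse_alarms(text):
    """Yield (timestamp, signature, src, dst) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4)


def summarize(text, change_time):
    """Per-signature alarm counts before/after change_time plus the distinct src and dst hosts."""
    stats = defaultdict(lambda: {"before": 0, "after": 0, "src": set(), "dst": set()})
    for ts, sig, src, dst in parse_alarms(text):
        s = stats[sig]
        s["after" if ts >= change_time else "before"] += 1
        s["src"].add(src)
        s["dst"].add(dst)
    return dict(stats)


def likely_rule_noise(stats, min_after=5, min_hosts=4, spike_ratio=10):
    """Return signatures whose volume appears only (or overwhelmingly) after the change
    and is spread over many destination hosts. That combination points at a new or
    over-broad rule in the feed; a genuine DoS attempt normally concentrates on a target.
    The thresholds are assumed defaults for the demo, not vendor values."""
    noisy = []
    for sig, s in stats.items():
        spread = len(s["dst"]) >= min_hosts
        spiked = s["after"] >= min_after and (
            s["before"] == 0 or s["after"] / s["before"] >= spike_ratio
        )
        if spread and spiked:
            noisy.append(sig)
    return sorted(noisy)


if __name__ == "__main__":
    stats = summarize(SAMPLE_ALARMS, UPGRADE_TIME)
    for sig, s in stats.items():
        print(f"{sig}: before={s['before']} after={s['after']} "
              f"src={len(s['src'])} dst={len(s['dst'])}")
    print("candidate rule noise:", likely_rule_noise(stats))
```

On the constructed data the SMB signature is flagged (seven alarms, all after the change, across six destination hosts) while the SSH signature is not (one alarm either side of the change, one host). A candidate flagged this way is the one to suppress with a temporary policy while you confirm with the feed vendor, which is exactly how this thread resolved; a signature that is absent from the list because it targets one host is the one that still deserves a look.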