SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#32650

Denial of Service Attack in NetBIOS Services

Overview

The NetBIOS Name Service (NBNS) provides a means for hostname and address mapping on a NetBIOS-aware network. The NetBIOS over TCP/IP protocols (including NBNS) are described in the Internet Engineering Task Force (IETF) Request for Comments RFC1001 and RFC1002. These protocols do not specify a method for authenticating communications, and as such, machines running NetBIOS services are vulnerable to spoofing attacks.

NetBIOS is a set of defined software interfaces for vendor-independent PC networking and is primarily used on Microsoft Windows computers. NetBIOS is enabled by default on Windows95 and Windows98 machines.

I. Description

An attacker sending spoofed "Name Release" or "Name Conflict" messages to a victim machine could force the victim to remove its own (legitimate) name from its name table and not respond to (or initiate) other NetBIOS requests. This renders the victim unable to communicate with other NetBIOS hosts, thus resulting in a denial-of-service attack.

II. Impact

An attacker can cause a victim's machine to refuse all NetBIOS network traffic, resulting in a denial of service.

III. Solution

Block NetBIOS services at the the network perimeter. NetBIOS services include
  • NetBIOS Name Service, 137/tcp and 137/udp
  • NetBIOS Datagram Service, 138/tcp and 138/udp
  • NetBIOS Session Service, 139/tcp and 139/udp
    Note that this prevents external hosts from sending NetBIOS Name Service traffic to internal machines, but it does not prevent local users from exploiting this vulnerability.

    Furthermore, the CERT/CC recommends that sites, even those which do not use NetBIOS services, block all ports unless they are explicitly needed.
  • For Windows NT and Windows 2000, apply the patches recommended in Microsoft Security Bulletin MS00-047:
    Note that no patch is being furnished for Win9x systems; Microsoft has publicly stated that patching these systems to disable name conflict resolution would cause more problems than it would help prevent, especially in networks with large numbers of Win9x systems.

Related Documentation

Systems Affected
VendorStatusDate Updated
MicrosoftVulnerable3-Nov-2000

References


http://pr0n.newhackcity.net/~sd/nbname.html
http://pr0n.newhackcity.net/~sd/netbios.html
http://www.cultdeadcow.com
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0673
http://www.defcon.org
http://www.fcw.com/fcw/articles/2000/0731/web-defcon-08-02-00.asp
http://www.ietf.org/rfc/rfc1001.txt
http://www.ietf.org/rfc/rfc1002.txt
http://www.ietf.org/html.charters/ipsec-charter.html
http://www.microsoft.com/technet/security/bulletin/ms00-047.asp
http://www.microsoft.com/technet/security/bulletin/fq00-047.asp
http://www.microsoft.com/TechNet/security/ipsecimp.asp
http://www.pgp.com/research/covert/advisories/044.asp
http://www.securityfocus.com/bid/1514
http://www.securityfocus.com/bid/1515
http://www.securityfocus.com/tools/1670

Credit

This document was written by Jeffrey P. Lanza and Chad Dougherty.

Other Information

Date Public07/27/2000
Date First Published09/26/2000 06:46:43 PM
Date Last Updated11/29/2000
CERT Advisory 
CVE-ID(s)CVE-2000-0673
NVD-ID(s)CVE-2000-0673
US-CERT Technical Alerts 
Metric8.10
Document Revision8

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2000 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader