Vulnerability Note VU#32650
Denial of Service Attack in NetBIOS Services
Overview
The NetBIOS Name Service (NBNS) provides a means for hostname and address mapping on a NetBIOS-aware network. The NetBIOS over TCP/IP protocols (including NBNS) are described in the Internet Engineering Task Force (IETF) Request for Comments RFC1001 and RFC1002. These protocols do not specify a method for authenticating communications, and as such, machines running NetBIOS services are vulnerable to spoofing attacks.
NetBIOS is a set of defined software interfaces for vendor-independent PC networking and is primarily used on Microsoft Windows computers. NetBIOS is enabled by default on Windows95 and Windows98 machines.
Description
An attacker sending spoofed "Name Release" or "Name Conflict" messages to a victim machine could force the victim to remove its own (legitimate) name from its name table and not respond to (or initiate) other NetBIOS requests. This renders the victim unable to communicate with other NetBIOS hosts, thus resulting in a denial-of-service attack. |
Impact
An attacker can cause a victim's machine to refuse all NetBIOS network traffic, resulting in a denial of service. |
Solution
Block NetBIOS services at the the network perimeter. NetBIOS services include
Furthermore, the CERT/CC recommends that sites, even those which do not use NetBIOS services, block all ports unless they are explicitly needed.
http://www.microsoft.com/technet/security/bulletin/fq00-047.asp
|
Related Documentation For additional information on securing Windows systems, see the following CERT/CC Tech Tips: Windows 95/98 Computer Security Information Windows NT Configuration Guidelines Windows NT Security and Configuration Resources RFC 1001, "Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods": http://www.ietf.org/rfc/rfc1001.txt RFC1002, "Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Detailed Specifications": http://www.ietf.org/rfc/rfc1002.txt |
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft | Vulnerable | - | 20 Apr 2002 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://pr0n.newhackcity.net/~sd/nbname.html
- http://pr0n.newhackcity.net/~sd/netbios.html
- http://www.cultdeadcow.com
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0673
- http://www.defcon.org
- http://www.fcw.com/fcw/articles/2000/0731/web-defcon-08-02-00.asp
- http://www.ietf.org/rfc/rfc1001.txt
- http://www.ietf.org/rfc/rfc1002.txt
- http://www.ietf.org/html.charters/ipsec-charter.html
- http://www.microsoft.com/technet/security/bulletin/ms00-047.asp
- http://www.microsoft.com/technet/security/bulletin/fq00-047.asp
- http://www.microsoft.com/TechNet/security/ipsecimp.asp
- http://www.pgp.com/research/covert/advisories/044.asp
- http://www.securityfocus.com/bid/1514
- http://www.securityfocus.com/bid/1515
- http://www.securityfocus.com/tools/1670
Credit
This document was written by Jeffrey P. Lanza and Chad Dougherty.
Other Information
- CVE IDs: CVE-2000-0673
- Date Public: 27 Jul 2000
- Date First Published: 26 Sep 2000
- Date Last Updated: 29 Nov 2000
- Severity Metric: 8.10
- Document Revision: 8
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify
