CERTVU:32650Denial of Service Attack in NetBIOS Services
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.059 Low
EPSS
Percentile
93.5%
Overview
The NetBIOS Name Service (NBNS) provides a means for hostname and address mapping on a NetBIOS-aware network. The NetBIOS over TCP/IP protocols (including NBNS) are described in the Internet Engineering Task Force (IETF) Request for Comments RFC1001 and RFC1002. These protocols do not specify a method for authenticating communications, and as such, machines running NetBIOS services are vulnerable to spoofing attacks.
NetBIOS is a set of defined software interfaces for vendor-independent PC networking and is primarily used on Microsoft Windows computers. NetBIOS is enabled by default on Windows95 and Windows98 machines.
Description
An attacker sending spoofed “Name Release” or “Name Conflict” messages to a victim machine could force the victim to remove its own (legitimate) name from its name table and not respond to (or initiate) other NetBIOS requests. This renders the victim unable to communicate with other NetBIOS hosts, thus resulting in a denial-of-service attack.
Impact
An attacker can cause a victim’s machine to refuse all NetBIOS network traffic, resulting in a denial of service.
Solution
Block NetBIOS services at the the network perimeter. NetBIOS services include
* NetBIOS Name Service, 137/tcp and 137/udp
* NetBIOS Datagram Service, 138/tcp and 138/udp
* NetBIOS Session Service, 139/tcp and 139/udp
Note that this prevents external hosts from sending NetBIOS Name Service traffic to internal machines, but it does not prevent local users from exploiting this vulnerability.
Furthermore, the CERT/CC recommends that sites, even those which do not use NetBIOS services, block all ports unless they are explicitly needed.
* For Windows NT and Windows 2000, apply the patches recommended in Microsoft Security Bulletin MS00-047:
<http://www.microsoft.com/technet/security/bulletin/ms00-047.asp>
<http://www.microsoft.com/technet/security/bulletin/fq00-047.asp>
Note that no patch is being furnished for Win9x systems; Microsoft has publicly stated that patching these systems to disable name conflict resolution would cause more problems than it would help prevent, especially in networks with large numbers of Win9x systems.
* Use IPSec to help secure internal IP communication. Information about configuring IPSec in Windows 2000 can be found at
<http://www.microsoft.com/WINDOWS2000/library/planning/security/ipsecsteps.asp>
<http://www.microsoft.com/WINDOWS2000/library/howitworks/security/ip_security.asp>
Related Documentation
For additional information on securing Windows systems, see the following CERT/CC Tech Tips:
Windows 95/98 Computer Security InformationWindows NT Configuration GuidelinesWindows NT Security and Configuration Resources
RFC 1001, “Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods”:
<http://www.ietf.org/rfc/rfc1001.txt>
RFC1002, “Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Detailed Specifications”:
<http://www.ietf.org/rfc/rfc1002.txt>
Vendor Information
32650
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Microsoft Affected
Updated: November 03, 2000
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%2332650 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://pr0n.newhackcity.net/~sd/nbname.html>
- <http://pr0n.newhackcity.net/~sd/netbios.html>
- <http://www.cultdeadcow.com>
- <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0673>
- <http://www.defcon.org>
- <http://www.fcw.com/fcw/articles/2000/0731/web-defcon-08-02-00.asp>
- <http://www.ietf.org/rfc/rfc1001.txt>
- <http://www.ietf.org/rfc/rfc1002.txt>
- <http://www.ietf.org/html.charters/ipsec-charter.html>
- <http://www.microsoft.com/technet/security/bulletin/ms00-047.asp>
- <http://www.microsoft.com/technet/security/bulletin/fq00-047.asp>
- <http://www.microsoft.com/TechNet/security/ipsecimp.asp>
- <http://www.pgp.com/research/covert/advisories/044.asp>
- <http://www.securityfocus.com/bid/1514>
- <http://www.securityfocus.com/bid/1515>
- <http://www.securityfocus.com/tools/1670>
Acknowledgements
This document was written by Jeffrey P. Lanza and Chad Dougherty.
Other Information
| CVE IDs: | CVE-2000-0673 |
|---|---|
| Severity Metric: | 8.10 Date Public: |
References
pr0n.newhackcity.net/~sd/nbname.html
pr0n.newhackcity.net/~sd/netbios.html
www.cultdeadcow.com
www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0673
www.defcon.org
www.fcw.com/fcw/articles/2000/0731/web-defcon-08-02-00.asp
www.ietf.org/html.charters/ipsec-charter.html
www.ietf.org/rfc/rfc1001.txt
www.ietf.org/rfc/rfc1002.txt
www.microsoft.com/technet/security/bulletin/fq00-047.asp
www.microsoft.com/technet/security/bulletin/ms00-047.asp
www.microsoft.com/TechNet/security/ipsecimp.asp
www.pgp.com/research/covert/advisories/044.asp
www.securityfocus.com/bid/1514
www.securityfocus.com/bid/1515
www.securityfocus.com/tools/1670
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.059 Low
EPSS
Percentile
93.5%