-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Network Associates, Inc. COVERT Labs Security Advisory July 27, 2000 Windows NetBIOS Name Conflicts COVERT-2000-09
The Microsoft Windows implementation of NetBIOS allows an unsolicited UDP datagram to remotely deny access to services offered by registered NetBIOS names. An attacker can remotely shut down all Domain Logins, the ability to access SMB shares, and NetBIOS name resolution services.
RISK FACTOR: MEDIUM
o Vulnerable Systems
All versions of Microsoft Windows 95, 98, NT and 2000.
o Vulnerability Information
NetBIOS Name Conflicts, defined in RFC 1001 (18.104.22.168), occur when a unique NetBIOS name has been registered by more than one node. Under normal circumstances, name conflicts are detected during the NetBIOS name discovery process. In other words, a NetBIOS name should only be marked in conflict when an end node is actively resolving a NetBIOS name.
The delivery of an unsolicited NetBIOS Conflict datagram to any Microsoft Windows operating system will place a registered NetBIOS name into a conflicted state. Conflicted NetBIOS names are effectively shut down since they can not respond to name discovery requests or be used for session establishment, sending, or receiving NetBIOS datagrams.
The security implications of conflicting a NetBIOS name depend upon the NetBIOS name affected. If the NetBIOS names associated with the Computer Browser service are conflicted, utilities such as Network Neighborhood may become unusable. If the Messenger Service is affected, the "net send" command equivalents are unusable. If NetLogon is conflicted, Domain logons can not be authenticated by the affected server, thus allowing an attacker to systematically shutdown the NetLogon service on all domain controllers in order to deny domain services. Finally, conflicting the Server and Workstation Services will stop access to shared resources and many fundamental NetBIOS services such as NetBIOS name resolution.
Microsoft has released a patch for this vulnerability. The patch can be found at:
Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23370
Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition: Patch to be released shortly.
Windows NT 4.0 Server, Terminal Server Edition: Patch to be released shortly.
For more information, their security bulletin can be found at: http://www.microsoft.com/technet/security/bulletin/MS00-047.asp
The discovery and documentation of this vulnerability was conducted by Anthony Osborne at the COVERT Labs of PGP Security, Inc.
o Contact Information
For more information about the COVERT Labs at PGP Security, visit our website at http://www.nai.com/covert or send e-mail to firstname.lastname@example.org
o Legal Notice
The information contained within this advisory is Copyright (C) 2000 Networks Associates Technology Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way.
Network Associates and PGP are registered Trademarks of Network Associates, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
-----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1 Comment: Crypto Provided by Network Associates <http://www.nai.com>
iQA/AwUBOYDsbqF4LLqP1YESEQLuLACdFW/9dODsn3NPDhs4va5+UclXTkoAn1Bq NGD/X09Kb3DKZN5z1FqWiShT =22G/ -----END PGP SIGNATURE-----