Reported August 30, 2000 by
Anthony Osborne of COVERT Labs at PGP Security

VERSIONS AFFECTED
  • Microsoft Windows 95, 98, NT 4.0, and 2000

DESCRIPTION

A
ll Windows platforms are vulnerable to NetBIOS cache corruption via unicast or broadcast UDP datagrams. The overall effect is that an attacker could launch a man-in-the-middle attack (among other activities) by corrupting the cache with altered NetBIOS Name-to-IP address mappings.

VENDOR RESPONSE

Microsoft is aware of this problem, however according to the discoverers, the company will not issue a patch for this problem because it feels the problem resides in the unauthenticated nature of the NetBIOS protocol.

The discoverers recommend that should protect against unwanted NetBIOS cache changes by performing one fo the following actions:

  • Block NetBIOS TCP and UDP ports (135-139, and 445) at all network borders.
  • Do not rely on NetBIOS to perform hostname-to-IP address lookups.
  • Disable all services that register a NetBIOS name as seen with the "nbtstat -n" command. Be sure to unbind the "WINS Client" and other related services that employ NetBIOS.
  • Upgrade to Windows 2000 and disable "NetBIOS Over TCP/IP" functionality

CREDIT
Discovered by Anthony Osborne of COVERT Labs at PGP Security