Archive Date
[ 21-02-2005 ]
Category
[ Information Technologies ]
Sub-Category
[ Microsoft ]
MS00-047: NetBIOS Vulnerability May Cause Duplicate Name on the Network Conflicts (Q269239)
The information in this article applies to:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows NT Server, Enterprise Edition version 4.0
Microsoft Windows NT Workstation version 4.0
Microsoft Windows NT Server version 4.0
Microsoft Windows NT Server version 4.0, Terminal Server Edition
Microsoft Windows Millennium Edition
Microsoft Windows 98 Second Edition
Microsoft Windows 98
Microsoft Windows 95
IMPORTANT : This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.
SYMPTOMS
Microsoft has released a patch that improves the ability of an administrator to protect against denial-of-service attacks against Windows NT 4.0 and Windows 2000-based computers.
The NetBIOS over TCP/IP (NBT) protocols are, by design, unauthenticated and therefore vulnerable to "spoofing." A malicious user could misuse the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer to cause it to relinquish its name and stop responding to queries.
Upon receiving an unsolicited name-conflict datagram, the computer stops responding to the NetBIOS name that is in conflict, and it may display an error message stating that a duplicate name exists on the network. Also, the affected computer may experience one or more of the following symptoms:
Intermittent Connectivity Issues
The computer may have intermittent issues communicating with another computer.
NetBIOS Name Service Conflicts
Tools such as Network Neighborhood do not work.
net send command equivalents do not work.
Domain logons are not authenticated by the affected server. You may be unable to obtain access to shared resources and to fundamental NetBIOS services, such as NetBIOS name resolution.
Also, the nbtstat -n command may display a status of "Conflict" next to the NetBIOS name service.
This patch changes the behavior of Windows to accept a name conflict datagram only in direct response to a name registration attempt.
CAUSE
Intermittent Connectivity Issues
A computer receives and then caches an unsolicited NetBT Datagram Service datagram in its remote NetBIOS name cache with the TCP/IP address specified in the unsolicited datagram.
Datagram Service datagrams are used to transport data between different computers, and they are sent and received by NetBT only over UDP port 138.
NetBIOS Name Service Conflicts
A computer receives a Name Service datagram with an unsolicited negative name registration response for a name that is registered locally. For example, the following list describes some NetBIOS name services that can be affected by this issue:
Computer Browser Service name conflicts can render tools such as Network Neighborhood unusable.
Messenger Service name conflicts can render net send command equivalents unusable.
NetLogon Service name conflicts can deny domain services.
Server Service and Workstation Service name conflicts can deny access to shared resources.
Name Service datagrams are used primarily to register and resolve names on the network, and they are sent and received by NetBT and WINS only over TCP/UDP port 137.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, please see the following article in the Microsoft Knowledge Base:
Q260910 How to Obtain the Latest Windows 2000 Service Pack
WARNING : Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).
To resolve these issues, use the appropriate method:
Intermittent Connectivity Issues
Apply the appropriate hotfix listed later in this article for the operating system affected by this issue. In addition, preload sensitive NetBIOS names in the Lmhosts file, which causes NetBIOS to discard packets that attempt to overwrite the cache entry of Lmhosts preloaded names, preserving their address mapping.
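The following audit of an Lmhosts file is an added example, not part of the original article. It reports which sensitive names are not preloaded with the #PRE keyword; the sample file contents, names, and addresses are constructed, and only the upper-case keyword forms are recognized.

```python
import re

# IP address, then a NetBIOS name (quoted names may contain spaces), then the rest.
ENTRY = re.compile(r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+("[^"]*"|\S+)(.*)$')
BARE_KEYWORDS = {"#PRE", "#MH", "#NOFNR"}
KEYWORD_PREFIXES = ("#DOM:", "#SG:")          # keywords that carry an argument

def preloaded_names(lmhosts_text):
    """Map NAME -> IP for every entry that carries the #PRE keyword."""
    found = {}
    for line in lmhosts_text.splitlines():
        m = ENTRY.match(line)
        if not m:                  # blank line, comment, or #INCLUDE-style directive
            continue
        ip, name, rest = m.groups()
        preload = False
        for token in rest.split():
            if token == "#PRE":
                preload = True
            elif token in BARE_KEYWORDS or token.startswith(KEYWORD_PREFIXES):
                continue
            elif token.startswith("#"):
                break              # free-text comment: a "#PRE" inside it does not count
        if preload:
            # Quoted names are kept verbatim; unquoted names are case-insensitive.
            key = name.strip('"') if name.startswith('"') else name.upper()
            found[key] = ip
    return found

def missing_preload(lmhosts_text, sensitive_names):
    """Return the sensitive names that have no #PRE entry, sorted."""
    loaded = preloaded_names(lmhosts_text)
    return sorted(n for n in sensitive_names if n.upper() not in loaded)

# Constructed sample file (documentation addresses, hypothetical host names).
SAMPLE_LMHOSTS = """\
# constructed sample
192.0.2.10   DC01      #PRE #DOM:CORP   # domain controller
192.0.2.20   FILESRV1                   # TODO add #PRE
192.0.2.30   wins01    #PRE
#192.0.2.40  OLDSRV    #PRE
"""

if __name__ == "__main__":
    for name in missing_preload(SAMPLE_LMHOSTS, ["DC01", "FILESRV1", "WINS01"]):
        print("not preloaded:", name)
```

After adding #PRE entries, running nbtstat -R reloads the remote name cache from the Lmhosts file.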
NetBIOS Name Service Conflicts
Apply the appropriate hotfix for the operating system affected by this issue, which causes unsolicited name registration responses that do not originate from a Windows Internet Name Service (WINS) server that the computer is registered with to be ignored.
NOTE : For this issue, the hotfix only works if the affected computer is configured to use WINS.
IMPORTANT : Microsoft recommends that this hotfix only be applied to computers that specifically require it, that is, computers that play a central role in the network and that the administrator judges could be a target for such an attack. Microsoft does not recommend that you apply this hotfix globally without testing it in a specific environment.
Follow these steps:
1. Use Registry Editor (Regedt32.exe) to view the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
2. Modify the following registry value, or add the value if it does not exist:
Value name: NoNameReleaseOnDemand
Value type: REG_DWORD-Boolean
Value data: 0, 1 (False, True)
Default: 0 (False)
Recommendation: 1
Description: This parameter determines whether the computer releases its NetBIOS name when it receives a name-release request from the network. It was added to permit the administrator to protect the computer against malicious name-release attacks.
Windows 2000
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, please see the following article in the Microsoft Knowledge Base:
Q260910 How to Obtain the Latest Windows 2000 Service Pack
The following file is available for download from the Microsoft Download Center:
Download Q269239_W2K_SP2_x86_en.exe now
For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. Once posted, the file is housed on secure servers that prevent any unauthorized changes to the file.
The English version of this fix should have the following file attributes or later:
Date        Time       Version        Size     File name
--------------------------------------------------------
07/20/2000  4:09:13pm  5.0.2195.2103  142,832  Netbt.sys
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
Q249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Windows NT 4.0
To resolve this problem, obtain the individual package referenced below or obtain the Windows NT 4.0 Security Rollup Package. For additional information on the SRP, click the article number below to view the article in the Microsoft Knowledge Base:
Q299444 Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)
The following file is available for download from the Microsoft Download Center:
Download Q269239i.exe now
The English version of this fix should have the following file attributes or later:
Date        Time    Size     File name  Platform
-----------------------------------------------------
08/29/2000  4:39pm  123,600  Netbt.sys  x86
Windows NT Server 4.0, Terminal Server Edition
A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems experiencing this specific problem.
To resolve this problem, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:
http://support.microsoft.com/directory/overview.asp
NOTE : In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The following file is available for download from the Microsoft Download Center:
Download Q269239i.exe now
The English version of this fix should have the following file attributes or later:
Date        Time    Size     File name  Platform
-----------------------------------------------------
08/29/2000  06:23p  123,536  Netbt.sys  x86
Windows Millennium Edition
As of August 14, 2000, there is no hotfix available for this operating system.
To work around these issues, configure a firewall to block ports 137-139, which keeps external users from exploiting this NetBIOS vulnerability.
You can also work around the NetBIOS name-service conflict issue by performing an operation that causes the TCP/IP stack to remove and then resend TCP/IP address notifications. You can trigger this by using one of the following methods:
If the affected computer is a Dynamic Host Configuration Protocol (DHCP) client, release and then renew the TCP/IP address.
Force a media disconnect on the affected network adapter, and then reconnect it.
Restart the computer.
Windows 95, Windows 95 OSR 2, Windows 98, and Windows 98 Second Edition
The English version of this fix should have the following file attributes or later:
Date        Time    Version    Size    File Name  Platform
-------------------------------------------------------------------------
07/31/2000  11:11a  4.10.1659  87,769  Vnbt.386   Windows 95, all versions
07/10/2000  11:23a  4.10.1721  87,749  Vnbt.386   Windows 98
07/10/2000  11:36a  4.10.2149  90,893  Vnbt.386   Windows 98 Second Edition
STATUS
This behavior is by design. This problem was first corrected in Windows 2000 Service Pack 2.
MORE INFORMATION
For more information, please see the following Microsoft Security Bulletin:
http://www.microsoft.com/technet/security/bulletin/MS00-047.asp
The NetBIOS over TCP/IP protocols are unauthenticated by design, and therefore are vulnerable to "spoofing." This vulnerability does not result from a product flaw in any of the affected operating systems; it is simply an outcome of the nature of the industry-standard protocol being used. A malicious user could misuse the unauthenticated nature of the protocol to send a Name Service datagram to a target computer, causing it to relinquish its name and stop responding to queries.
NetBIOS name conflicts specified in RFC 1001 (section 15.1.3.5) occur when a unique NetBIOS name is registered by more than one node. Under typical circumstances, name conflicts are detected during the NetBIOS name discovery process; a NetBIOS name should only be marked in conflict when an end node is actively resolving a NetBIOS name.
The delivery of an unsolicited NetBIOS Name Service datagram to a computer that is running any of the Microsoft Windows operating systems listed earlier in this article places a registered NetBIOS name into a conflicted state. Conflicted NetBIOS names are effectively shut down because they are unable to respond to name discovery requests, to be used for session establishment, or to be used for sending and receiving NetBIOS datagrams.
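The acceptance rule the hotfix applies (a negative name registration response counts only when it answers the computer's own registration attempt and comes from a WINS server the computer is registered with) can also be used as passive detection logic. The sketch below is an added example, not Microsoft's code; it inspects only the 12-byte RFC 1002 Name Service header, and the addresses, transaction IDs, and sample headers are constructed.

```python
import struct

OP_REGISTRATION = 5                           # RFC 1002 OPCODE: name registration
RCODE_NAMES = {6: "ACT_ERR", 7: "CFT_ERR"}    # active error / name in conflict

def parse_header(data):
    """Return (txid, is_response, opcode, rcode) from a 12-byte NBNS header."""
    if len(data) < 12:
        raise ValueError("NBNS header is 12 bytes")
    txid, flags = struct.unpack("!HH", data[:4])
    return txid, bool(flags >> 15), (flags >> 11) & 0xF, flags & 0xF

class NameServiceMonitor:
    def __init__(self, wins_servers):
        self.wins_servers = set(wins_servers)  # WINS servers this host registers with
        self.pending = set()                   # txids of our own open registrations

    def sent(self, data):
        """Record a registration request this host put on the wire."""
        txid, is_response, opcode, _ = parse_header(data)
        if not is_response and opcode == OP_REGISTRATION:
            self.pending.add(txid)

    def received(self, src_ip, data):
        """Classify an inbound datagram the way the patched stack would treat it."""
        txid, is_response, opcode, rcode = parse_header(data)
        if not (is_response and opcode == OP_REGISTRATION and rcode != 0):
            return "not-a-negative-registration-response"
        if txid not in self.pending:
            return "ALERT unsolicited"
        if src_ip not in self.wins_servers:
            return "ALERT not-from-wins"       # keep txid pending for the real reply
        self.pending.discard(txid)
        return "accept " + RCODE_NAMES.get(rcode, str(rcode))

def constructed_header(txid, flags):
    """Constructed sample input: header only, all section counts zero."""
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    mon = NameServiceMonitor({"192.0.2.10"})           # constructed WINS address
    mon.sent(constructed_header(0x1234, 0x2910))       # our registration request
    reply = constructed_header(0x1234, 0xAD87)         # response, RCODE = CFT_ERR
    for src in ("192.0.2.99", "192.0.2.10", "192.0.2.10"):
        print(src, mon.received(src, reply))
```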
For unprotected names (names that are not preloaded in the Lmhosts file), only communication with the name whose TCP/IP address is modified by the unsolicited datagram is affected; this name is flushed from the NetBIOS cache within 5 seconds. To keep the remote name cache corrupted, the suspected attacker needs to send a stream of unsolicited datagrams, risking exposing his or her identity.
Customers who need 100 percent protection against "spoofing" attacks may want to consider using IP Security Protocol (IPSec) in Windows 2000 to establish authenticated sessions over ports 137-139.
Under some circumstances, this fix may cause NetBT to log several 4320 errors in the system event log, which may look confusing to the user. These errors occur because other machines broadcast release requests for common group names to the subnet during shutdown when 'b node' or improperly configured 'h node' machines are on the same subnet.
For additional information about Windows 95 hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:
Q161020 Implementing Windows 95 Updates
For additional information about Windows 98 and Windows 98 Second Edition hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:
Q206071 General Information on Windows 98 and SE Hotfixes
| Published | Jul 31 2000 4:10AM | Issue Type | kbbug |
| Last Modified | Mar 20 2002 9:04PM | Additional Query Words | security_patch |
| Keywords | kbnetwork kbSecurity kbWinNT400PreSP7Fix kbWin2000PreSP2Fix kbWin2000SP2Fix kbgraphxlinkcritical |