COMMAND

    NetBIOS

SYSTEMS AFFECTED

    All versions of Microsoft Windows 95, 98, NT and 2000

PROBLEM

    Following  is  based  on  COVERT  Labs  Security  Advisory.    The
    Microsoft Windows implementation of NetBIOS allows an  unsolicited
    UDP  datagram  to  remotely  deny  access  to  services offered by
    registered NetBIOS names.  An attacker can remotely shut down  all
    Domain Logins, the ability to access SMB shares, and NetBIOS  name
    resolution services.

    NetBIOS Name Conflicts, defined in RFC 1001 (15.1.3.5), occur when
    a unique NetBIOS name has  been registered by more than  one node.
    Under normal circumstances, name conflicts are detected during the
    NetBIOS name discovery  process.  In  other words, a  NetBIOS name
    should only  be marked  in conflict  when an  end node is actively
    resolving a NetBIOS name.

    The delivery of  an unsolicited NetBIOS  Conflict datagram to  any
    Microsoft Windows operating system will place a registered NetBIOS
    name  into  a  conflicted  state.   Conflicted  NetBIOS  names are
    effectively shut down since they can not respond to name discovery
    requests  or  be  used  for  session  establishment,  sending,  or
    receiving NetBIOS datagrams.

    The security  implications of  conflicting a  NetBIOS name  depend
    upon the NetBIOS name affected.   If the NetBIOS names  associated
    with the Computer Browser  service are conflicted, utilities  such
    as Network  Neighborhood may  become unusable.   If the  Messenger
    Service  is  affected,  the  "net  send"  command  equivalents are
    unusable.   If NetLogon  is conflicted,  Domain logons  can not be
    authenticated by  the affected  server, thus  allowing an attacker
    to  systematically  shutdown  the  NetLogon  service on all domain
    controllers  in   order  to   deny  domain   services.    Finally,
    conflicting the Server and  Workstation Services will stop  access
    to shared resources and many fundamental NetBIOS services such  as
    NetBIOS name resolution.

SOLUTION

    Microsoft has released a patch for this vulnerability.  The  patch
    can be found at:

        Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23370
        Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition:  Patch to be released shortly.
        Windows NT 4.0 Server, Terminal Server Edition: Patch to be released shortly.