Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows NT 4.0 and a recommended workaround for Windows 95, 98, 98 Second Edition, and Windows Me. The vulnerability allows a malicious user to temporarily prevent an affected machine from providing any networking services or cause it to stop responding entirely.
Credit:
The information has been provided by Microsoft Product Security.
Affected Software Versions:
* Windows NT 4.0
* Windows 95, 98, 98 Second Edition, and Windows Me
Immune systems:
Windows 2000 is not affected by this vulnerability.
A denial of service vulnerability affects Windows NT 4.0, Windows 95, 98, 98 Second Edition and Windows Me. By sending a stream of specially malformed TCP/IP packets to a victim's machine, a malicious user could cause either of two effects. In the most likely case, the packets would temporarily prevent any networking resources on the affected computer from responding to client requests; as soon as the packets stopped arriving, the machine would resume normal operation. In a less likely case, the system could hang and remain unresponsive until it was rebooted.
This vulnerability could only be exploited if TCP port 139 was open on the target machine. If the server service or File/Print sharing were disabled on a computer it would not be susceptible to this vulnerability.
Patch Availability:
* Microsoft Windows NT 4.0 (Intel):
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25114
Note: The patch has been tested on a Windows NT 4.0 computer with Service Pack 6a.
* Windows 95, 98, 98 Second Edition, and Windows Me:
Microsoft recommends a workaround rather than a patch for computers running Windows 95, 98, 98 Second Edition and Windows Me. Please see KB article Q199346 for more details.
What's the scope of the vulnerability?
This is a Denial of Service vulnerability that could be exploited to achieve either of two effects. In the most likely scenario, a malicious user could use the vulnerability to temporarily cause the networking services on an affected machine to stop responding to client requests during an attack. Networking services would return to normal once an attack has terminated. In a very small percentage of cases, the attack could cause the system to hang, requiring that it be rebooted.
The vulnerability does not affect Windows 2000. Even in affected systems, the vulnerability only occurs if the Server service or File/Printer Sharing is enabled.
What causes the vulnerability?
A flaw exists in the implementation of the NetBIOS over TCP/IP (NBT) protocol in Windows NT 4.0, Windows 95, 98, 98 Second Edition, and Windows Me. If a malicious user sent a large number of network packets with a specific type of malformation, it could cause an affected system to temporarily stop responding to all network requests, or possibly hang altogether.
What is NetBIOS, and what is NBT?
NetBIOS is a set of networking services for PC networking. NetBIOS can be implemented atop a number of different networking protocols, and there is a standard that describes how the services will be implemented for each case. NBT is the protocol standard that describes how NetBIOS services are provided on a TCP/IP network.
For more information on NetBIOS over TCP/IP please see RFC 1001.
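The name encoding and session setup that RFC 1001 and RFC 1002 define are small enough to show in full, and they are also what a practitioner needs to verify the precondition noted above (TCP port 139 open with the NBT session service answering). The following Python is an added example written for this page; it is not Microsoft's code and not the "malicious client tool" the bulletin mentions. It encodes NetBIOS names (first-level nibble-to-letter encoding, then the second-level label form with its length byte and zero terminator), builds an RFC 1002 Session Request (TYPE 0x81), parses the four-byte session header, and optionally connects to a host to see what response type the session service returns. The called name *SMBSERVER (the generic called name NT-era servers accept) and the calling name PROBE are the example's own choices. It sends only a well-formed request; the bulletin does not describe the malformed packets, and none are constructed here.

```python
import socket
import struct

# RFC 1002 session service: TCP port 139, packet types used below.
NBT_SESSION_PORT = 139
SESSION_REQUEST = 0x81
POSITIVE_SESSION_RESPONSE = 0x82
NEGATIVE_SESSION_RESPONSE = 0x83


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """Encode a NetBIOS name as the 34-byte second-level form of RFC 1001 s14.

    First level: the 15-character name (space padded) plus a one-byte suffix
    is split into nibbles and each nibble is added to 'A' (0x41), giving 32
    letters in the range 'A'..'P'.  Second level: a length byte (0x20), the
    32 letters, and a terminating zero, i.e. a one-label DNS-style name.
    """
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    label = bytearray()
    for b in raw:
        label.append(0x41 + (b >> 4))
        label.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(label) + b"\x00"


def decode_netbios_name(encoded: bytes):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 34 or encoded[0] != 32 or encoded[-1] != 0:
        raise ValueError("not a second-level encoded NetBIOS name")
    label = encoded[1:33]
    if any(c < 0x41 or c > 0x50 for c in label):
        raise ValueError("label contains characters outside 'A'..'P'")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_session_request(called: str, calling: str,
                          called_suffix: int = 0x20, calling_suffix: int = 0x00) -> bytes:
    """RFC 1002 s4.3.2 Session Request: header + CALLED_NAME + CALLING_NAME."""
    body = encode_netbios_name(called, called_suffix) + encode_netbios_name(calling, calling_suffix)
    # Header: TYPE (1 byte), FLAGS (1 byte, bit 0 = length extension), LENGTH (2 bytes).
    return struct.pack("!BBH", SESSION_REQUEST, 0, len(body)) + body


def parse_session_header(data: bytes):
    """Return (type, length) from the 4-byte session header, honouring the extension bit."""
    if len(data) < 4:
        raise ValueError("short session header")
    ptype, flags, length = struct.unpack("!BBH", data[:4])
    if flags & 0x01:
        length |= 0x10000
    return ptype, length


def probe_session_service(host: str, timeout: float = 3.0):
    """Live check: does an NBT session service answer on TCP 139?

    Returns the response TYPE (0x82 positive, 0x83 negative, ...) or None if
    the port is closed, filtered, or the peer does not answer in time.
    """
    request = build_session_request("*SMBSERVER", "PROBE")  # names chosen for this example
    try:
        with socket.create_connection((host, NBT_SESSION_PORT), timeout=timeout) as sock:
            sock.sendall(request)
            header = sock.recv(4)
    except OSError:
        return None
    if len(header) < 4:
        return None
    return parse_session_header(header)[0]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    rtype = probe_session_service(target)
    if rtype is None:
        print(f"{target}: no NBT session service reachable on TCP 139")
    else:
        print(f"{target}: session service answered with type 0x{rtype:02x}")
```

A positive (0x82) or negative (0x83) session response both mean the NBT implementation is listening and parsing requests, which is the exposure the bulletin describes; a connection refused or timed out means the Server service or File and Printer Sharing is off, or a firewall is blocking the port.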
Is this a flaw in the NBT protocol?
No. The vulnerability results from an implementation error in certain systems. Other systems, such as Windows 2000, provide implementations of the protocol that are not affected by the vulnerability.
What is the problem with the NBT implementation in the affected systems?
There is a flaw in the way the NBT implementation handles a particular type of invalid data packet. If a series of such packets were directed at an affected system, it could prevent it from providing useful service.
What would be the effect of sending the malformed packets to the server?
There are primarily two effects of this vulnerability once a machine is affected. The most likely scenario is the machine will stop responding to any client network requests. The less likely scenario is a complete resource drain that would necessitate rebooting the machine to resume normal operation.
You said that the attacker has to send a series of malformed packets. Is this a flooding attack?
No. In a flooding attack, there is a rough correlation between the resources the attacker must spend and the resources consumed on the target machine. For instance, in a flooding attack against a web server, the attacker might have to dedicate one machine for every server he wanted to attack. In contrast, a denial of service attack that exploits a flaw usually involves a multiplier effect of some kind: the attacker must dedicate far fewer resources than he consumes on the target machine.
In this case, there is a multiplier effect, but it's not particularly large. The attacker would need to continually send malformed packets to the server, but not at a particularly high rate. In addition, as discussed above, in some cases the packets can cause the server to fail altogether.
Who could exploit this vulnerability?
Any malicious user who has access to the NBT port on a victim machine could exploit this vulnerability. If an affected machine were directly connected to the Internet, a malicious user located on the Internet could exploit the vulnerability. If a machine on a corporate intranet were protected by a properly configured firewall that blocked the NBT ports, only an intranet user would be able to attack it.
Note: If File and Printer sharing were disabled on a Windows 9x or Windows Me computer, it would not be affected by this vulnerability. Though enabled by default under certain configurations, Microsoft recommends that File and Printer sharing be disabled on Windows 9x or Windows Me machines that are directly connected to the Internet.
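Because the attack is a sustained stream of packets to the NBT session port at a modest rate rather than a bandwidth flood, a firewall or packet-filter log that records connections to TCP 139 is enough to spot it, and a blocked NBT port at the perimeter removes Internet-side exposure altogether. The detector below is an added example, not part of Microsoft's bulletin: it parses a constructed log format (assumed here; adapt the regular expression to your own firewall's output), counts packets per source to the NBT ports in a sliding 60-second window, and reports sources that keep a steady stream going. The addresses, timestamps and the 20-packet threshold are assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# NBT ports from RFC 1001/1002: 137 name service, 138 datagram service, 139 session service.
NBT_PORTS = {137, 138, 139}

# Assumed firewall log format (constructed for this example):
#   <ISO timestamp> <ACTION> <PROTO> <src ip>:<port> -> <dst ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) for a line that matches the format, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_nbt_floods(lines, window: timedelta = timedelta(seconds=60), threshold: int = 20):
    """Sources whose packets to NBT ports reach `threshold` inside any one `window`.

    Returns {src: peak_count}.  The flaw needs a continuous stream at a modest
    rate, so the check is on count per window, not on packets per second.
    """
    events = [e for e in map(parse_line, lines) if e and e[3] in NBT_PORTS]
    events.sort(key=lambda e: e[0])            # logs are not always in order
    recent = defaultdict(deque)                 # src -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, src, _dst, _dport in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:               # expire entries that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def constructed_log():
    """Constructed sample: one host hits port 139 every 2 s for a minute, a
    legitimate client connects three times in an hour, plus one unrelated HTTP hit."""
    base = datetime(2000, 11, 30, 10, 15, 0)
    lines = [
        f"{(base + timedelta(seconds=2 * i)).isoformat()} ACCEPT TCP 192.0.2.10:{3000 + i} -> 198.51.100.20:139"
        for i in range(30)
    ]
    lines += [
        f"{(base + timedelta(minutes=15 * i)).isoformat()} ACCEPT TCP 198.51.100.7:{4000 + i} -> 198.51.100.20:139"
        for i in range(3)
    ]
    lines.append(f"{base.isoformat()} ACCEPT TCP 192.0.2.10:3999 -> 198.51.100.20:80")
    return lines


if __name__ == "__main__":
    for src, n in find_nbt_floods(constructed_log()).items():
        print(f"{src}: {n} packets to NBT ports inside one window; candidate for a firewall block")
```

On the constructed sample only 192.0.2.10 is reported; the legitimate client never accumulates more than one connection per window. Run against a real log, the same sliding-window count separates a slow, continuous stream (what this flaw needs) from normal file-sharing traffic, which arrives in short bursts.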
Why isn't there a patch for the Windows 95, 98, 98 Second Edition, or Windows Me?
The vulnerability only affects computers with File and Printer sharing enabled. Microsoft recommends disabling the use of File and Printer sharing services on any Windows 9x or Windows Me machine directly connected to the Internet. Customers who need a robust file server solution should use either Windows NT 4.0 or Windows 2000. The risk is slightly lower for customers on an internal LAN, with a properly configured firewall that blocks incoming NBT ports, since only an attacker internal to the company's network could exploit the vulnerability.
File and Printer sharing on Windows 9x and Windows Me are best suited for controlled network environments. Home PCs or small businesses whose internal networks are not connected to the Internet or protected by a firewall can safely use this service with minimal risk.
Who should use the patch?
Microsoft recommends that anyone running Windows NT 4.0 should install this patch.
What does the patch do?
The patch eliminates the flaw in NBT and modifies how it handles the malformed packets that can be sent by a malicious client tool.
How do I use the patch?
Knowledge Base article Q275567 contains detailed instructions for applying the patch.