Subject: Re: [COVERT-2000-10] Windows NetBIOS Unsolicited Cache Corruption
From: Russ (Russ.CooperRC.ON.CA)
Date: Wed Aug 30 2000 - 13:59:33 CDT

NTBugtraq Advisory Editorial

I'm baffled at how a vulnerability over UDP138 could be deemed "HIGH RISK".

IMNSHO, any vulnerability that's thwarted from the Internet by virtue of
this ancient and daily-repeated phrase;

 o Block ports 135-139 and 445, both UDP and TCP, at your network
   perimeter to protect from external attackers.

Cannot possibly be deemed "HIGH RISK". Anyone who read the COVERT advisory
and did not know to disable these ports (or cannot disable these ports to
the Internet) and has a router should contact me immediately, I'd love to
know how many are in this position. While I have no doubt there are many
non-home networks that may not have these ports blocked, I don't believe
you're amongst the readership of NTBugtraq.

A "HIGH RISK" advisory to NTBugtraq should warrant the terminology, and this
one, IMO, doesn't even come close. Granted, internal users might use this to
co-opt a NetBIOS environment...more so now after it's been explained to
them...lots of options are available.

- Block UDP138 on internal networks. If WINS is being used it's unnecessary.
This, coupled with the fact that broadcasts across subnets should normally
be blocked also and you've ensured that poisoning can only happen on the
same segment (thereby minimizing the number of suspects should it ever

- SMB signing would prevent clients from attempting to authenticate against
rogue servers implanted in caches. The poisoning then becomes a DoS.

- A better solution, and really the only secure solution for anyone wishing
to continue to use NetBIOS/SMB, is to use IPSEC. IPSEC would obviously
prevent this, and lots of other vulnerabilities in NetBIOS.

For NAI to suggest that the unauthenticated nature of NetBIOS and CIFS is
purely a Microsoft problem needing to be fixed is, IMO, silly. The RFCs
they quote even acknowledge that security isn't part of NetBIOS over IP, and
the fact that some portion of the world still chooses to ignore years of
harping about closing those ports indicates that its use is entrenched and
unlikely to be changed by either a fix, or an advisory.

When SMB signing was introduced it provided a means to "break" much of
NetBIOS' weaknesses. Despite this, my best information says that it's hardly
in use. This is yet another indication that the security of NetBIOS is of
little concern to some network administrators.

Trying to draw the Internet into the fray, suggesting a remotely exploitable
vulnerability of "HIGH RISK" because a network administrator has chosen not
to observe a long-standing best practice, is not the right approach. IMO,
this makes it more hype than not.

I'm not admonishing the very detailed and well-written technical portions of
the advisory, but IMO the designation of "HIGH RISK" does NAI, COVERT Labs,
and the readers of NTBugtraq a disservice.

Russ - NTBugtraq Editor
