MS00-047: NetBIOS Vulnerability May Cause Duplicate Name on the Network Conflicts (269239)



The information in this article applies to:

  • Microsoft Windows NT Server 4.0 Terminal Server Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows NT Server, Enterprise Edition 4.0
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows Millennium Edition
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 98
  • Microsoft Windows 95

This article was previously published under Q269239
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

Microsoft has released a patch that improves the ability of an administrator to protect against denial-of-service attacks against Windows NT 4.0 and Windows 2000-based computers.

The NetBIOS over TCP/IP (NBT) protocols are, by design, unauthenticated and therefore vulnerable to "spoofing." A malicious user could misuse the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer to cause it to relinquish its name and stop responding to queries.

Upon receiving an unsolicited name-conflict datagram, the computer stops responding to the NetBIOS name that is in conflict, and it may display an error message stating that a duplicate name exists on the network. Also, the affected computer may experience one or more of the following symptoms:

Intermittent Connectivity Issues

The computer may have intermittent issues communicating with another computer.

NetBIOS Name Service Conflicts

  • Tools such as Network Neighborhood do not work.
  • net send command equivalents do not work.
  • Domain logons are not authenticated by the affected server.
  • You may be unable to obtain access to shared resources and to fundamental NetBIOS services, such as NetBIOS name resolution.
Also, the nbtstat -n command may display a status of "Conflict" next to the NetBIOS name service.

This patch changes the behavior of Windows to accept a name conflict datagram only in direct response to a name registration attempt.

CAUSE

Intermittent Connectivity Issues

A computer receives and then caches an unsolicited NetBT Datagram Service datagram in its remote NetBIOS name cache with the TCP/IP address specified in the unsolicited datagram.

Datagram Service datagrams are used to transport data between different computers, and they are sent and received by NetBT only over UDP port 138.

NetBIOS Name Service Conflicts

A computer receives a Name Service datagram with an unsolicited negative name registration response for a name that is registered locally. For example, the following list describes some NetBIOS name services that can be affected by this issue:
  • Computer Browser Service name conflicts can render tools such as Network Neighborhood unusable.
  • Messenger Service name conflicts can render net send command equivalents unusable.
  • NetLogon Service name conflicts can deny domain services.
  • Server Service and Workstation Service name conflicts can deny access to shared resources.
Name Service datagrams are used primarily to register and resolve names on the network, and they are sent and received by NetBT and WINS only over TCP/UDP port 137.

RESOLUTION

To resolve these issues, use the appropriate method:

Intermittent Connectivity Issues

Apply the appropriate hotfix listed later in this article for the operating system affected by this issue. In addition, preload sensitive NetBIOS names in the Lmhosts file, which causes NetBIOS to discard packets that attempt to overwrite the cache entry of Lmhosts preloaded names, preserving their address mapping.

NetBIOS Name Service Conflicts

Apply the appropriate hotfix for the operating system affected by this issue, which causes unsolicited name registration responses that do not originate from a Windows Internet Name Service (WINS) server that the computer is registered with to be ignored.

NOTE: For this issue, the hotfix only works if the affected computer is configured to use WINS.

IMPORTANT: Microsoft recommends that this hotfix only be applied to computers that specifically require it, that is, computers that play a central role in the network and that the administrator judges could be a target for such an attack. Microsoft does not recommend that you apply this hotfix globally without testing it in a specific environment.

Follow these steps:
  1. Use Registry Editor (Regedt32.exe) to view the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

  2. Modify the following registry value, or add the value if it does not exist:

    Value name: NoNameReleaseOnDemand
    Value type: REG_DWORD-Boolean
    Value data: 0, 1 (False, True)
    Default: 0 (False)
    Recommendation: 1
    Description: This parameter determines whether the computer releases its NetBIOS name when it receives a name-release request from the network. It was added to permit the administrator to protect the computer against malicious name-release attacks.

Windows 2000

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The following file is available for download from the Microsoft Download Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later:
   Date        Time       Version        Size     File name
   --------------------------------------------------------
   07/20/2000  4:09:13pm  5.0.2195.2103  142,832  Netbt.sys
				

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Windows NT 4.0

To resolve this problem, obtain the individual package referenced below or obtain the Windows NT 4.0 Security Rollup Package. For additional information on the SRP, click the article number below to view the article in the Microsoft Knowledge Base:

299444 Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)

The following file is available for download from the Microsoft Download Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

The English version of this fix should have the following file attributes or later:
   Date        Time    Size     File name  Platform
   -----------------------------------------------------
   08/29/2000  4:39pm  123,600  Netbt.sys  x86
				

Windows NT Server 4.0, Terminal Server Edition

To resolve this problem, either obtain the hotfix referenced in this section or the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP). For additional information about the SRP, click the article number below to view the article in the Microsoft Knowledge Base:

317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following file is available for download from the Microsoft Download Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

The English version of this fix should have the following file attributes or later:
   Date        Time    Size     File name  Platform
   -----------------------------------------------------
   08/29/2000  06:23p  123,536  Netbt.sys  x86
				

Windows Millennium Edition

As of August 14, 2000, there is no hotfix available for this operating system.

To work around these issues, configure a firewall to block ports 137-139, which keeps external users from exploiting this NetBIOS vulnerability.

You can also work around the NetBIOS name-service conflict issue by performing an operation that causes the TCP/IP stack to remove and then resend TCP/IP address notifications. You can trigger this by using one of the following methods:
  • If the affected computer is a Dynamic Host Configuration Protocol (DHCP) client, release and then renew the TCP/IP address.
  • Force a media disconnect on the affected network adapter, and then reconnect it.
  • Restart the computer.

Windows 95, Windows 95 OSR 2, Windows 98, and Windows 98 Second Edition

The English version of this fix should have the following file attributes or later:
  Date       Time    Version    Size    File Name Platform
  -------------------------------------------------------------------------
  07/31/2000 11:11a  4.10.1659  87,769  Vnbt.386  Windows 95, all versions
  07/10/2000 11:23a  4.10.1721  87,749  Vnbt.386  Windows 98
  07/10/2000 11:36a  4.10.2149  90,893  Vnbt.386  Windows 98 Second Edition
				

STATUS

This problem was first corrected in Windows 2000 Service Pack 2.

MORE INFORMATION

For more information, please see the following Microsoft Security Bulletin: The NetBIOS over TCP/IP protocols are unauthenticated by design, and therefore are vulnerable to "spoofing." This vulnerability does not result from a product flaw in any of the affected operating systems, it is simply an outcome of the nature of the industry-standard protocol being used. A malicious user could misuse the unauthenticated nature of the protocol to send a Name Service datagram to a target computer, causing it to relinquish its name and stop responding to queries.

NetBIOS name conflicts specified in RFC 1001 (section 15.1.3.5) occur when a unique NetBIOS name is registered by more than one node. Under typical circumstances, name conflicts are detected during the NetBIOS name discovery process; a NetBIOS name should only be marked in conflict when an end node is actively resolving a NetBIOS name.

The delivery of an unsolicited NetBIOS Name Service datagram to a computer that is running any of the Microsoft Windows operating systems listed earlier in this article places a registered NetBIOS name into a conflicted state. Conflicted NetBIOS names are effectively shut down because they are unable to respond to name discovery requests, to be used for session establishment, or to be used for sending and receiving NetBIOS datagrams.

For unprotected names (names that are not preloaded in the Lmhosts file), only communication with the name whose TCP/IP address is modified by the unsolicited datagram is affected; this name is flushed from the NetBIOS cache within 5 seconds. To keep the remote name cache corrupted, the suspected attacker needs to send a stream of unsolicited datagrams, risking exposing his or her identity.

Customers who need 100 percent protection against "spoofing" attacks may want to consider using IP Security Protocol (IPSec) in Windows 2000 to establish authenticated sessions over ports 137-139.

Under some circumstances, this fix may cause several 4320 Errors logged by NetBT in the system event log, which may look confusing to the user. The reason for this is the release requests to common group names being broadcast to the subnet from other machines during shutdown, if 'b node' or improperly configured 'h node' machines are on the same subnet.

For additional information about Windows 95 hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:

161020 Implementing Windows 95 Updates

For additional information about Windows 98 and Windows 98 Second Edition hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:

206071 General Information on Windows 98 and SE Hotfixes


Modification Type:MajorLast Reviewed:10/8/2006
Keywords:kbHotfixServer kbQFE kbbug kbfix kbgraphxlinkcritical kbnetwork KbSECBulletin kbSecurity KbSECVulnerability kbWin2000PreSP2Fix KB269239