-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________

                     Network Associates, Inc.
                  COVERT Labs Security Advisory
                          July 27, 2000

                  Windows NetBIOS Name Conflicts

                         COVERT-2000-09

______________________________________________________________________

o Synopsis

The Microsoft Windows implementation of NetBIOS allows an unsolicited
UDP datagram to remotely deny access to services offered by
registered NetBIOS names.  An attacker can remotely shut down all
Domain Logins, the ability to access SMB shares, and NetBIOS name
resolution services.

RISK FACTOR: MEDIUM
______________________________________________________________________

o Vulnerable Systems

All versions of Microsoft Windows 95, 98, NT and 2000.

______________________________________________________________________

o Vulnerability Information

NetBIOS Name Conflicts, defined in RFC 1001 (15.1.3.5), occur when a
unique NetBIOS name has been registered by more than one node.  Under
normal circumstances, name conflicts are detected during the NetBIOS
name discovery process.  In other words, a NetBIOS name should only
be marked in conflict when an end node is actively resolving a
NetBIOS name.

The delivery of an unsolicited NetBIOS Conflict datagram to any
Microsoft Windows operating system will place a registered NetBIOS
name into a conflicted state.  Conflicted NetBIOS names are
effectively shut down since they can not respond to name discovery
requests or be used for session establishment, sending, or receiving
NetBIOS datagrams.

The security implications of conflicting a NetBIOS name depend upon
the NetBIOS name affected.  If the NetBIOS names associated with the
Computer Browser service are conflicted, utilities such as Network
Neighborhood may become unusable.  If the Messenger Service is
affected, the "net send" command equivalents are unusable.  If
NetLogon is conflicted, Domain logons can not be authenticated by
the affected server, thus allowing an attacker to systematically
shutdown the NetLogon service on all domain controllers in order to
deny domain services.  Finally, conflicting the Server and
Workstation Services will stop access to shared resources and many
fundamental NetBIOS services such as NetBIOS name resolution.

______________________________________________________________________

o Resolution

Microsoft has released a patch for this vulnerability. The patch can
be found at:

Windows 2000:
 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23370

Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition:
 Patch to be released shortly.

Windows NT 4.0 Server, Terminal Server Edition:
 Patch to be released shortly.

For more information, their security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS00-047.asp


______________________________________________________________________

o Credits

The discovery and documentation of this vulnerability was conducted
by Anthony Osborne at the COVERT Labs of PGP Security, Inc.

______________________________________________________________________

o Contact Information

For more information about the COVERT Labs at PGP Security, visit our
website at http://www.nai.com/covert or send e-mail to covert@nai.com

______________________________________________________________________

o Legal Notice

The information contained within this advisory is Copyright (C) 2000
Networks Associates Technology Inc.  It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.

Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries.  All other registered and unregistered
trademarks in this document are the sole property of their respective
owners.

______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBOYDsN6F4LLqP1YESEQJmFwCeLQoHrqJcW/a0XqrYwEj+6pfuXRIAoMH3
odIH98QjLqxgNAL0hklGNVIe
=gPQy
-----END PGP SIGNATURE-----