CCE-45283-9Platform: cpe:/o:microsoft:windows_server_2016 | Date: (C)2017-08-03 (M)2023-07-04 |
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Vulnerability:
The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries.
The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution.
For more information, see the Microsoft Knowledge Base article "MS00-047: NetBIOS Vulnerability May Cause Duplicate Name on the Network Conflicts" at http://support.microsoft.com/default.aspx?kbid=269239.
Counter Measure:
Configure the MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (Only recommended for servers) entry to a value of Enabled.
The possible values for this registry entry are:
* 1 or 0. The default configuration is 1 (enabled).
In the SCE UI, these options appear as:
* Enabled
* Disabled
* Not Defined
Alternatively, you could disable the use of WINS in your environment, and further ensure that all applications rely upon DNS for name resolution services. Although this approach is a recommended long-term strategy, it is generally impractical for most organizations to attempt as a short-term solution. Organizations that still run WINS generally have application dependencies that cannot be quickly resolved without upgrades and software rollouts, which require careful plans and significant time commitments.
If you cannot deploy this countermeasure and you want to guarantee NetBIOS name resolution, you can take the additional step of "pre-loading" NetBIOS names in the LMHOSTS file on certain computers. For more information about how to pre-load the LMHOSTS file, see the Microsoft Knowledge Base article "MS00-047: NetBIOS Vulnerability May Cause Duplicate Name on the Network Conflicts" that was referenced earlier in this section.
Note: Maintenance of LMHOSTS files in most environments requires a significant amount of effort. Microsoft encourages the use of WINS instead of LMHOSTS.
Potential Impact:
An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, Microsoft recommends that you test this change in a non-production environment before you change the production environment.
Fix:
(1) GPO: Computer ConfigurationAdministrative TemplatesMSS (Legacy)MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
(2) REG: HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNetbtParameters!NoNameReleaseOnDemand
Parameter:
[enable/disable]
Technical Mechanism:
(1) GPO: Computer Configuration\Administrative Templates\MSS (Legacy)\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters!NoNameReleaseOnDemand
CCSS Severity: | CCSS Metrics: |
CCSS Score : 8.1 | Attack Vector: NETWORK |
Exploit Score: 2.2 | Attack Complexity: HIGH |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: HIGH | User Interaction: NONE |
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:40320 |