Multiple Vendor TCP/IP Resource Exhaustion Vulnerability

Bugtraq ID:	2022
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-2000-1039
Remote:	Yes
Local:	No
Published:	Nov 30 2000 12:00AM
Updated:	Jul 11 2009 03:56AM
Credit:	Discovered by the BindView Razor Team <[email protected]> and first publicized in a Microsoft Security Bulletin (MS00-091) on November 30, 2000.
Vulnerable:	Microsoft Windows NT Workstation 4.0 SP6a Microsoft Windows NT Workstation 4.0 SP6 Microsoft Windows NT Workstation 4.0 SP5 Microsoft Windows NT Workstation 4.0 SP4 Microsoft Windows NT Workstation 4.0 SP3 Microsoft Windows NT Workstation 4.0 SP2 Microsoft Windows NT Workstation 4.0 SP1 Microsoft Windows NT Workstation 4.0 Microsoft Windows NT Terminal Server 4.0 SP6 Microsoft Windows NT Terminal Server 4.0 SP5 Microsoft Windows NT Terminal Server 4.0 SP4 Microsoft Windows NT Terminal Server 4.0 SP3 Microsoft Windows NT Terminal Server 4.0 SP2 Microsoft Windows NT Terminal Server 4.0 SP1 Microsoft Windows NT Terminal Server 4.0 Microsoft Windows NT Server 4.0 SP6a + Avaya DefinityOne Media Servers + Avaya DefinityOne Media Servers + Avaya IP600 Media Servers + Avaya IP600 Media Servers + Avaya S3400 Message Application Server 0 + Avaya S8100 Media Servers 0 + Avaya S8100 Media Servers 0 Microsoft Windows NT Server 4.0 SP6 Microsoft Windows NT Server 4.0 SP5 Microsoft Windows NT Server 4.0 SP4 Microsoft Windows NT Server 4.0 SP3 Microsoft Windows NT Server 4.0 SP2 Microsoft Windows NT Server 4.0 SP1 Microsoft Windows NT Server 4.0 Microsoft Windows NT Enterprise Server 4.0 SP6a Microsoft Windows NT Enterprise Server 4.0 SP6 Microsoft Windows NT Enterprise Server 4.0 SP5 Microsoft Windows NT Enterprise Server 4.0 SP4 Microsoft Windows NT Enterprise Server 4.0 SP3 Microsoft Windows NT Enterprise Server 4.0 SP2 Microsoft Windows NT Enterprise Server 4.0 SP1 Microsoft Windows NT Enterprise Server 4.0 Microsoft Windows NT 4.0 + Microsoft Windows NT Enterprise Server 4.0 + Microsoft Windows NT Enterprise Server 4.0 + Microsoft Windows NT Server 4.0 + Microsoft Windows NT Server 4.0 + Microsoft Windows NT Terminal Server 4.0 + Microsoft Windows NT Terminal Server 4.0 + Microsoft Windows NT Workstation 4.0 + Microsoft Windows NT Workstation 4.0 Microsoft Windows ME Microsoft Windows 98SE Microsoft Windows 98 Microsoft Windows 95
Not Vulnerable:	Microsoft Windows 2000 Server SP2 Microsoft Windows 2000 Server SP1 Microsoft Windows 2000 Server + Avaya DefinityOne Media Servers + Avaya IP600 Media Servers + Avaya S3400 Message Application Server 0 + Avaya S8100 Media Servers 0 Microsoft Windows 2000 Professional SP2 Microsoft Windows 2000 Professional SP1 Microsoft Windows 2000 Professional Microsoft Windows 2000 Datacenter Server SP2 Microsoft Windows 2000 Datacenter Server SP1 Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Advanced Server SP2 Microsoft Windows 2000 Advanced Server SP1 Microsoft Windows 2000 Advanced Server

Multiple Vendor TCP/IP Resource Exhaustion Vulnerability

Microsoft's implementation NetBIOS is vulnerable to a remotely exploitable denial of service attack. An attacker who has access to the NBT port can cause the system to become exhausted of network resources and cease functioning.

The attack is carried out by initiating many connections and then closing them, leaving the target tcp sockets in FINWAIT_1 state. Although the sockets will eventually time out and be freed, an attacker can continuously send more, initiating and closing new connections using up any freed network resources. The result may be a denial of useful NetBIOS services until the attack stops.

This type of attack is well known as simple resource exhaustion, but has become an issue with new tools that enable attackers to launch more effective resource exhaustion attacks. Microsoft has released fixes to patch this vulnerability in NT 4.0sp6. This vulnerability affects many operating systems aside from Microsoft Windows, however Microsoft is the only vendor thus far to issue a patch and workaround.