Microsoft Windows 2000 LanMan denial of service

win2k-lanman-dos (8867) The risk level is classified as Medium Risk

Description:

The LanMan service installed with Microsoft Windows 2000 is vulnerable to a denial of service attack. A vulnerability regarding the default registry settings for the LanMan service could allow a malicious attacker to send malformed packets to TCP port 445 to consume 100% of the CPU resources.


Consequences:

Denial of Service

Remedy:

Disable port 445 or set the MaxWorkItems registry key. Microsoft provided two workarounds in article Q320751 (which may be currently unavailable):

To disable port 445 by turning off NetBIOS over TCP/IP (not recommended if NetBIOS is required):

  1. From the Start menu, go to Settings, and then select Network and Dial-up Connections.
  2. Right-click Local Area Connection, and then select Properties.
  3. Highlight Internet Protocol (TCP/IP), select Properties, and then select Advanced.
  4. From the WINS tab, select 'Disable NetBIOS over TCP/IP', and then click OK three times.

To configure the MaxWorkItems registry key:

CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

  1. Open the Registry Editor. From the Windows Start menu, select Run.
  2. Type regedt32 and click OK.
  3. Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\parameters key.
  4. From the Edit menu, select Add Value.
  5. For the Value Name, type MaxWorkItems.
  6. For the Data Type, select REG_DWORD, and then select OK.
  7. For the Data value, set the Radix to Decimal and type one of the following:
    • 1024 for systems with more than 2 gigabytes of memory
    • 512 for systems with 512 megabytes to 2 gigabytes of memory
    • 256 for systems with less than 512 megabytes of memory
  8. Select OK.
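To verify the result of the steps above, the following Python check reads a text export of the LanmanServer parameters key and compares MaxWorkItems with the value step 7 gives for the host's memory. It is an added example, not part of the original advisory or of Microsoft's article. The function names, the sample export, and the reading of the tiers as "512 MB and 2 GB inclusive belong to the middle tier" are assumptions.

```python
import re

# Key from step 3, lower-cased: registry key and value names are case-insensitive.
KEY = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
MB = 1024 * 1024

def recommended_max_work_items(memory_bytes):
    """Value from step 7 of the advisory for a given amount of physical memory."""
    if memory_bytes > 2048 * MB:
        return 1024
    if memory_bytes >= 512 * MB:
        return 512
    return 256

def read_max_work_items(reg_text):
    """Return MaxWorkItems as an int from decoded .reg export text, or None if unset."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == KEY  # subkeys do not match
            continue
        if not in_key:
            continue
        m = re.match(r'"maxworkitems"\s*=\s*dword:([0-9a-f]{1,8})$', line, re.I)
        if m:
            return int(m.group(1), 16)  # .reg files store DWORD data in hex
    return None

def audit(reg_text, memory_bytes):
    """Return (status, current, expected); status is 'ok', 'missing' or 'mismatch'."""
    expected = recommended_max_work_items(memory_bytes)
    current = read_max_work_items(reg_text)
    if current is None:
        return ("missing", None, expected)
    return ("ok" if current == expected else "mismatch", current, expected)

# Constructed sample export (not taken from a real host); 0x100 is 256 decimal.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"MaxWorkItems"=dword:00000100
'''

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, 1024 * MB))  # host with 1 GB of memory
```

A "missing" result means the value was never added and the service is running on its default setting, which is the condition the advisory describes.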

References:

  • VulnWatch Mailing List, Wed Apr 17 2002 - 04:30:54 CDT: KPMG-2002011: Windows 2000 microsoft-ds Denial of Service. (From Neohapsis archive)
  • BID-4532: Microsoft Windows 2000 Lanman Denial of Service Vulnerability
  • CVE-2002-0597: LANMAN service on Microsoft Windows 2000 allows remote attackers to cause a denial of service (CPU/memory exhaustion) via a stream of malformed data to microsoft-ds port 445.
  • OSVDB ID: 5179: Microsoft Windows 2000 microsoft-ds DoS
  • US-CERT VU#693099: Microsoft Windows 2000 vulnerable to DoS via malformed packets sent to port 445/tcp

Platforms Affected:

  • Microsoft Windows 2000

Reported:

Apr 17, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
