SonicALERT
Search

Sonicwall Signatures

 

  All Categories


Category: NETBIOS

NetBIOS Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent intrusions implemented internally on the network. The NetBIOS name is somewhat misleading -- this is a largely defunct Application Programming Interface that was used to implement communication using the System Message Block (SMB) protocol, among others, for communication between networked computers and components. Since Windows 2000, networked computers have been able to communicate using the SMB protocol without using NetBIOS to implement it. The NetBIOS name is thus a holdover from old vulnerabilities that existed in Windows 95 and 98 networked machines. Nonetheless, the described vulnerabilities are very similar and deal with ways that atteckers attempt to exploit vulnerabilities in the handling of networking requests. The exploits detected by this category are not only utilized manually; many have become critical components in network worms that propagate mainly by copying themselves across internal networks without users' knowledge. Successful attacks in this category can cause servers and workstations to crash, and in some instances give attackers control over the compromised system.

Networks using SMB are organized in a client-server format, with a server providing access to network resources when clients send it requests. These servers provide a number of services, from print services to access to network shares, or shared versions of the hard drives on the network. A user's ability to access resources is restricted by that user's privileges, with the owner of the Administrator account having access to all resources on the network. Attackers attack a number of points in this structure to compromise a network.

The simplest type of attack is a Network Share Enumeration attack where an attacker gains access to network shares simply by requesting that the server enumerate them. With proper security policies, i.e. robust password protection for network shares or well-defined privileges, these attacks are rarely successful. Unfortunately, proper security policies are implemented less often than they should be. These attacks can give attackers access to sensitive files contained on the network and allow them to upload malicious files on to network computers that can compromise them if run. Several worms use network share enumeration as a major vector for spreading across networks.

Network Share Enumeration attacks are often combined with Privilege Elevation attacks to achieve maximum effictiveness. Privilege Elevation attacks involve an attacker trying to hijack an account that has administrative privileges so that they can access all resources on a network. Often, this just involves cracking the administrator password which is often less robust than it could be. Many worms gain administrator privileges on networks by using a "dictionary" attack, or by attempting to log in using a list of weak, commonly used passwords. As worms become more advanced and begin to use compromised network computers as grids working on brute-force cracking of administrator passwords, the success of this type attack will become more common and the risk that attackers will be able to gain control of entire networks will rise.

The other type of attack recognized by this category deals with attempts to exploit vulnerabilities in networking software, not in security policies. Many networking components contain unchecked buffers that can allow attackers to cause client or server machines to malfunction by sending them a carefully crafted request. The requests can cause a buffer overflow that can give attackers control over compromised machines or cause them to crasy. Attackers and worms commonly use these attacks to open backdoors and download malicious software on to both clients and servers, or cause SMB servers to crash, shutting down basic services like network printing or accessing network drives.

SonicWALL NetBIOS signatures are classified from low- to high-priority based on the probability of success and the likely damage caused by the corresponding attack. When enabled for prevention, these signatures can block attempts to transfer malicious files across network shares or attempts to send malformed requests to client and server machines. When configured for detection these signatures can alert administrators to suspicious activity like repeated attempts at administrator login which can indicate a brute force attack in progress. It should be noted, however, that the above attacks can be largely prevented by sound security policies and frequent patching of network systems. SonicWALL signatures should be used in conjunction with these good networking practices to ensure maximum network security.

  Windows Print Spooler Privilege Escalation (CVE-2021-1675)
  Malformed SMB Request 4
  Malformed SMB Request 15
  Samba Netlogon Remote Code Execution 1
  Malformed Compressed SMB Traffic 1
  Cisco Webex Meetings Update Service Command Injection
  Samba vfs_fruit Module Remote Code Execution 1
  Samba vfs_fruit Module Remote Code Execution 2
  Samba symlink Directory Traversal
  Samba Spotlight mdssvc RPC DoS
  Samba Spotlight mdssvc RPC DoS 2
  Samba SamrChangePassword Remote Command Execution 1
  Samba NDR Parsing Heap Buffer Overflow
  Malformed SMB Request 1
  Malformed SMB Request 2
  Malformed SMB Request 12
  Samba read_nttrans_ea_list DoS 2
  Malformed SMB Request 11
  Samba MS-RPC Command Injection
  Samba nmbd unstrcpy Buffer Overflow
  Windows Print Spooler Format String Attack 3
  PsExec Call over SMB
  Malformed SMB Request 5
  Malformed SMB Request 6
  Malformed SMB Request 3
  Malformed SMB Request 7
  Samba SamrChangePassword Remote Command Execution 2
  Malformed SMB Request 8
  Malformed SMB Request 9
  Samba read_nttrans_ea_list DoS 1
  Malformed SMB Request 13
  Samba AndX Heap Buffer Overflow 1
  Malformed SMB Request 14
  Samba RPC Code Generator Remote Code Execution 1
  Malformed SMB Request 10
  Samba RPC Code Generator Remote Code Execution 2
  Windows Print Spooler Format String Attack 1
  Windows Print Spooler Format String Attack 2
  Malformed SMB Response 1
  Malformed SMB Response 2
  Sourcefire Snort rule20275eval Buffer Overflow
  Samba RPC Code Generator Remote Code Execution 4
  Samba Netlogon Remote Code Execution 2
  Windows SAM and LSAD Downgrade (MS16-047) 1
  Windows SAM and LSAD Downgrade (MS16-047) 2
  Windows LSASS DoS (MS16-137) 1
  Windows LSASS DoS (MS16-137) 2
  Windows SMB Tree Connect Response DoS 1
  Windows SMB Tree Connect Response DoS 2
  Windows SMB Remote Code Execution (MS17-010) 1
  Windows SMB Information Disclosure (MS17-010) 1
  Windows SMB Information Disclosure (MS17-010) 2
  Windows SMB Remote Code Execution (MS17-010) 2
  Windows SMB Remote Code Execution (MS17-010) 3
  Malformed SMB Response 3
  Samba Uploaded Shared Library Remote Code Execution 1
  Windows SMB Remote Code Execution (MS17-010) 5
  Samba Uploaded Shared Library Remote Code Execution 2
  Samba Uploaded Shared Library Remote Code Execution 3
  Windows SMB Information Disclosure (MAY 17)
  Windows SMB Remote Code Execution (MS17-010) 6
  Windows SMB Information Disclosure (MAY 17) 2
  Windows Print Spooler Remote Code Execution (CVE-2021-34527) 1
  Windows Print Spooler Remote Code Execution (CVE-2021-34527) 2
  Windows LSA Spoofing (CVE-2022-26925)
  Windows SMB Client Null Dereference DoS
  Windows SMB Transaction Response DoS (MS10-020)
  Windows SMB Client Remote Code Execution (MS10-020)
  Samba AndX Security Blob Length DoS 1
  Samba AndX Security Blob Length DoS 2
  Samba Flags2 Header DoS 1
  Samba Flags2 Header DoS 2
  Samba SID Parsing Buffer Overflow
  Samba call_trans2open Buffer Overflow
  Samba Write Request Information Disclosure
  Windows SMB Out-of-Bounds Read (OCT 17)
  Windows SMB Information Disclosure (OCT 17) 1
  Samba SMB1 Request Use-After-Free
  Samba SMB1 message_push_string Information Disclosure 1
  Samba spoolss Service DoS
  Samba SMB1 message_push_string Information Disclosure 2
  Microsoft Filter Manager Privilege Escalation (OCT 18)
  Windows SMB Remote Code Execution (FEB 19) 1
  Windows SMB Information Disclosure (MAR 19) 1
  Windows SMB Remote Code Execution (FEB 19) 2
  Samba Uploaded Shared Library Remote Code Execution 4
  Samba Uploaded Shared Library Remote Code Execution 5
  Windows SMBv3 Remote Code Execution (CVE-2020-0796) 1
  Windows SMBv3 Remote Code Execution (CVE-2020-0796) 2
  Windows SMBv3 Remote Code Execution (CVE-2020-0796) 3
  Windows SMBv3 Remote Code Execution (CVE-2020-0796) 4
  Windows SMBv3 DoS (CVE-2020-1284)
  Windows SMB Remote Code Execution (CVE-2020-1301) 1
  Windows SMB Remote Code Execution (CVE-2020-1301) 2
  Windows SMBv3 Information Disclosure (CVE-2020-1206) 1
  Windows SMBv3 Information Disclosure (CVE-2020-1206) 2
  Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 1
  Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 2
  Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 3
  Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 4
  Windows SMB Information Disclosure (CVE-2020-17140)
  Windows SMB Information Disclosure (CVE-2021-28325)


Relevant Information