Re: CacheFlow external listerner 137/udp

From: Shoten (shotenat_private)
Date: Wed May 23 2001 - 13:00:01 PDT

  • Next message: Chris Tobkin: "RE: Re[2]: Crash IE with shell://:"

    Have you verified that the listener is interactive at all?  From what they
    are saying, it merely fires back a response whenever it gets tickled.  I'm
    pretty paranoid, but if all it does is notice when it gets contacted at all,
    then I would not be enormously perturbed about it as a security viability.
    
    On the flipside, however, I could see how it could be used for a bandwidth
    amplification attack...you could always filter at the border router to block
    UDP 137 if you're really bothered that much.
    
    
    > An nmap scan of the outside of our new CachFlow OS 3.1.16 systems reveals
    a process listening on port 137/udp. According to the vendor it "is open as
    a workaround for older versions of IE that would not run Java applets until
    name resolution for the server has occurred or timed out. CacheOS does not
    use or support netbios.  The response sent to queries on this port are
    static "canned" responses and is only sent to improve the responsiveness of
    IE browsers using the Web Console."
    >
    > CacheFlow OS runs on the very well known x86 CPU instruction set which can
    be dug into by anyone with the time to do so. Buffer overflow or other
    vulnerabilities could exist. How to test? Using x86 assembler instructions
    to perform intrusions?
    >
    > A UDP port 137 listener on the outside interface is a concern. We ask the
    vendor for instructions how to turn it off. (No response yet.) We don't
    administer the boxes from the outside.
    



    This archive was generated by hypermail 2b30 : Wed May 23 2001 - 15:10:45 PDT