Fidelis Cybersecurity
Fidelis Blog


How Halo can help combat the BadTunnel vulnerability

Last week, Microsoft released several patches to address a vulnerability nicknamed “BadTunnel” that reportedly affects all versions (Desktop and Server) of Windows OS.

At a glance, BadTunnel is a vulnerability that, if exploited, could allow an attacker to hijack a victim’s network traffic remotely. What makes BadTunnel particularly worrisome is that it can be exploited across network boundaries (e.g. firewalls and NAT devices) instead of only being exploited inside a local area network.

Luckily the vulnerability is complex and requires some user involvement (e.g. visiting a malicious site or clicking on phishing email) in order for an exploit to succeed and certain WIndows services (e.g. NetBIOS over TCP/IP) to be running. Thankfully, Microsoft has provided patches for the current supported Windows versions and it is possible to disable certain Windows features that will mitigate the attack without greatly affecting a user’s utility or experience using Windows day-to-day.

The good news is that there are several ways Halo can help you defend your Windows server:

  • Identify if you have the vulnerable software installed
  • Determine if you have the vulnerable services running
  • Implement a blocking firewall rule to prevent exploitation across your Halo-protected Windows servers

Building a firewall rule

To build a Windows Firewall rule in Halo to defend against the known attack, add a new service (name it whatever you’d like, e.g. “BadTunnel”) and choose UDP for the protocol, 137 for the port, and DROP for the action:


Halo Configuration Security Monitoring (CSM)

It is also possible to write a Windows CSM policy to detect whether or not “NetBIOS over TCP/IP” is active by checking the following Registry Key:

HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNetBTParametersInterfacesinterfaceGUID:NetbiosOptions. The value of 2 means NetBIOS over TCP/IP is disabled.


Halo Software Vulnerability Assessments (SVA)

Customers running SVA scans against their Windows servers should see the vulnerability appearing in their reports.

After having scanned their servers the customer can use the CVE Reference Number Search Criteria in the Reports module to search for CVE-2016-3213.

Want to learn more about how you can keep your organization protected? Visit or contact 800-215-7404.

Stay up to date on all things security

Subscribe to the Threat Geek Blog