Last week, Microsoft released several patches to address a vulnerability nicknamed “BadTunnel” that reportedly affects all versions (Desktop and Server) of Windows OS.
At a glance, BadTunnel is a vulnerability that, if exploited, could allow an attacker to hijack a victim’s network traffic remotely. What makes BadTunnel particularly worrisome is that it can be exploited across network boundaries (e.g. firewalls and NAT devices) instead of only being exploited inside a local area network.
Luckily the vulnerability is complex: a successful exploit requires some user involvement (e.g. visiting a malicious site or clicking a link in a phishing email) and certain Windows services (e.g. NetBIOS over TCP/IP) to be running. Thankfully, Microsoft has provided patches for the currently supported Windows versions, and it is possible to disable certain Windows features to mitigate the attack without greatly affecting a user’s day-to-day experience with Windows.
The good news is that there are several ways Halo can help you defend your Windows server:
To build a Windows Firewall rule in Halo to defend against the known attack, add a new service (name it whatever you’d like, e.g. “BadTunnel”) and choose UDP for the protocol, 137 for the port, and DROP for the action:
It is also possible to write a Windows CSM policy to detect whether or not “NetBIOS over TCP/IP” is active by checking the following Registry value under each network interface’s subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\<interfaceGUID>\NetbiosOptions. A value of 2 means NetBIOS over TCP/IP is disabled for that interface.
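For readers who want to perform the same two checks directly on a server (outside of Halo), the following PowerShell is an added example written for this post; it is not CloudPassage or Halo code. It reads the NetbiosOptions value under every interface subkey, optionally sets it to 2 (disabled), and adds an inbound Windows Firewall rule dropping UDP/137 with the built-in NetSecurity cmdlets. The rule name “BadTunnel” mirrors the service name suggested above and is arbitrary; the function names are this example’s own. Run it from an elevated prompt.

```powershell
# Added example, not Halo/CloudPassage code. Assumes Windows 8 / Server 2012 or
# later (NetSecurity module present) and an elevated PowerShell session.

$NetBtInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-NetBiosOverTcpState {
    # One object per interface subkey (names look like Tcpip_{GUID}).
    Get-ChildItem -Path $NetBtInterfaces | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $state = switch ($opt) {
            0       { 'Default (use DHCP setting / enabled)' }
            1       { 'Enabled' }
            2       { 'Disabled' }
            default { 'Unknown (value missing)' }
        }
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $opt
            State          = $state
        }
    }
}

function Disable-NetBiosOverTcp {
    # Sets NetbiosOptions = 2 on every interface; the post's CSM check keys on this value.
    Get-ChildItem -Path $NetBtInterfaces | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

function Add-BadTunnelBlockRule {
    # Equivalent of the Halo service rule: inbound UDP 137, action Block (Windows' term for DROP).
    if (-not (Get-NetFirewallRule -DisplayName 'BadTunnel' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'BadTunnel' `
            -Direction Inbound -Protocol UDP -LocalPort 137 -Action Block | Out-Null
    }
    Get-NetFirewallRule -DisplayName 'BadTunnel' | Select-Object DisplayName, Enabled, Direction, Action
}

# Report current state; any interface not showing 'Disabled' still has NetBIOS over TCP/IP active.
Get-NetBiosOverTcpState | Format-Table -AutoSize

# Uncomment to remediate:
# Disable-NetBiosOverTcp
# Add-BadTunnelBlockRule
```

Disabling NetBIOS over TCP/IP per interface only takes effect after the interface re-binds (a reboot or a disable/enable cycle of the adapter), so re-run the state check afterwards rather than trusting the registry write alone. Note that the firewall rule removes the UDP/137 listener from the network path but does not stop outbound NetBIOS name queries; applying the Microsoft patch remains the primary fix.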
Customers running SVA scans against their Windows servers should see the vulnerability appearing in their reports.
Once the scan has completed, the customer can use the CVE Reference Number search criteria in the Reports module to search for CVE-2016-3213 and confirm which servers are still affected.
Want to learn more about how you can keep your organization protected? Visit cloudpassage.com/demo or contact 800-215-7404.