SMB: Remote Registry Request DoS
The anomaly detects a suspiciously large registry key in the OpenKey function executed using a named-pipe transaction. Large key sizes in the OpenKey function can cause the winlogon.exe process in Window NT 4.0 to crash. The key size to trigger this attack can be configured in the sensor settings of the policy.
Extended Description
In special circumstances while handling requests to access the Remote Registry Server, Windows NT 4.0 can crash due to winlogon.exe's inability to process specially malformed remote registry requests. Rebooting the machine would be required in order to regain normal functionality. Only authenticated users on the network would be able to exploit this vulnerability. If Windows NT was configured to deny all remote registry requests, it would not be affected by this vulnerability under any conditions.
Affected Products
Microsoft windows_nt
Short Name
SMB:EXPLOIT:REGISTRY-DOS
Severity
Critical
Recommended
False
Recommended Action
None
Category
SMB
Keywords
CVE-2000-0377 MS00-040 bid:1331 dos registry remote smb
Release Date
01/29/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
False Positive
Unknown
Vendors
Microsoft
CVSS Score
5.0