Microsoft Security Bulletin MS00-073 - Critical
Patch Available for 'Malformed IPX NMPI Packet' Vulnerability
Published: October 11, 2000 | Updated: December 16, 2002
Originally posted: October 11, 2000
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows 95, Windows 98, 98 Second Edition and Windows Me. The vulnerability could be used to cause an affected system to fail, and depending on the number of affected machines on a network, potentially could be used to flood the network with superfluous data. The affected system component normally is present only if it has been deliberately installed.
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows Me
Vulnerability Identifier: CVE-2000-0980
The Microsoft IPX/SPX protocol implementation (NWLink) includes an NMPI (Name Management Protocol on IPX) listener that will reply to any requesting network address. The NMPI listener software does not filter the requesting computer's network address correctly, and will therefore reply to a network broadcast address. Such a reply would in turn cause other IPX NMPI listener programs to also reply. This sequence of broadcast replies could generate a large amount of unnecessary network traffic. A machine that crashed due to this vulnerability could be put back into service by rebooting.
IPX is not installed by default in Windows 98, 98 Second Edition, or Windows Me, and is only installed by default in Windows 95 if there is a network card present in the machine at installation time. Even when IPX is installed, a malicious user's ability to exploit this vulnerability would depend on whether he could deliver a malformed NMPI packet to an affected machine. Routers frequently are configured to drop IPX packets, and if such a router lay between the malicious user and an affected machine, he could not attack it. Routers on the Internet, as a rule, do not forward IPX packets, and this would tend to protect intranets from outside attack, as well as protecting machines connected to the Internet via dial-up connections. As discussed in the FAQ, the most likely scenario in which this vulnerability could be exploited would be one in which a malicious user on an intranet would attack affected machines on the same intranet, or one in which a malicious user on the Internet attacked affected machines on his cable modem or DSL subnet.
What's this bulletin about?
Microsoft Security Bulletin MS00-073 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 95, 98, 98 Second Edition and Windows Me Edition. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service attack. A malicious user could use this vulnerability to cause an affected machine to fail and possibly cause a broadcast storm on the network.
The chief limitation on this vulnerability is that the affected system component is not installed by default on Windows 98 and later versions. Even if it was installed, the vulnerability could only be exploited in restricted circumstances. In a corporate setting, the vulnerability could only be exploited by a user who could log onto the network. In a home setting, the vulnerability could only be exploited if the machine was connected to the Internet via a cable modem or DSL connection, and the malicious user was on the same network segment as the affected machine. Neither Windows NT 4.0 nor Windows 2000 are affected by the vulnerability.
What causes the vulnerability?
The IPX NMPI (Netbios Name Management Port Interface) implementation in the affected systems will accept and process a specially-malformed packet sent to it, with potential consequences that could cause that machine to fail or possibly cause a broadcast storm.
IPX (Internetworked Packet Exchange, or, more properly, IPX/SPX - Internetworked Packet Exchange/Sequenced Packet Exchange) is a networking protocol popularized by Novell Netware. Windows platforms implement IPX through the NWLink feature, which allows Windows and Netware computers to communicate.
IPX is primarily used in small- to medium-sized networks, because it's routable and relatively efficient. It's typically not used in large networks because, under IPX, machines periodically send broadcast messages to announce their continued presence on the network. In large networks these messages can cause network congestion.
What is NMPI?
NMPI (Name Management Protocol on IPX) is a protocol that allows computers on a network to determine the names of other computers, in order to allow them to communicate with each other. Normally, Windows machines use a protocol called NetBIOS to perform name management. However, when using IPX, it's possible to improve the efficiency of data sharing through a technique known as direct hosting. In direct hosting, NMPI rather than NetBIOS is used for name management. Although NMPI isn't part of the IPX protocol, NMPI support is automatically enabled whenever IPX is installed on the machine, and can't be enabled except through IPX. That is, the only customers who could be affected by this vulnerability would be those who have IPX installed on their machines, and all customers with IPX installed would be affected.
Is this a problem in either the IPX or NMPI protocols?
No. The vulnerability has nothing to do with either protocol per se. It results because of an error in the NMPI implementation that causes it to mishandle a particular type of malformed request.
Is IPX installed by default?
In general, no. Windows 98, Windows 98 Second Edition, and Windows Me Edition do not install IPX by default. Windows 95 does install IPX by default if there is a plug-and-play network card present in the machine when the system is installed - however, at the time when most Windows 95 systems were installed, there were very few plug-and-play network cards available, so it is likely that IPX is not installed on most Windows 95 systems.
What's wrong with the malformed packet at issue here?
The vulnerability causes the affected systems to handle a received NMPI packet inappropriately if the source network address in the packet equals the destination address.
What do you mean by a network address?
Like most networking protocols, IPX provides the ability to send a packet to specific machines in the network by addressing it with the appropriate network address. In this vulnerability, however, the malicious user wouldn't send a malformed packet to the broadcast address - instead, he would provide the broadcast address as the source address.
What do you mean when you say that an affected system would handle such a packet inappropriately?
The broadcast address is clearly an invalid source address, and NWLink should simply drop such a packet when it receives it. Instead, it processes the packet, and, because of the malformation, responds to the entire network rather than to the requester.
What's the effect of responding to the entire network?
It would have two effects. First, it would cause the machine to respond to the "sender" of the NMPI packet - the broadcast address. That is, it would cause the machine to send a NMPI response to the entire network. This would require every machine that received it to process it. If a single machine sent a NMPI reply to the entire network, it might not have a significant effect on the overall network. However, the malicious user might not send the packet to a single machine. He might set the destination address, as well as the source address, to broadcast, in order to cause every affected machine within broadcast range to respond to the entire network. Depending on the number of affected machines on the network, this could create a "broadcast storm" that could significantly impede network operations.
To see why, consider a case in which there are ten machines on the network. The malicious user would initiate the attack by sending a single malformed NMPI packet to the broadcast address. Upon receiving the request, all ten machines would process it and reply to the broadcast address. Thus, by sending a single request, the malicious user would have succeeded in causing ten times as much traffic to be sent in response, and would have caused all ten machines to process the other machines' responses. Now consider the case where a thousand affected machines are on the network. In this case, a single malformed NMPI packet would cause a thousand responses. If the number of affected machines were sufficiently high, the attack could cause the network to be swamped with responses.
How long would the broadcast storm last?
It would be brief - first of all, because the responses wouldn't trigger any additional responses, and second because each affected machine would crash after seeing its response.
Who is at risk from this vulnerability?
Let's start with who's not at risk. If IPX isn't installed on the machine, the vulnerability can't affect it. Even if IPX were installed, a malicious user couldn't attack the machine via this vulnerability unless he could deliver a malformed NMPI packet to it.
Are Windows NT 4.0 and Windows 2000 affected by the vulnerability?
Who should use the patch?
Microsoft recommends that customers who have IPX enabled consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability by causing NWLink to ignore NMPI requests containing the specific malformation at issue here.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How do I use the patch?
Knowledge Base article Q273727 contains detailed instructions for applying the patch.
How can I tell if I installed the patch correctly?
Knowledge Base article Q273727 provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article Q273727 explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
- Microsoft Windows 95
- Microsoft Windows 98 and 98 Second Edition
- Microsoft Windows Me
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base (KB) article Q273727,
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- October 11, 2000: Bulletin Created.
- January 16, 2001: Update to Patch Availability section.
- April 13, 2001: Update Windows 95 patch availability.
- December 16, 2002: Update to Patch Availability section.
Built at 2014-04-18T13:49:36Z-07:00