Exploitable NetBIOS Vulnerability

I Plan to Stick Around
Posts: 10

Exploitable NetBIOS Vulnerability

Exploitable NetBIOS vulnerability and Rogers threat to deny internet access if not solved

 

Hello. Several days ago, I received a message (followed by a recorded voice mail) that "a device connected to your Rogers Internet is showing signs of an exploitable NetBIOS vulnerability".  My router's name and the port in question (137) were identified in the email message.

 

Since then, I have put several hours into the network trying to fix this problem. The router (a Synology) has been set up to deny ports 135-139 plus 445, in and out (my Rogers router/modem is in bridge mode). The router is also running the Synology Threat Prevention package and it is up to date. The router software is also up to date. All the devices behind the router (PCs, NAS and Macs) have firewalls enabled. I have Sophos Home Premium as my security package for the devices. As I am aware that Windows has NetBIOS enabled by default, I took the extra precaution of setting up each PC's firewall to block ports 135-139, in and out. I also disabled NetBIOS and also disabled the TCP/IP NetBIOS Helper service on both PCs. I also set up my NAS firewall to block the NetBIOS ports (in and out) as I know that a NAS can sometimes be problematic. Lastly, I used the Fing app on my iPhone to test each device for any open ports and all devices came back showing that ports 135-139 were not open (this included some secondary routers in extension mode, smartphones and tablets).

 

When I test for open ports with ShieldsUp, the report comes back with all ports in Stealth mode, except ports 137-139 which are reported as closed, but NOT stealthed. I worry that I won't pass Rogers' test, since these ports are NOT in stealth mode. Any advice would be very, very much appreciated. Thank you in advance.

 

*** Edited Labels/Title ***

 

Moderator
Posts: 826

Re: Exploitable NetBIOS Vulnerability

Hello, @stu593 

 

I know how important it is to have any potential vulnerabilities resolved to ensure you are protected.

 

While I wish this was something we could assist you with directly, we are not trained to resolve these types of issues. We do have several Resident Experts that may be well equipped to assist you in finding a resolution to this matter. I will tag them into this post: @Datalink @Gdkitty @-G-

 

If there is anyone in the Community who has experience with how to resolve the NetBIOS vulnerability please feel free to chime in.

 

Cheers,

RogersTony

I'm Here A Lot
Posts: 6

Re: Exploitable NetBIOS Vulnerability

I got the same message. I've even blocked that port on my Airport router (I'm in bridge mode). I've had the same setup here for years. So, not sure what they are seeing.
I've Been Around
Posts: 1

Re: Exploitable NetBIOS Vulnerability

Same here. I have the Apple AirPort Extreme and I've been using it for years without any problems. Don't know why I am getting this now! Just updated the firmware and erased the built-in drive, but still receiving the same email from Rogers. Considering buying the Netgear Orbi from Best Buy.
I'm Here A Lot
Posts: 6

Re: Exploitable NetBIOS Vulnerability

Someone needs to escalate this issue to Rogers at a higher level. I've updated my apple router to the latest firmware, blocked the ports, and they are still complaining. This is new as of last week. Not sure what else I can do. 

Resident Expert
Posts: 712

Re: Exploitable NetBIOS Vulnerability


@RogersTony wrote:

While I wish this was something we could assist you with directly, we are not trained to resolve these types of issues. We do have several Resident Experts that may be well equipped to assist you in finding a resolution to this matter. I will tag them into this post: @Datalink @Gdkitty @-G-


I don't know what tools the Rogers Security team is using to scan for potentially exploitable network vulnerabilities or what they are specifically scanning for.  The Synology routers and Apple routers (AirPort and Time Capsules) have the ability to share disks and it's possible that resources are being shared on the WAN interface.  I would look at the router configurations and specifically look at what file or disk (or printer) sharing options are enabled.

 

I found a link on how to configure Synology routers to limit SMB access to LAN devices: https://www.synology.com/en-global/security/advisory/Precaution_for_a_PotentialSMBVulnerability

 

Here's another link for how to enable file sharing on the WAN interface on AirPort routers: https://discussions.apple.com/docs/DOC-3413

... so this is something that you need to make sure that you are NOT doing.

 

I also found the following Rogers links:

https://www.rogers.com/customer/support/article/information-regarding-your-rogers-internet-security-...

https://www.rogers.com/customer/support/article/rogers-terms-of-service-netbios-vulnerability

 

The NetBIOS vulnerability page says that you can call 1-888-288-4663 for additional information.

 

If this security warning is not a false positive and you have done all that you can to restrict access to NetBIOS and SMB/CIFS services, then you might need to completely disable file/disk/printer sharing on your router.



I've Been Around
Posts: 1

Re: Exploitable NetBIOS Vulnerability

I received two emails and two phone calls about this issue on UDP port 137, one a week ago and one today. I have a Hitron coda-4582U modem in lock-down mode on High Security, and all devices after it are also protected. A port scan is coming back saying that there are no UDP ports open, and certainly that port 137 isn't open. 
Anyone any idea what I can do? I don't want to be cut off my Rogers.

I'm Here A Lot
Posts: 6

Re: Exploitable NetBIOS Vulnerability

I also received 2 emails and calls saying port 922 UDP was the issue. I was on the phone with 2 Rogers techs today and they couldn't figure it out or provide any useful information.

I did a factory reset of the Apple router and applied all latest firmware updates, closed the NetBIOS ports, and disabled all file sharing/WAN sharing on the router as well. The crazy thing is the techs can't scan right away to let you know if the issue is resolved. You have to wait until the next scan of the network -- whenever that is. So it's a guessing game.

Let's see if anyone else figures this out. They can't seem to provide any useful information to help resolve the issue. My network hasn't changed at all. This all seems to stem from scans starting last week. Seems I'm not the only one, hence this thread.
I Plan to Stick Around
Posts: 10

Re: Exploitable NetBIOS Vulnerability

UPDATE:

So, it seems that having a closed port 137 doesn't seem to be sufficient to "pass" the Rogers test. I have just received a second email and a second voice mail today about port 137. 

 

Aside from ShieldsUp,  I have found this site (below) quite useful, with multiple tests, of which I passed all, except for one (although it just lists port 137 and doesn't indicate if it is closed or not). This site lists a multitude of sites and various tests and offers some good advice.

https://routersecurity.org/testrouter.php

 

In the interim, I am going to try and see if I can narrow down the problem to a specific device. My network has 3 Macs, 2 PCs, 4 tablets and 2 smartphones. I have been assuming that they were all OK, but I think that I will add them back to the network, one at a time, to see what happens. 

 

It would really help if Rogers would let us know what test they are using so that I can make changes on my end to make my home network as "bulletproof" as possible - as their concerns are shared by me 😀

 

As several of you have noted, when you call in to the Rogers techs, they are not able to test to see if any changes made on our end are creating a positive outcome. My fear is that I will keep on testing for the next several evenings and suddenly find myself without internet. I have been a very good client since 1991, but I sort of feel left to my own on this. I'll keep everyone posted. Thank you for your comments. 

I'm Here A Lot
Posts: 6

Re: Exploitable NetBIOS Vulnerability

I've scanned all my ports and they all come back as Filtered. So, I'm not sure what Rogers is expecting either. They need to be clearer to customers exactly what they are expecting otherwise nobody will be able to figure out what they want. 

 

They were complaining that Port 922/UDP was the issue. When I scan it using a number of tools, it comes back as filtered which means the firewall is blocking it. 

 

What are other people getting? If they tell me what to close, I'll close it, but they are offering zero help on what to do. 

 

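The posts above report port 137 as closed, stealthed or filtered without showing what each result means on the wire. This added example (not from any poster or from Rogers) sends the NetBIOS node status query that `nbtstat -A` uses to UDP 137 on an address you own and classifies the answer. `probe_udp137` and `parse_names` are names made up here, and the reply layout assumes an uncompressed name as in RFC 1002.

```python
import socket
import struct

# NetBIOS node status (NBSTAT) query for the wildcard name "*".
# "*" padded with NULs encodes to "CK" followed by 30 "A" characters.
NBSTAT_QUERY = (
    struct.pack(">HHHHHH", 0x1337, 0x0000, 1, 0, 0, 0)  # id, flags, 1 question
    + b"\x20" + b"CK" + b"A" * 30 + b"\x00"             # encoded name
    + struct.pack(">HH", 0x0021, 0x0001)                # type NBSTAT, class IN
)


def parse_names(reply):
    """Return the NetBIOS names listed in a node status reply."""
    # 12-byte header, 34-byte name, then type/class/TTL/rdlength (10 bytes).
    offset = 12 + 34 + 10
    if len(reply) <= offset:
        return []
    names = []
    for i in range(reply[offset]):          # first RDATA byte is the name count
        entry = reply[offset + 1 + 18 * i: offset + 1 + 18 * (i + 1)]
        if len(entry) < 18:                 # truncated reply
            break
        names.append(entry[:15].decode("ascii", "replace").rstrip())
    return names


def probe_udp137(host, port=137, timeout=3.0):
    """Classify the NetBIOS name service port as seen from this machine."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket so ICMP errors surface
        try:
            s.send(NBSTAT_QUERY)
            reply = s.recv(2048)
        except ConnectionRefusedError:
            # ICMP port unreachable came back: host reachable, nothing listening.
            return "closed", []
        except socket.timeout:
            # Silence: the packet was dropped. Port scanners report this as
            # "filtered" (or "open|filtered"); ShieldsUp calls it "stealth".
            return "filtered", []
    # A device answered the query, so the name service is exposed.
    return "open", parse_names(reply)
```

Run it from a host outside your network against your own WAN address. Only an "open" result means a device actually answered a NetBIOS name query from the internet, and the returned names help identify which device it was.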