
Exploitable NetBIOS Vulnerability

stu593
I Plan to Stick Around

Exploitable NetBIOS vulnerability and Rogers threat to deny internet access if not solved

 

Hello. Several days ago, I received a message (followed by a recorded voice mail) that "a device connected to your Rogers Internet is showing signs of an exploitable NetBIOS vulnerability".  My router's name and the port in question (137) were identified in the email message.

 

Since then, I have put several hours into the network trying to fix this problem. The router (a Synology) has been set up to deny ports 135-139 plus 445, in and out (my Rogers router/modem is in bridge mode). The router is also running the Synology Threat Prevention package and it is up to date. The router software is also up to date. All the devices behind the router (PCs, NAS and Macs) have firewalls enabled. I have Sophos Home Premium as my security package for the devices. As I am aware that Windows has NetBIOS enabled by default, I took the extra precaution of setting up each PC's firewall to block ports 135-139, in and out. I also disabled NetBIOS and also disabled the TCP/IP NetBIOS Helper service on both PCs. I also set up my NAS firewall to block the NetBIOS ports (in and out) as I know that a NAS can sometimes be problematic. Lastly, I used the Fing app on my iPhone to test each device for any open ports and all devices came back showing that ports 135-139 were not open (this included some secondary routers in extension mode, smartphones and tablets).

 

When I test for open ports with ShieldsUp, the report comes back with all ports in Stealth mode, except ports 137-139 which are reported as closed, but NOT stealthed. I worry that I won't pass Rogers' test, since these ports are NOT in stealth mode. Any advice would be very, very much appreciated. Thank you in advance.

 


 


Re: Exploitable NetBIOS Vulnerability

RogersTony
Moderator

Hello, @stu593 

 

I know how important it is to have any potential vulnerabilities resolved to ensure you are protected.

 

While I wish this was something we could assist you with directly, we are not trained to resolve these types of issues. We do have several Resident Experts that may be well equipped to assist you in finding a resolution to this matter. I will tag them into this post: @Datalink @Gdkitty @-G-

 

If there is anyone in the Community who has experience with how to resolve the NetBIOS vulnerability please feel free to chime in.

 

Cheers,

RogersTony

Re: Exploitable NetBIOS Vulnerability

I got the same message. I've even blocked that port on my Airport router (I'm in bridge mode). I've had the same setup here for years. So, not sure what they are seeing.

Re: Exploitable NetBIOS Vulnerability

Howard_1
I've Been Around
Same here. I have the Apple Airport Extreme and I’ve been using it for years without any problems. Don’t know why I am getting this now! Just updated the firmware and erased the built-in drive, but still receiving the same email from Rogers. Considering buying the Netgear Orbi from Best Buy.

Re: Exploitable NetBIOS Vulnerability

Someone needs to escalate this issue to Rogers at a higher level. I've updated my apple router to the latest firmware, blocked the ports, and they are still complaining. This is new as of last week. Not sure what else I can do. 

Re: Exploitable NetBIOS Vulnerability

-G-
Resident Expert

@RogersTony wrote:

While I wish this was something we could assist you with directly, we are not trained to resolve these types of issues. We do have several Resident Experts that may be well equipped to assist you in finding a resolution to this matter. I will tag them into this post: @Datalink @Gdkitty @-G-


I don't know what tools the Rogers Security team is using to scan for potentially exploitable network vulnerabilities or what they are specifically scanning for.  The Synology routers and Apple routers (AirPort and Time Capsules) have the ability to share disks and it's possible that resources are being shared on the WAN interface.  I would look at the router configurations and specifically look at what file or disk (or printer) sharing options are enabled.

 

I found a link on how to configure Synology routers to limit SMB access to LAN devices: https://www.synology.com/en-global/security/advisory/Precaution_for_a_PotentialSMBVulnerability

 

Here's another link for how to enable file sharing on the WAN interface on AirPort routers: https://discussions.apple.com/docs/DOC-3413

... so this is something that you need to make sure that you are NOT doing.

 

I also found the following Rogers links:

https://www.rogers.com/customer/support/article/information-regarding-your-rogers-internet-security-...

https://www.rogers.com/customer/support/article/rogers-terms-of-service-netbios-vulnerability

 

The netbios vulnerability page says that you can call 1-888-288-4663 for additional information.

 

If this security warning is not a false positive and you have done all that you can to restrict access to NetBIOS and SMB/CIFS services, then you might need to completely disable file/disk/printer sharing on your router.

Re: Exploitable NetBIOS Vulnerability

agj
I've Been Around

I received two emails and two phone calls about this issue on UDP port 137, one a week ago and one today. I have a Hitron coda-4582U modem in lock-down mode on High Security, and all devices after it are also protected. A port scan is coming back saying that there are no UDP ports open, and certainly that port 137 isn't open. 
Anyone any idea what I can do? I don't want to be cut off my Rogers.

Re: Exploitable NetBIOS Vulnerability

shamusom
I'm Here A Lot
I also received 2 emails and calls saying port 922 UDP was the issue. I was on the phone with 2 Rogers techs today and they couldn't figure it out or provide any useful information.

I did a factory reset of the Apple router and applied all latest firmware updates, closed the NetBIOS ports, and disabled all file sharing/WAN sharing on the router as well. The crazy thing is the techs can't scan right away to let you know if the issue is resolved. You have to wait until the next scan of the network -- whenever that is. So it's a guessing game.

Let's see if anyone else figures this out. They can't seem to provide any useful information to help resolve the issue. My network hasn't changed at all. This all seems to stem from scans starting last week. Seems I'm not the only one, hence this thread.

Re: Exploitable NetBIOS Vulnerability

stu593
I Plan to Stick Around

UPDATE:

So, it seems that having a closed port 137 doesn't seem to be sufficient to "pass" the Rogers test. I have just received a second email and a second voice mail today about port 137. 

 

Aside from ShieldsUp,  I have found this site (below) quite useful, with multiple tests, of which I passed all, except for one (although it just lists port 137 and doesn't indicate if it is closed or not). This site lists a multitude of sites and various tests and offers some good advice.

https://routersecurity.org/testrouter.php

 

In the interim, I am going to try and see if I can narrow down the problem to a specific device. My network has 3 Macs, 2 PCs, 4 tablets and 2 smartphones. I have been assuming that they were all OK, but I think that I will add them back to the network, one at a time, to see what happens. 

 

It would really help if Rogers would let us know what test they are using so that I can make changes on my end to make my home network as "bulletproof" as possible - as their concerns are shared by me 😀

 

As several of you have noted, when you call in to the Rogers techs, they are not able to test to see if any changes made on our end are creating a positive outcome. My fear is that I will keep on testing for the next several evenings and suddenly find myself without internet. I have been a very good client since 1991, but I sort of feel left to my own on this. I'll keep everyone posted. Thank you for your comments. 

Re: Exploitable NetBIOS Vulnerability

I've scanned all my ports and they all come back as Filtered. So, I'm not sure what Rogers is expecting either. They need to be clearer to customers exactly what they are expecting otherwise nobody will be able to figure out what they want. 

 

They were complaining that Port 922/UDP was the issue. When I scan it using a number of tools, it comes back as filtered which means the firewall is blocking it. 

 

What are other people getting? If they tell me what to close, I'll close it, but they are offering zero help on what to do. 

 


Re: Exploitable NetBIOS Vulnerability

stu593
I Plan to Stick Around

Great suggestions, which I will try. Thank you!

Re: Exploitable NetBIOS Vulnerability

stu593
I Plan to Stick Around
I'll be exploring this most of tomorrow I think and I'll update if I find some sort of solution.

Re: Exploitable NetBIOS Vulnerability

The problem @stu593 is, we as customers have no way to tell whether what we are doing works until we get another email from Rogers. What one tech told me today was, when you call in, you have to ask for the timestamp of the scan that generated the email -- because the scan could have happened before we applied these "possible" solutions.

 

Rogers needs to give the customers more specific information if we are to resolve the issue -- especially if we scan the ports and see that they are closed. So, what is Rogers complaining about then?

Re: Exploitable NetBIOS Vulnerability

stu593
I Plan to Stick Around

I THINK THAT I HAVE A SOLUTION … MAYBE 

 

CAVEAT: I will know if this actually worked or not within the next couple of weeks - assuming that “not hearing” anything from Rogers by that time means that I ”passed" their network security test. 

 

My process is basically a system of elimination, with testing of all my devices (16) individually for port problems. There were several surprises in this voyage of discovery. Here is my process, which I have replicated here for those of you interested. Note: Some of you are quite advanced and will likely find this too detailed, but several people are not that familiar with some of these processes and I wanted to provide a bit of helpful guidance. I certainly found several problems which I managed to correct along the way and which have given me complete stealth (at least on the ShieldsUP site) on the most common ports of 1 to 1055 (ShieldsUP explains why they add some extra ports to come up with this number).

 

  1. Secure one of your computers for testing without a router (in my case a MacBook Pro with firewall activated, all Apple updates installed etc. - this was my “test” computer). If you are using Windows, please don’t use Win7 to do this - use a more current version. I use Sophos Home Premium as my security suite (I am not recommending this package - there are problems with it from my perspective - but it is what I am using currently). Why do I suggest this step? Because you will need to test your router to see if it is the problem, or if it is something else. For what it’s worth, I plan on replicating this process using Windows 10 on a desktop PC at a later time. In the interim, maybe someone could provide feedback on section 6.4 below?
  2. Disconnect your home network from the internet. Turn off the wifi on your test computer and plug in a network cable between your Rogers modem/router and your test computer. Remove any additional network cables connected to your Rogers modem/router - you only want your “test computer” linked to the Rogers modem/router.
  3. Put your Rogers modem/router into bridge mode, if it is not already (see here on how to do this: https://www.rogers.com/customer/support/article/bridgemode-coda4582). This disables the router component in the Rogers modem/router, and allows you now to directly access the internet, without a router. If you have not secured your test computer ahead of time, you will likely regret this - just saying. You want to have all the Windows or Apple updates in place; a security suite running (not just AV, but also malware etc.); and the goal is to access a small number of web pages (i.e. “safe” router test sites, not some random dude’s site that may not be legit). The main site I used, that is considered by most as reputable, is ShieldsUp (it does have its detractors) here: https://www.grc.com/x/ne.dll?bh0bkyd2. You don’t want to start surfing the internet at this point in time, with this suggested setup. Another site that I found useful, as it had gathered a plethora of links for testing in one page, is here: https://routersecurity.org/testrouter.php. The author even has your current IP address linked into various test sites on his site.
  4. If you do not know your IP address or how to find it, do a Google search for "what is my ip" and Google will list your current IP address at the very top of the page, in a nice box that says "Your public IP address". You'll need to know this as many test sites will prompt you to enter your IP address. ShieldsUP will also tell you your IP address, note it on a piece of paper for future reference (I collected all my results and added the IP to each test result so that I would not get mixed up in my results). 
  5. Go to the ShieldsUp website. The first thing that you will notice is that your IP address has changed since you disconnected your router - this is normal, as Rogers sees your test computer as a new connection point into their network and assigns you a dynamic IP address. If you are actually paying Rogers for a static IP address, then the rest of these instructions may not apply (can anyone who has a static IP address confirm this?)
  6. At the ShieldsUp website do the following:
    1. Do the UPnP test (big orange button) - you should come back with a pass (all green), since you are not using a router  (do this test as some routers apparently still come with UPNP “on” by default - you can read all about the test results on the test page)
  7. Still on the ShieldsUP website, run the various file and port tests etc., but make sure to do this test: "All Service Ports" - depending on your OS, some ports will come back open. For me, here are the results that I got:
      1. Port 88 is open (Kerberos - Ticket System – part of Apple OS)
      2. Port 548 is open (AFPOVERTCP – part of Apple’s AFP network protocol, is OK)
      3. Interesting discovery: ports 135 and 445 are “stealthed” by Rogers directly (no surprise really, both are major security holes from which an ISP would want to protect its customers). So, in a way, you probably don’t need to block those 2 specific ports within a Windows firewall for example, but I would go ahead and block ports 135-139 and 445 within all your Windows PCs, as those ports are very problematic when it comes to securing your devices.
      4. Q. What ports show up on Windows 8 and 10 PCs? Anyone care to test? I’ll check on my end eventually, but in the interim, if someone could provide this?
  8. Via ShieldsUP, test specifically the port(s) that Rogers has identified as problematic - for me, the email from them identified my problem port as 137 - my results using the test computer came back as all stealthed, perfect! Note: I was not however getting the same results when testing earlier with the Synology router in place (that is, prior to starting this suggested process) - port 137 was listed as "closed" (blue on the nice graphical interface of your test results from ShieldsUP) and not "stealthed" (green). I thought that being "closed" was OK, until I got a second warning from Rogers for that very port which was listed as "closed" by ShieldsUP. By deduction, it looks like all your results from ShieldsUP need to come back as "stealthed", or you will get another warning from Rogers eventually. 
  9. I then tested my test computer via a second test site that I discovered - one that seems to give similar results to what Rogers reports to you in your warning letter. Maybe it's even the site that Rogers uses for its testing (this is an educated guess, deduced from looking at the various results that came back from about a dozen different sites that test for port status - however, I could be totally wrong! ... but I got consistent results throughout this process). I'll be reaching out to some of the Rogers resident experts for their opinions before I say anything else about this site. At any rate, I got a message that my IP address was not found - perfect! BUT … the problem with the second test site results is that I seem to be getting the results from someone else’s IP before it was assigned to me, as the test results are dated from about 6 days ago. Is this why Rogers techs cannot confirm that a customer who worked on their issue has effectively “passed” the Rogers security test? Maybe … but I could be very wrong also - maybe Rogers developed its own in-house test.
  10. So, now I know what are the Mac notebook shieldsUP results, and the test results from that second site (when I went back and tested the next day, I got results that were only about 15 minutes old - and those are the results that I have relied upon since they are very likely mine, given that the IP address was still the same) - and I can now proceed to the next step (I made sure to take lots of notes on the results and printed these out - I found this helpful and it avoided me getting confused with the many test results that I generated).
  11. I then re-connected the Synology router to the Rogers modem/router (still in bridge mode), and as expected, Rogers assigns a new IP address… and …  ShieldsUp reports port 137 closed, but not stealthed. Uh oh, not good!  As noted a bit earlier, this is a problem as I already got a second notice from Rogers identical to the first, a bit earlier this week. So, either something isn’t setup right with the router, or the router cannot actually stealth its closed ports (this was confirmed in later research).
  12. I then removed the cable connecting to the Synology modem since it is a problem (and to avoid a possible 3rd negative test and warning email from Rogers since I don't have a clue when the next test will be done - could be that very day) and proceeded with further testing of my other devices by adding them individually to my home network (which I am glad I did BTW, as you will read a bit later).
  13. Based on those results for the Synology router, I took the Rogers modem/router out of bridge mode (by doing a factory reset) and set up a wifi network. Of course, the original reason why I put the Synology router into place was because the Coda router has lousy Wifi signal in my residence (and I now had the very same issue again). I tested the Rogers modem/router via ShieldsUP and everything came back stealthed. Perfect! I then tested with that second site (that I suspect Rogers possibly uses for testing) and the site reported that my IP address couldn’t be found. Perfect (For that 2nd testing site: I can only assume that if a site or IP address cannot be read, then it sends back a "not found" message which suggests that the IP is likely stealthed. If however a site can be read, this 2nd testing site appears to offer up the most recent report it has on file, and not the immediate test result, as some of those tests came back with dates from 2 to 6 days ago and some were from earlier today - this is just speculation on my part though, but the information offered on this 2nd site seems to corroborate this).
  14. I then setup the Synology router behind the Coda router to give access to the internet to my other devices. As expected, as the Synology is now behind the Rogers router, all my tests came back as stealthed or no IP detected.
  15. Added back to the home network an Apple AirPort Extreme (an old router I keep to extend the range of the Synology) and … what … port 135 is no longer reported as stealthed by ShieldsUP!. How is this possible given that Rogers appears to already stealth this port for its customers? And that anything behind a main router (the Rogers Coda) is supposed to be opaque to outside probes? I test using the second test site and no IP address can be found. This is weird, so I retest with ShieldsUP and the test results have changed - ShieldsUP reports that all ports are stealthed. What???
  16. I then tested an Airport Express hooked into my home theatre and sound system - and I get exactly the same results as with the Apple Extreme - port 135 is closed, but not stealthed. How is this possible? I redo the test and the results now show all ports are now stealthed and IP address not found by that second site. A wild guess here: somehow Rogers manages to stealth that port on the second try? I shouldn’t be concerned I guess, as the Rogers warning was for port 137 and not port 135 (at least, I hope not).
  17. I then added in the remaining PCs and an older Mac to the home network (all with firewalls activated, ports 135-139 + 445 blocked) - all ports stealthed and IP address still hidden, except for those connected to the Apple Extreme router (same results as in item 15).
  18. Added tablet and smartphone devices -  all ports remain stealthed and IP address still hidden. Ran Fing (app for smartphone - I really like this app) to check for open ports on all devices. All good.
  19. I don’t have time to figure out what is happening with those older Apple Routers - so I pulled them and replaced these with the Synology router and an extra switch box (ran out of ports on the Synology router) - I am assuming that all ports will remain stealthed and IP address still hidden. Confirmed by the test results.
  20. I decided NOT to test my NAS on the network, which is still being setup and well, because it is a Synology NAS and now I am quite leery of it - given my experience with the Synology router that is supposed to be locked down, but actually isn't (it's pretty buggy and many of the bugs I found were confirmed by others in 2 different Synology forums). What a waste of time, money and effort it feels like. 
  21. I decide to purchase a new router, which I expect to arrive in the next couple of days. I’ll put the Rogers modem/router at that time back into bridge mode and test that new router.
  22. I then wait and, if I hear nothing from Rogers in the next couple of weeks, I will assume then that I am in the clear. I will continue to monitor my network with that second site that I think Rogers may be using to test its network, and will update this page should my test results change. If I do not hear back from Rogers (I sure wish someone at Rogers could confirm at least, instead of waiting on pins and needles), in other words I have “passed", then even if that second site is not the correct one (maybe Rogers built its own test), that 2nd site would logically still serve as a secondary reference point for your own testing.

 Notes:

  1. Remember - You want the rest of your home network totally isolated from your test computer during this suggested process of elimination (For my home network, I left those old Apple routers in place as extenders for my home network. I left these running, so that I could do some printing on a report that I was working on, but the entire network was separated from the internet.). Since they were sitting behind my Synology router, and the Synology router was disconnected from the Rogers modem/router, I could continue running a local network, but without internet access. Wifi was not running at this point.
  2. Synology router fail: I have to say that having spent many hours reading and fine-tuning the Synology router, I have not been able to secure it. I thought that I had done a decent job when I first got it and I relied on some very well done YouTube sites that had a series of lessons set up to walk you through the various functions and security settings. I spent hours watching and learning from those videos. What I can conclude is that Synology simply has some weird ways of doing things (based on their unique SRM), especially the process for blocking ports - and even when you dig in and change settings, the built-in security advisor wizard tells you that you are still not secure, despite following the advisor's instructions to the letter. So, you repeat the instructions, reboot (just in case) and … you get the same error messages. For me, this is a fail, as it tells me that I cannot trust this router. There are a lot of glowing statements about the security of the Synology router, but in my many hours spent trying to secure it, I found that many setup default settings were simply wrong or not activated (yikes) or really hard to find - if you trusted the defaults, then you would be living with a very insecure router (firewall on is not a default setting, for example - this is another fail IMHO). With respect to port 137, checking with support and with other users, I discovered that all that router can do is block incoming and outbound port connects for ports 135-139 for example (those are problematic ports for security) but you cannot actually hide the port (i.e. when it is blocked via the Synology firewall, it still responds to outside probes and does not go silent like I expected). I would never have expected this, but both test sites I used clearly showed that I was wrong.
  3. Rogers: Silence is golden they say, but I will have to live with the stress of not knowing immediately if my IP address is secured. I sort of resent this, as I really need my internet connection to gain a living and I really feel on my own here. I generally appreciate Rogers but I think that Rogers could do a better job by offering some better resources (things to try besides running your AV software) to its customers. There should at least be some sort of FAQ page that would answer some of the basic questions that we need information on in order to figure out how to manage these cryptic emails. Maybe I should start a FAQ? Maybe this is the start of one?

 

CONCLUDING REMARKS:

 

I basically spent 3 days full-time this week researching, learning and applying some of the stuff I learnt. There are a lot of opinions out there and I quickly learnt that just because someone had a strong and well-articulated opinion that it didn’t mean that they really knew what they were talking about - they might know some things very well but it was too narrow in scope, or they were too techie and couldn’t be bothered to better explain their expert advice. I can understand the latter point of view (“RTFM you lazy person”) but they weren’t nearly as helpful as they assumed they would be, IMHO.

 

The home consumer router business is a mess IMHO - while searching for a new router, I was quite interested in security this time around, as opposed to speed and other interesting functions. I narrowed down my choices to about 4-5 routers but while reading reviews, and now being a bit more knowledgeable about routers and security, I realized that consumers really do trust the router providers to offer users at least a minimally safe setup. To the contrary, this is not the case and I was disheartened to see so many routers with default settings that were wrong, or had not been activated by default, or lacked security features that were essential in this online environment which so much now resembles a “digital war age”. In other words, some routers were being sold to trusting consumers who, if they weren’t so inclined (and that would include me normally) to learn a bit more about their devices, would simply expect their routers to be safe. So, in a strange way, Rogers is responsible with its cryptic warnings for pushing me to figure this out on my own and I don’t think that what I learnt will be wasted. I certainly am very far from being an expert, but I now know enough to ask better questions and to watch for certain minimal functions within a router that are essential to online safety.

 

Lastly, there are some very kind and helpful people out there and to them, even though we have never met, I say thank you for sharing your time, expertise and suggestions.
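The closed-versus-stealthed distinction that runs through steps 8 and 11 and note 2 above comes down to what a probe of UDP/137 gets back: an ICMP port-unreachable message ("closed", which is what a firewall REJECT rule produces) or nothing at all ("stealthed", what a DROP rule produces). The following Python script is an added example, not code from this thread, from ShieldsUP or from Synology: it sends the same NetBIOS name-status query that port-137 checkers use, classifies the reply as open, closed or stealth, and decodes a constructed sample reply so the parser can be exercised offline; the host names and MAC in the sample are made up.

```python
"""Classify how one host answers a NetBIOS name-status (NBSTAT) query on UDP/137.

Added example for this thread (not code from the thread, ShieldsUP or any vendor in it):
  open    - a NetBIOS name service answered; its name table and MAC are decoded
  closed  - nothing listened, but ICMP port-unreachable came back (a firewall REJECT)
  stealth - no reply before the timeout (a firewall DROP, or nothing there)
"""
import socket
import struct

NBNS_PORT = 137
NBSTAT_TYPE = 0x0021     # node status record type (RFC 1002)
CLASS_IN = 0x0001


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 14.1): 16 raw bytes become 32 letters A..P."""
    if name == "*":
        raw = b"*" + b"\x00" * 15                      # wildcard name used by NBSTAT
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(ord("A") + (b >> 4))            # high nibble
        encoded.append(ord("A") + (b & 0x0F))          # low nibble
    return bytes([32]) + bytes(encoded) + b"\x00"      # label length, label, root label


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """Header (id, flags=0, QDCOUNT=1, other counts 0) plus one '*' NBSTAT question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_netbios_name("*") + struct.pack(">HH", NBSTAT_TYPE, CLASS_IN)


def parse_nbstat_response(data: bytes) -> dict:
    """Decode the name table and unit id (MAC address) from an NBSTAT reply."""
    txid, flags, _qdcount, ancount = struct.unpack(">HHHH", data[:8])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBSTAT response")
    pos = 12 + 34                                      # header + encoded answer name
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):                         # 18-byte entries: name, suffix, flags
        entry = data[pos:pos + 18]
        pos += 18
        name = entry[:15].rstrip(b" ").decode("ascii", "replace")
        group = bool(struct.unpack(">H", entry[16:18])[0] & 0x8000)
        names.append((name, entry[15], group))
    mac = ":".join("%02x" % b for b in data[pos:pos + 6])
    return {"txid": txid, "names": names, "mac": mac}


def probe_udp137(host: str, timeout: float = 2.0) -> str:
    """Return 'open', 'closed', 'stealth' or 'error' for host:137/udp."""
    txid = 0x4242
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, NBNS_PORT))  # connected socket: Linux reports ICMP errors on it
        sock.send(build_nbstat_query(txid))
        return "open" if parse_nbstat_response(sock.recv(1024))["txid"] == txid else "error"
    except ConnectionRefusedError:
        return "closed"                  # ICMP port unreachable came back
    except socket.timeout:
        return "stealth"                 # silence: dropped by a firewall, or nothing there
    except (OSError, ValueError):
        return "error"
    finally:
        sock.close()


def build_sample_response(txid: int = 0x1234) -> bytes:
    """Constructed NBSTAT reply from an imaginary Windows PC (sample data, not a capture)."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    entries = [("WORKSTATION1", 0x00, 0x0400),         # unique workstation name
               ("WORKGROUP", 0x00, 0x8400),            # group name (bit 15 of flags set)
               ("WORKSTATION1", 0x20, 0x0400)]         # <20> file server service
    rdata = bytes([len(entries)])
    for name, suffix, nb_flags in entries:
        rdata += name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", nb_flags)
    rdata += bytes.fromhex("001122334455") + b"\x00" * 40   # unit id, then statistics block
    rr = encode_netbios_name("*") + struct.pack(">HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_udp137(sys.argv[1]))   # e.g. your own public IP, from outside
    else:
        print(parse_nbstat_response(build_sample_response()))
```

Run it from a machine outside your own network against your own public IP; a Synology firewall rule that merely blocks the port will show as "closed", which matches what note 2 above observed.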

Re: Exploitable NetBIOS Vulnerability

alextsuk
I've Been Around

A few weeks ago I started receiving these exploitable NetBIOS vulnerability messages from Rogers (every Monday at the same time). After spending weeks and checking all possible devices at home, I found this forum and decided to use ShieldsUP! to test the Rogers modem for open ports. Found most of the ports closed, three open and just two stealth. I recalled that the Rogers messages started coming in after we replaced our previous apparently faulty Rogers modem with a new one that Rogers sent us by mail (not from a Rogers store). I decided to restore factory default settings of the modem from a computer, but it didn't work. I reset the modem at the back with a paper clip and only then managed to restore the factory settings from the computer. I ran the ShieldsUP! test again and got all the ports as stealth. After that I stopped receiving Rogers's messages.

In conclusion, it turned out that the Rogers's modem/router itself was triggering these annoying weekly messages with the claims that one of the internet-connected devices in our home was showing signs of an exploitable NetBIOS vulnerability and with the warnings that our internet service might be suspended. Rogers tests and the people running them were not able to pinpoint the source of the problem, which was their own modem. In addition, we found out that Rogers sent us a used modem without even bothering to restore the factory settings. 

I hope my comment would help other Rogers customers who have been receiving the exploitable NetBIOS vulnerability messages from the company.

 

Re: Exploitable NetBIOS Vulnerability

Can Rogers spend $300 to get a Synology NAS device from Best Buy and figure out why the false alarm?

Re: Exploitable NetBIOS Vulnerability

DHdh1
I've Been Around

alextsuk's post was spot on for me too!

"New" Rogers modem installed a few weeks ago and now I received a NetBIOS vulnerability email. On the phone Rogers claimed it couldn't have been caused by the modem, but that was the only new piece of hardware in the setup...

Ran a ShieldsUP! test to find very few ports were stealth and a few wide open! A hard reset of the Hitron modem (10s hold with the pin button at the back) and now the ShieldsUP! test shows every port is in stealth.

This really needs to be included as part of the email or tech troubleshooting - step 1. 

Re: Exploitable NetBIOS Vulnerability

GS05
I've Been Around
In my case it was an iPhone that was not updated in a very long time

Re: Exploitable NetBIOS Vulnerability

I did the same thing with the same results, and it seems (via ShieldsUP! reports) that my setup is in full 'stealth' mode now and hopefully this means that Rogers can stop telling me that I have a violation -- especially since it was based in THEIR "new" modem. Thank you for posting this information, @alextsuk.