Rule Category

NETBIOS -- Snort has flagged traffic on the NetBIOS protocol, which is used to share files across a local network.

Alert Message

NETBIOS MikroTik RouterOS buffer overflow attempt

Rule Explanation

This event is generated when an attacker attempts to exploit a buffer overflow vulnerability present in the MikroTik RouterOS NetBIOS service.

Impact: Attempted User Privilege Gain

Details: Rule checks for an attempt to exploit a buffer overflow vulnerability present in the MikroTik RouterOS NetBIOS service.

Ease of Attack: Medium

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Rule Vulnerability

CVE Additional Information

CVE-2018-7445
A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it. All architectures and all devices running RouterOS before versions 6.41.3/6.42rc27 are vulnerable.