Vulnerability Development mailing list archives

Re: CacheFlow external listener 137/udp


From: "Shoten" <shoten () starpower net>
Date: Wed, 23 May 2001 16:00:01 -0400

Have you verified that the listener is interactive at all?  From what they
are saying, it merely fires back a response whenever it gets tickled.  I'm
pretty paranoid, but if all it does is notice when it gets contacted at all,
then I would not be enormously perturbed about it as a security viability.

On the flipside, however, I could see how it could be used for a bandwidth
amplification attack...you could always filter at the border router to block
UDP 137 if you're really bothered that much.


An nmap scan of the outside of our new CacheFlow OS 3.1.16 systems reveals
a process listening on port 137/udp. According to the vendor it "is open as
a workaround for older versions of IE that would not run Java applets until
name resolution for the server has occurred or timed out. CacheOS does not
use or support netbios.  The response sent to queries on this port are
static "canned" responses and is only sent to improve the responsiveness of
IE browsers using the Web Console."

CacheFlow OS runs on the very well known x86 CPU instruction set which can
be dug into by anyone with the time to do so. Buffer overflow or other
vulnerabilities could exist. How to test? Using x86 assembler instructions
to perform intrusions?

A UDP port 137 listener on the outside interface is a concern. We ask the
vendor for instructions on how to turn it off. (No response yet.) We don't
administer the boxes from the outside.
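
Added example, not part of the original posts or of any vendor code: a small offline check for the two questions raised in this thread, namely whether the replies on 137/udp are really static "canned" responses and how large the reply is relative to the query (the amplification concern). The payloads are constructed here from the RFC 1002 node status layout, not captured from a CacheFlow device, and all function names are hypothetical.

```python
import struct

NBSTAT = 0x0021  # node status question/record type (RFC 1002)

def nb_name(raw16: bytes) -> bytes:
    """First-level encode a 16-byte NetBIOS name (each nibble -> 'A'..'P')."""
    enc = bytes(b for c in raw16 for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + enc + b"\x00"

def parse_header(payload: bytes):
    """Return (txid, is_response, qdcount, ancount) from the 12-byte header."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    return txid, bool(flags & 0x8000), qd, an

def amplification(request: bytes, response: bytes) -> float:
    """UDP payload bytes sent back per payload byte received."""
    return len(response) / len(request)

def is_canned(responses) -> bool:
    """True if every reply is byte-identical once the echoed txid is ignored."""
    replies = [r for r in responses if parse_header(r)[1]]
    return bool(replies) and len({r[2:] for r in replies}) == 1

# --- constructed sample capture (not taken from a CacheFlow device) ---
WILDCARD = nb_name(b"*".ljust(16, b"\x00"))

def sample_query(txid: int) -> bytes:
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + WILDCARD + struct.pack("!2H", NBSTAT, 1)

def sample_reply(txid: int) -> bytes:
    entry = b"EXAMPLE".ljust(15) + b"\x00" + struct.pack("!H", 0x0400)  # one name
    rdata = bytes([1]) + entry + bytes(46)  # name count, entry, zeroed statistics
    rr = struct.pack("!2HIH", NBSTAT, 1, 0, len(rdata)) + rdata
    return struct.pack("!6H", txid, 0x8400, 0, 1, 0, 0) + WILDCARD + rr

if __name__ == "__main__":
    q, replies = sample_query(0x1111), [sample_reply(0x1111), sample_reply(0x2222)]
    print("reply/request bytes:", len(replies[0]), "/", len(q))
    print("amplification factor: %.2f" % amplification(q, replies[0]))
    print("static canned replies:", is_canned(replies))
```

Feeding it payloads captured at the border instead of the constructed samples gives the real ratio, which is the number that matters when deciding whether to filter UDP 137.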


