[SID: 21802] SMB Server Transaction Name BO Detected

Today was an interesting day. The UPS on the HP EVA and Blade rack decided to have an issue and Mac clients were unable to connect to SMB shares. I spent the morning engaged in trying to figure out why certain Macs were unable to connect. They would get prompted for a password… then fail to connect. After that they could not ping or do a traceroute to the SMB server. I asked the folks supporting our network switches to take a look.

Then, while checking to ensure we did not have any physical issues with the switches (visual inspection), I noticed that the UPS supporting our blade servers and HP SAN was showing an error light. Reporting that issue took two and a half hours and took me away from the Mac issue.

When I was finally able to get to my messages from the several phone calls I had missed while on the phone with HP, the first one told me that the network guys had done some packet tracing and found that the server was not responding to the Mac clients that were having the issue. This prompted me to start looking at SEP 11 to see if Symantec was causing an issue.

“Traffic from IP Address 000.00.0.000 is blocked from 10/22/2009 3:09:553 pm to 10/22/2009 3:19:53 pm.  [SID: 21802] SMB Server Transaction Name BO Detected”

1800+ messages like the one above littered the log files. The 000.00.0.000 is what it actually read; there are no protected innocent IP addresses. Did we find a Mac virus that caused problems with SMB? A Google search turned up only the following explanation of this ‘detection’.

“Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Microsoft Windows is prone to a remote denial-of-service vulnerability because the operating system fails to properly handle network traffic.

This issue is triggered by specially crafted TCP network packets with destination ports set to 445 or 139. This occurs when SMB_COM_TRANSACTION messages with a non-NULL-terminated are sent to vulnerable computers. The malformed SMB PIPE traffic causes a NULL-pointer dereference in the ‘srv.sys’ server driver, resulting in denial-of-service conditions.

This issue may cause affected computers to crash, denying service to legitimate users. Code execution is reportedly not possible, but this has not been confirmed.

Reports indicate that this issue may be currently exploited in the wild, but this has not been confirmed.”

What was odd is that not all of our Macs were affected, just the ones running 10.5.8. I have a machine running 10.6.2 and there was no issue with it. The pattern of hits on the intrusion detection started with a small number and grew throughout the day. It looked like a malware pattern, but it could have been just more users trying to connect. We decided to submit the packet captures to Symantec. While one of us was on hold with Symantec, I found the following information:

“This is a known false positive. Symantec Support is asking users that are seeing this issue to open a case ASAP.”

We waited for confirmation from Symantec that it was indeed a false positive and, once it was confirmed, took steps to mitigate the issue. I just have to love anti-virus/malware companies whose products actually cause a denial of service while claiming to prevent one.
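As an added triage example, not code from the original post, the following Python parses SEP block messages of the shape quoted above and summarizes them per source IP and per hour, which is the quickest way to see whether one signature is tripping on many ordinary clients. The log lines and IP addresses are constructed, and the timestamp format is assumed to be month/day/year with a 12-hour clock as in the quoted message.

```python
import re
from collections import Counter
from datetime import datetime

# Shape of the SEP 11 block message quoted in the post; the timestamp
# layout (M/D/YYYY H:MM:SS am/pm) is assumed from that single quoted line.
PATTERN = re.compile(
    r"Traffic from IP Address (?P<ip>[\d.]+) is blocked from "
    r"(?P<start>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [ap]m) to "
    r"(?P<end>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [ap]m)\.\s*"
    r"\[SID: (?P<sid>\d+)\] (?P<name>.+)$",
    re.IGNORECASE,
)
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"

def parse_block(line):
    """Return a dict for one block message, or None if the line does not match."""
    m = PATTERN.search(line.strip())
    if not m:
        return None
    return {"ip": m["ip"], "sid": int(m["sid"]), "name": m["name"].strip(),
            "start": datetime.strptime(m["start"], TS_FORMAT),
            "end": datetime.strptime(m["end"], TS_FORMAT)}

def summarize(lines, sid=21802):
    """Per-source-IP block counts and a per-hour histogram for one SID.
    Many distinct internal addresses tripping one signature over a few hours
    is the shape of a false positive hitting normal clients, not one attacker."""
    per_ip, per_hour, blocked_minutes = Counter(), Counter(), 0.0
    for line in lines:
        rec = parse_block(line)
        if rec is None or rec["sid"] != sid:
            continue  # unparseable line or a different signature
        per_ip[rec["ip"]] += 1
        per_hour[rec["start"].strftime("%Y-%m-%d %H:00")] += 1
        blocked_minutes += (rec["end"] - rec["start"]).total_seconds() / 60
    return {"per_ip": dict(per_ip), "per_hour": dict(sorted(per_hour.items())),
            "distinct_sources": len(per_ip), "blocked_minutes": blocked_minutes}

# Constructed sample log lines; addresses and times are made up, not from the post.
SIG = "[SID: 21802] SMB Server Transaction Name BO Detected"
SAMPLE_LOG = [
    f"Traffic from IP Address 192.0.2.10 is blocked from 10/22/2009 9:05:12 am to 10/22/2009 9:15:12 am.  {SIG}",
    f"Traffic from IP Address 192.0.2.11 is blocked from 10/22/2009 11:40:03 am to 10/22/2009 11:50:03 am.  {SIG}",
    f"Traffic from IP Address 192.0.2.10 is blocked from 10/22/2009 11:52:30 am to 10/22/2009 12:02:30 pm.  {SIG}",
    f"Traffic from IP Address 192.0.2.12 is blocked from 10/22/2009 3:09:53 pm to 10/22/2009 3:19:53 pm.  {SIG}",
    f"Traffic from IP Address 192.0.2.13 is blocked from 10/22/2009 3:11:00 pm to 10/22/2009 3:21:00 pm.  {SIG}",
    f"Traffic from IP Address 192.0.2.10 is blocked from 10/22/2009 3:14:45 pm to 10/22/2009 3:24:45 pm.  {SIG}",
    "Traffic from IP Address 192.0.2.50 is blocked from 10/22/2009 3:16:00 pm to 10/22/2009 3:26:00 pm.  [SID: 99999] Other Signature",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```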

Some questions still linger:

  1. Why would an OS X connection match this ‘signature’?
  2. Why would OS X 10.5.8 be different from 10.6.2?

Joy!

That, my friends, is why I use Ubuntu at home.


5 Responses to [SID: 21802] SMB Server Transaction Name BO Detected


  5. Are you a writer? Do you write for any other blogs? Nicely done, Steven.
