CVE-2000-0673 Vulnerability: Full Overview

Published: 01/20/2026

Written by: Nadine Rozell


What is the CVE-2000-0673 vulnerability?

CVE-2000-0673 is a classic Denial of Service (DoS) vulnerability affecting the NetBIOS Name Server (NBNS) protocol in older versions of Microsoft Windows (Windows 2000 and NT 4.0).

While this vulnerability is over two decades old, it highlights a fundamental flaw in early network protocols: the lack of authentication. It allows a remote attacker to force a computer to drop its network name, effectively disconnecting it from local network services like file sharing and printing.

This page details the mechanics of this protocol abuse, its historical significance, and why blocking NetBIOS remains a critical security practice today.

CVE-2000-0673 is a NetBIOS Name Server Protocol Spoofing vulnerability.

The NetBIOS protocol is used by Windows computers to register and resolve names on a local network (e.g., mapping the name CEO-LAPTOP to an IP address). The flaw exists because the protocol accepts specific management packets—specifically "Name Conflict" or "Name Release" datagrams—without verifying the identity of the sender.

An attacker can spoof these packets to trick a target machine into believing its name is already in use by another computer. In response, the victim machine dutifully "releases" its name and stops responding to network requests, causing a Denial of Service.

When was it discovered?

The vulnerability was publicly disclosed on July 27, 2000. It was addressed by Microsoft in Security Bulletin MS00-047, released the same day.

Affected products & versions

This vulnerability primarily affects legacy Microsoft operating systems that rely heavily on NetBIOS over TCP/IP.

| Product | Versions Affected | Fixed Versions |
|---|---|---|
| Microsoft Windows 2000 | Professional, Server, Advanced Server | SP2 or MS00-047 |
| Microsoft Windows NT | Version 4.0, Terminal Server | SP6a or MS00-047 |

CVE-2000-0673 technical description

The vulnerability abuses the NetBIOS Name Service, which operates on UDP port 137.

When a Windows machine joins a network, it broadcasts a "Name Registration" request. If another machine claims that name, it sends a negative response, and the new machine backs off.

In this attack, the target machine is already running. The attacker sends a spoofed Name Release or Name Conflict datagram directly to the target on UDP 137. The target's NBNS service receives this packet and interprets it as an authoritative command from the network indicating that its name is invalid or in conflict.

Because the protocol (by design in 2000) did not require authentication for these control packets, the target machine accepts the command and unregisters its name. It effectively becomes invisible to other computers on the network, breaking file sharing, printer access, and domain login capabilities.

Tactics, techniques & procedures (TTPs)

While not used for data theft, this technique was a popular tool for disruption and pranking at LAN parties and on corporate networks in the early 2000s.

  • Delivery: Sending UDP datagrams to port 137.

  • Exploitation: Tools (often simple C programs or scripts) generated spoofed "Conflict" packets targeting the victim's IP.

  • Impact: The victim sees a Windows system tray error: "The system detected a conflict for IP address..." and subsequently loses connectivity to SMB shares and other NetBIOS-dependent services.

Indicators of compromise

  • System Errors: Users report "Duplicate Name Exists on the Network" pop-up errors on their desktop.

  • Network Logs: Firewalls or sniffers showing unsolicited UDP traffic on port 137 coming from unexpected internal IPs.

  • Service Failure: Inability to access the machine by its hostname (e.g., \\FILESERVER), while access via raw IP address might still work temporarily.
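Added example, not part of the original page: a Python triage check for the network-log indicator above. It parses the RFC 1002 header of a captured UDP/137 payload and flags Name Release requests and negative registration (conflict) responses sent by hosts that neither hold the name nor are a trusted name server. The `OWNERS` and `NAME_SERVERS` inventories, the IP addresses and the sample payloads are constructed assumptions.

```python
import struct

RELEASE, REGISTRATION = 6, 5  # RFC 1002 OPCODE values
ACT_ERR, CFT_ERR = 6, 7       # RCODEs: name active elsewhere / name in conflict

def decode_name(payload, offset=12):
    """Decode the first-level-encoded NetBIOS name that follows the header."""
    enc = payload[offset + 1:offset + 33]
    if len(enc) != 32 or payload[offset] != 32 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("no valid encoded name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def classify(src_ip, payload, owners, name_servers):
    """Verdict for one UDP/137 payload. owners: name -> expected IP (assumed inventory)."""
    if len(payload) < 12:
        return "malformed"
    flags = struct.unpack("!H", payload[2:4])[0]
    is_response, opcode, rcode = flags >> 15, (flags >> 11) & 0xF, flags & 0xF
    try:
        name, _suffix = decode_name(payload)
    except ValueError:
        return "malformed"
    is_owner = owners.get(name) == src_ip
    # A release request should only ever come from the host that holds the name.
    if not is_response and opcode == RELEASE and not is_owner:
        return f"ALERT release of {name} from {src_ip}"
    # Negative registration responses are expected from the owner or a name server.
    if (is_response and opcode == REGISTRATION and rcode in (ACT_ERR, CFT_ERR)
            and not is_owner and src_ip not in name_servers):
        return f"ALERT conflict for {name} from {src_ip}"
    return "ok"

# Constructed sample data (truncated after the name field); not real captures.
NAME = b"\x20" + b"EGEJEMEFFDEFFCFGEFFCCACACACACACA" + b"\x00"  # encodes "FILESERVER"
OWNERS = {"FILESERVER": "10.0.0.5"}
NAME_SERVERS = {"10.0.0.2"}
SAMPLES = [
    ("10.0.0.5", bytes.fromhex("123430000001000000000001") + NAME),   # release by owner
    ("10.0.0.77", bytes.fromhex("123530000001000000000001") + NAME),  # release by other host
    ("10.0.0.77", bytes.fromhex("0000ad870000000100000000") + NAME),  # conflict response
    ("10.0.0.77", bytes.fromhex("123601100001000000000000") + NAME),  # ordinary name query
]

def run_samples():
    return [classify(ip, pkt, OWNERS, NAME_SERVERS) for ip, pkt in SAMPLES]

if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

UDP source addresses can be forged, so an "ok" verdict is not proof of legitimacy; treat alerts as triage signals alongside the host-side errors listed above.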

Known proof-of-concepts & exploits

Exploit code for this vulnerability is trivial and has been public since 2000.

The attack does not require a complex buffer overflow; it simply requires crafting a standard NetBIOS packet with the "Release" flag set. This functionality was often included in "nuke" tools—simple denial-of-service applications popular in the late 90s and early 2000s.

How to detect the CVE-2000-0673 vulnerability?

  • Port Scanning: Identify any legacy systems listening on UDP 137 (NetBIOS Name Service).

  • OS Fingerprinting: Vulnerability scanners will flag Windows 2000 or NT 4.0 systems that are missing the MS00-047 patch (though these systems are End-of-Life and universally vulnerable to newer exploits).

Impact & risk of the CVE-2000-0673 vulnerability

The risk was Medium (CVSS 5.0) at the time of discovery.

The impact is limited to Availability. It does not allow remote code execution or privilege escalation. However, in a legacy environment where critical industrial or medical equipment might still run NT 4.0, a simple spoofed packet could disrupt operations without triggering advanced alarms.

Mitigation & remediation strategies

For modern environments, the mitigation is standard security practice:

  • Disable NetBIOS: Disable NetBIOS over TCP/IP on network adapters. Modern Windows networks use DNS for name resolution and do not require NBNS.

  • Block Port 137: Ensure your perimeter firewalls block UDP ports 137, 138 and TCP port 139. These ports should never be exposed to the internet.

  • Decommission Legacy OS: Remove Windows 2000 and NT 4.0 systems from the network. If they are required for legacy applications, isolate them in a strictly firewalled VLAN (air-gapped if possible).

CVE-2000-0673 Vulnerability FAQs

Q: What is CVE-2000-0673 and how does it work?

A: It is a vulnerability in the old NetBIOS protocol. An attacker can send a fake "Name Conflict" signal to a computer. The computer believes another machine has the same name and disconnects itself from the network to avoid trouble, causing a Denial of Service.

Q: Is CVE-2000-0673 still a threat in 2025?

A: Only to legacy systems. Modern Windows versions rely on DNS and are secure against this specific spoofing technique by default configuration. However, if you are still running Windows 2000 or NT 4.0, you remain vulnerable.

Q: Can this vulnerability be used to hack into a computer?

A: No. It is purely a Denial of Service (DoS) attack. It knocks the computer off the network but does not give the attacker access to files or the ability to run programs.

Q: How do I fix this?

A: The best fix is to disable NetBIOS over TCP/IP in your network adapter settings and rely on DNS for name resolution. If you must use legacy systems, firewall UDP port 137 to prevent attackers from sending the spoofed packets.
