Skip to main content

CVE-1999-1222: Netbt.sys in Windows NT 4.0 allows remote malicious DNS servers to cause a denial of service (crash)

Medium
VulnerabilityCVE-1999-1222cve-1999-1222denial of service
Published: Fri Dec 31 1999 (12/31/1999, 05:00:00 UTC)
Source: NVD
Vendor/Project: microsoft
Product: windows_nt

Description

Netbt.sys in Windows NT 4.0 allows remote malicious DNS servers to cause a denial of service (crash) by returning 0.0.0.0 as the IP address for a DNS host name lookup.

AI-Powered Analysis

AILast updated: 07/01/2025, 11:42:05 UTC

Technical Analysis

CVE-1999-1222 is a medium-severity vulnerability affecting the Netbt.sys driver in Microsoft Windows NT 4.0. This vulnerability arises when the system performs DNS host name lookups and receives a response from a remote DNS server containing the IP address 0.0.0.0. The Netbt.sys driver, responsible for NetBIOS over TCP/IP functionality, does not properly handle this specific DNS response, leading to a denial of service (DoS) condition by causing the system to crash. The vulnerability is exploitable remotely without authentication, as an attacker controlling or spoofing a DNS server can send crafted DNS responses to trigger the crash. The CVSS v2 score is 5.0, reflecting a medium severity with network vector, low attack complexity, no authentication required, and impact limited to availability (system crash). There is no patch available for this vulnerability, and no known exploits have been reported in the wild. The affected product is Windows NT 4.0, an operating system released in the mid-1990s and long out of official support. The vulnerability specifically impacts the Netbt.sys component, which handles NetBIOS name resolution over TCP/IP, a protocol still used in legacy environments for network resource sharing and name resolution. Given the age of the affected system and lack of patch, this vulnerability remains a risk primarily in legacy or isolated environments where Windows NT 4.0 is still operational.

Potential Impact

For European organizations, the impact of this vulnerability is largely confined to legacy systems still running Windows NT 4.0, which are rare but may exist in industrial control systems, embedded devices, or legacy application environments. Successful exploitation results in a denial of service by crashing the affected system, potentially disrupting critical services relying on these legacy machines. This could lead to operational downtime, loss of availability of network resources, and increased recovery costs. Since the vulnerability does not affect confidentiality or integrity, the primary concern is availability. In environments where Windows NT 4.0 systems are integrated into larger networks, a DoS could cascade to affect dependent services or users. However, modern Windows versions and network infrastructure are not affected, limiting the scope of impact. European organizations with legacy infrastructure in sectors such as manufacturing, utilities, or government may face higher risk if these systems are exposed to untrusted DNS servers or external networks.

Mitigation Recommendations

Given the absence of an official patch, mitigation requires compensating controls. Organizations should isolate Windows NT 4.0 systems from untrusted networks, especially the internet, to prevent exposure to malicious DNS responses. Network segmentation and firewall rules should restrict DNS traffic to trusted internal DNS servers only. Employ DNS filtering or DNS security extensions (DNSSEC) where possible to validate DNS responses and block spoofed or malicious replies. Monitoring network traffic for anomalous DNS responses returning 0.0.0.0 can help detect exploitation attempts. Where feasible, plan and execute migration away from Windows NT 4.0 to supported operating systems to eliminate this and other legacy vulnerabilities. For legacy systems that must remain operational, consider virtualizing or sandboxing them to limit impact of crashes. Regular backups and incident response plans should be in place to recover quickly from potential DoS events.

Need more detailed analysis?Get Pro

Threat ID: 682ca32db6fd31d6ed7df606

Added to database: 5/20/2025, 3:43:41 PM

Last enriched: 7/1/2025, 11:42:05 AM

Last updated: 8/14/2025, 7:42:16 AM

Views: 13

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats