ADVISORY 01-030.1 Update: "Universal Plug and Play Vulnerabilities"

[Updates to NIPC Advisory 01-030 are in bold]

Summary: This advisory updates NIPC Advisory 01-030 regarding what Microsoft refers to as a critical vulnerability in the universal plug and play (UPnP) service in Windows XP, Millennium Edition (ME), Windows 98 or Windows 98SE systems. This vulnerability could lead to denial of service attacks and system compromise. Microsoft has released a patch (Microsoft Security Bulletin 01-059) for this vulnerability at the following site:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp

Additional information can also be found at the following site:
eEye Digital Security: http://www.eeye.com/html/Research/Advisories/AD20011220.html

Update: On Friday, December 21, 2001, the NIPC conducted technical discussions with Microsoft Corporation and other partners in the Internet and Information Security community to identify software and procedure practices to minimize the risk from this vulnerability. The NIPC recommends that users consider taking the following actions.

Home Users:
- Download and install the patch described in Microsoft Security Bulletin 01-059.
- Set the UPnP service settings to "Disable." Home Users must log in as Administrator to alter this setting or have Administrator rights. The procedure is available in Microsoft Security Bulletin 01-059.

System Administrators:
- Download and install the patch described in Microsoft Security Bulletin 01-059.
- Monitor and block ports 1900 and 5000. An increase in traffic on these ports may indicate active scanning for this vulnerability.
- Set the UPnP service settings to "Disable." By default this is set to "Manual."

Systems Affected:

Details: UPnP is a service that identifies and uses network-based devices. There are two known vulnerabilities in the UPnP service.

The first vulnerability involves a buffer overflow in the UPnP service that could give an attacker system or root level access. With this level of access, an attacker could execute any commands and take any actions they choose on the victim's computer.

The second vulnerability is in the Simple Service Discovery Protocol (SSDP) that allows new devices on a network to be recognized by computers running UPnP by sending out a broadcast UDP packet. Attackers can use this feature to send false UDP packets to a broadcast address hosting vulnerable Windows systems. Once a vulnerable system receives this message, it will respond to the spoofed originating IP address. This can be exploited to cause a distributed denial of service attack.

Another example of this vulnerability arises if an attacker spoofs an address that has the character generator (chargen) service running. If a vulnerable machine were to connect to the chargen service on a system, it could become stuck in a loop that would quickly consume system resources.

The NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to other appropriate authorities. Recipients may report incidents online at http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and Warning Unit at (202) 323-3205, 1-888-585-9078 or nipc.watch@fbi.gov.

Links to Advisories 01-030, 01-030.2, and 01-030.3
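The System Administrators guidance above notes that an increase in traffic on ports 1900 and 5000 may indicate active scanning. The following Python is an added example, not part of the NIPC advisory: it reads firewall log lines and reports any source that contacts several distinct hosts on those ports within a short window. The log layout, the five-minute window, the three-host threshold and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

UPNP_PORTS = {1900, 5000}          # ports named in the advisory
WINDOW = timedelta(minutes=5)      # assumed sliding window
MIN_TARGETS = 3                    # assumed threshold: distinct hosts per window

# Assumed log layout: "<ISO time> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (\w+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

# Constructed sample log, not real traffic (documentation address ranges).
SAMPLE_LOG = """\
2001-12-21T10:00:01 DROP UDP 203.0.113.7:4312 -> 192.0.2.10:1900
2001-12-21T10:00:02 DROP UDP 203.0.113.7:4313 -> 192.0.2.11:1900
2001-12-21T10:00:03 DROP TCP 203.0.113.7:4314 -> 192.0.2.12:5000
2001-12-21T10:00:04 ALLOW TCP 198.51.100.5:3920 -> 192.0.2.10:80
2001-12-21T10:01:30 DROP TCP 203.0.113.7:4315 -> 192.0.2.13:5000
2001-12-21T10:02:00 DROP UDP 198.51.100.9:1900 -> 192.0.2.10:1900
2001-12-21T11:30:00 DROP UDP 198.51.100.9:1900 -> 192.0.2.11:1900
garbled line that the parser must skip
"""

def parse(log_text):
    """Yield (time, src, dst, dport) for entries aimed at ports 1900/5000."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed entries
        ts, _action, _proto, src, _sport, dst, dport = m.groups()
        if int(dport) in UPNP_PORTS:
            yield datetime.fromisoformat(ts), src, dst, int(dport)

def find_scanners(log_text, window=WINDOW, min_targets=MIN_TARGETS):
    """Return {src: most distinct hosts contacted within any one window}."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in parse(log_text):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        # For each event, count distinct destinations seen within `window` after it.
        best = max(len({d for t, d in events[i:] if t - s <= window})
                   for i, (s, _) in enumerate(events))
        if best >= min_targets:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

Counting distinct destinations per source, rather than raw packet volume, keeps a single chatty host that repeatedly contacts one device from being reported as a scan.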