ADVISORY 01-030.2 Update: "Universal Plug and Play Vulnerabilities"
[Updates to NIPC Advisory 01-030 are in bold]

Summary: This advisory updates NIPC Advisory 01-030 regarding what Microsoft refers to as a critical vulnerability in the Universal Plug and Play (UPnP) service in Windows XP, Millennium Edition (ME) and Windows 98 or Windows 98SE systems. This vulnerability could lead to denial of service attacks and system compromise. Microsoft has released a patch (Microsoft Security Bulletin 01-059) for this vulnerability at the following site:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp

Additional information can also be found at the following site:
eEye Digital Security: http://www.eeye.com/html/Research/Advisories/AD20011220.html

Update: On Friday, December 21, 2001, the NIPC conducted technical discussions with Microsoft Corporation and other partners in the Internet and Information Security community to identify software and procedure practices to minimize the risk from this vulnerability. The NIPC recommends that users consider taking the following actions.

Home Users: Download and install the patch described in Microsoft Security Bulletin 01-059. For additional security if you are not using the UPnP service, disable it with the following steps:

In Windows XP
In Windows Millennium Edition
In Windows 98 and Windows 98 Second Edition
There is no built-in UPnP support for these operating systems except in the case of computers on which the Windows XP Internet Connection Sharing client has been installed.

System Administrators: Download and install the patch described in Microsoft Security Bulletin 01-059. Monitor and block ports 1900 and 5000. An increase in traffic on these ports may indicate active scanning for this vulnerability. Also, ensure that a policy is in place that restricts access to your corporate network for those machines that have not yet been patched. Set the UPnP service settings to "Disable." By default this is set to "Manual."

Systems Affected: Windows XP installs and runs UPnP by default.

Details: UPnP is a service that identifies and uses network-based devices. There are two known vulnerabilities in the UPnP service.

The first vulnerability involves a buffer overflow in the UPnP service that could give an attacker system or root level access. With this level of access, an attacker could execute any commands and take any actions they choose on the victim's computer.

The second vulnerability is in the Simple Service Discovery Protocol (SSDP), which allows new devices on a network to be recognized by computers running UPnP by sending out a broadcast UDP packet. Attackers can use this feature to send false UDP packets to a broadcast address hosting vulnerable Windows systems. Once a vulnerable system receives this message, it will respond to the spoofed originating IP address. This can be exploited to cause a distributed denial of service attack. In another example of this vulnerability, an attacker could spoof an address that has the character generator (chargen) service running. If a vulnerable machine were to connect to the chargen service on a system, it could become stuck in a loop that would quickly consume system resources.

The NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Recipients may report incidents online at http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and Warning Unit at (202) 323-3205, 1-888-585-9078 or nipc.watch@fbi.gov.

Links to Advisories 01-030, 01-030.1, and 01-030.3
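One way to act on the System Administrators recommendation to monitor ports 1900 and 5000, as an added example that is not part of the NIPC advisory: the script counts hits on those ports per hour, flags an hour that rises well above the earlier baseline, and lists sources that reach those ports on several hosts. The log format, addresses, thresholds and function names are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

WATCHED_PORTS = {1900, 5000}  # the two ports the advisory says to monitor

# Constructed sample; format "time proto src dst dst_port" is an assumption.
SAMPLE_LOG = """\
2001-12-22T09:10:00 UDP 10.0.0.5 239.255.255.250 1900
2001-12-22T09:40:00 UDP 10.0.0.7 239.255.255.250 1900
2001-12-22T10:15:00 UDP 10.0.0.5 239.255.255.250 1900
2001-12-22T10:20:00 TCP 10.0.0.7 10.0.0.9 80
2001-12-22T10:45:00 UDP 10.0.0.7 239.255.255.250 1900
2001-12-22T11:00:01 TCP 192.0.2.44 10.0.0.5 5000
2001-12-22T11:00:02 TCP 192.0.2.44 10.0.0.6 5000
2001-12-22T11:00:03 TCP 192.0.2.44 10.0.0.7 5000
2001-12-22T11:00:04 UDP 192.0.2.44 10.0.0.5 1900
2001-12-22T11:00:05 UDP 192.0.2.44 10.0.0.6 1900
2001-12-22T11:00:06 UDP 192.0.2.44 10.0.0.7 1900
2001-12-22T11:00:07 TCP 192.0.2.44 10.0.0.8 5000
truncated line
"""

def watched_hits(log_text):
    """Yield (hour, src, dst) for each well-formed line aimed at a watched port."""
    for line in log_text.splitlines():
        try:
            ts, _proto, src, dst, dport = line.split()
            when, port = datetime.fromisoformat(ts), int(dport)
        except ValueError:
            continue  # malformed or truncated line: skip, do not crash
        if port in WATCHED_PORTS:
            yield when.replace(minute=0, second=0), src, dst

def traffic_spikes(log_text, factor=3):
    """Hours whose hit count exceeds factor x the mean of all earlier hours."""
    counts = Counter(hour for hour, _, _ in watched_hits(log_text))
    hours, spikes = sorted(counts), []
    for i, hour in enumerate(hours[1:], start=1):
        baseline = sum(counts[h] for h in hours[:i]) / i
        if counts[hour] > factor * baseline:
            spikes.append((hour, counts[hour]))
    return spikes

def likely_scanners(log_text, min_targets=3):
    """Sources that touched the watched ports on min_targets or more hosts."""
    targets = defaultdict(set)
    for _, src, dst in watched_hits(log_text):
        targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}
```

Hours with no hits at all do not appear in the baseline, so the thresholds should be tuned against a site's own normal traffic on these ports before alerting on them.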