CRIME FW: Advisory 01-030.3

From: George Heuston (GeorgeH@private)
Date: Wed Jan 02 2002 - 18:49:20 PST

    -----Original Message-----
    From: NIPC Watch
    To: Daily Distribution
    Sent: 1/2/02 4:03 PM
    Subject: Advisory 01-030.3
    Importance: High
    
    National Infrastructure Protection Center
    "Universal Plug and Play Vulnerabilities"
    Advisory 01-030.3
    02 January 2002
    
    Summary:
    
    This advisory updates NIPC Advisory 01-030 regarding what Microsoft 
    refers to as critical vulnerabilities in the Universal Plug and Play 
    (UPnP) service in Windows XP, Millennium Edition (ME), and Windows 98 or 
    98SE systems. These vulnerabilities could lead to denial of service 
    attacks and separately to system compromises. Since the discovery of 
    these vulnerabilities by eEye Digital Security, Microsoft Corporation 
    has released a software patch and a detailed security bulletin regarding 
    the problem, its resolution using their patch, as well as instructions 
    to disable the UPnP service if patch installation is impracticable. NIPC 
    recommends that affected users install the Microsoft patch. In the view 
    of the Computer Emergency Response Team (CERT/CC) at Carnegie Mellon 
    University and NIPC as well as Microsoft Corporation, this patch corrects 
    the problem that could lead to system compromise and affords substantial 
    and adequate protection from the vulnerability that could lead to denial 
    of service attacks.
    
    The NIPC wishes to thank Microsoft Corporation and CERT/CC for their 
    diligence in the investigation and technical description of these 
    vulnerabilities during the holiday period just past. The software patch 
    and the latest version of the Microsoft Security Bulletin (updated on 31 
    December) are available at:
    
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
    
    
    Systems Affected:
    
    
    . Windows XP installs and runs UPnP by default.
    . Windows ME provides native support for UPnP, but it is neither 
    installed nor running by default.
    . Windows 98 and 98SE only use UPnP when specifically installed by the 
    Internet Connection Sharing program.
    
    
    Details:
    
    UPnP is a service that identifies and uses network-based devices. There 
    are two known vulnerabilities in the UPnP service. The first 
    vulnerability involves a buffer overflow in the UPnP service that could 
    give an attacker system or root level access. With this level of access, 
    an attacker could execute any commands and take any actions they choose 
    on the victim's computer.
    
    The second vulnerability is in the Simple Service Discovery Protocol 
    (SSDP) that allows new devices on a network to be recognized by 
    computers running UPnP by sending out a broadcast UDP packet. Attackers 
    can use this feature to send false UDP packets to a broadcast address 
    hosting vulnerable Windows systems. Once a vulnerable system receives 
    this message, it will respond to the spoofed originating IP address. 
    This can be exploited to cause a distributed denial of service attack.
    
    Another example of this vulnerability is if an attacker spoofed an 
    address that had the character generator (chargen) service running. If a 
    vulnerable machine were to connect to the chargen service on a system, 
    it could become stuck in a loop that would quickly consume system 
    resources.
    
    The NIPC encourages recipients of this alert to report computer 
    intrusions to their local FBI office 
    http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to other 
    appropriate authorities. Recipients may report incidents online at 
    http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and 
    Warning Unit at (202) 323-3205, 1-888-585-9078 or nipc.watch@private
    
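The SSDP abuse the advisory describes (a discovery datagram arriving on the broadcast address with a spoofed source, or one that steers the receiving host to connect to a chargen listener) leaves a recognisable pattern in the datagram itself. The following triage routine is an added example, not part of the NIPC advisory or of any Microsoft or eEye material. It assumes the monitored LAN is 192.168.1.0/24 (LOCAL_NET), that the follow-up connection a vulnerable host makes is to the URL in the NOTIFY message's LOCATION header (the advisory does not name the header; this is an assumption), and the three datagrams at the bottom are constructed samples, not captured traffic.

```python
"""Triage SSDP (UPnP discovery) datagrams for the abuse pattern in the advisory.

Added example for this page; not code from the NIPC advisory. The sample
datagrams below are constructed, not captured traffic.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

CHARGEN_PORT = 19
# Assumption: the subnet on which the broadcast/multicast discovery traffic is seen.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Finding:
    src: str
    reasons: list[str] = field(default_factory=list)


def parse_ssdp(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTPU datagram into its start line and a lower-cased header map."""
    lines = raw.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage(src_ip: str, raw: bytes) -> Finding:
    """Return the reasons a datagram looks like the spoof / chargen-loop abuse.

    - Any datagram whose UDP source is off the local subnet is suspect: a
      reply would be sent to that (possibly spoofed) address.
    - A NOTIFY whose LOCATION points off-net, at a host other than the sender,
      or at a non-HTTP well-known port (chargen in particular) is suspect.
    """
    start, hdr = parse_ssdp(raw)
    finding = Finding(src=src_ip)
    src = ipaddress.ip_address(src_ip)

    if src not in LOCAL_NET:
        finding.reasons.append("source address is off the local subnet")

    location = hdr.get("location")
    if start.upper().startswith("NOTIFY") and location:
        url = urlsplit(location)
        port = url.port or (443 if url.scheme == "https" else 80)
        try:
            loc_ip = ipaddress.ip_address(url.hostname or "")
        except ValueError:
            loc_ip = None  # hostname rather than a literal address; not checked here
        if loc_ip is not None and loc_ip not in LOCAL_NET:
            finding.reasons.append("LOCATION host is off the local subnet")
        if loc_ip is not None and loc_ip != src:
            finding.reasons.append("LOCATION host differs from datagram source (possible spoof)")
        if port == CHARGEN_PORT:
            finding.reasons.append("LOCATION points at chargen (tcp/19)")
        elif port < 1024 and port not in (80, 443):
            finding.reasons.append(f"LOCATION port {port} is not an HTTP port")
    return finding


# Constructed samples (not captured traffic).
BENIGN_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\nLOCATION: http://192.168.1.10:2869/upnp.xml\r\n\r\n"
)
CHARGEN_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\nLOCATION: http://10.0.0.5:19/\r\n\r\n"
)
SPOOFED_MSEARCH = (
    b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"\r\n'
    b"MX: 3\r\nST: ssdp:all\r\n\r\n"
)

if __name__ == "__main__":
    for src, pkt in (("192.168.1.10", BENIGN_NOTIFY),
                     ("192.168.1.77", CHARGEN_NOTIFY),
                     ("203.0.113.9", SPOOFED_MSEARCH)):
        f = triage(src, pkt)
        print(src, "OK" if not f.reasons else "; ".join(f.reasons))
```

Feed it the source address and payload of each UDP/1900 datagram seen on the segment (from a packet capture or a listening socket); a clean host announcing its own address on a high port produces no findings, while the chargen case trips all three LOCATION checks and the off-net M-SEARCH trips the source check.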



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:38:13 PDT