ADVISORY 01-030.2
Update: "Universal Plug and Play Vulnerabilities"
December 22, 2001
[Updates to NIPC Advisory 01-030 are in bold]
Summary:
This advisory updates NIPC Advisory 01-030 regarding what Microsoft refers to as a critical vulnerability in the universal plug and play (UPnP) service in Windows XP, Millennium Edition (ME) and Windows 98 or Windows 98SE systems. This vulnerability could lead to denial of service attacks and system compromise. Microsoft has released a patch (Microsoft Security Bulletin 01-059) for this vulnerability at the following site:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
Additional information can also be found at the following site:
eEye Digital Security: http://www.eeye.com/html/Research/Advisories/AD20011220.html
Update:
On Friday, December 21, 2001, the NIPC conducted technical discussions with Microsoft Corporation and other partners in the Internet and Information Security community to identify software and procedure practices to minimize the risk from this vulnerability. The NIPC recommends that users consider taking the following actions.
Home Users:
Download and install the patch described in Microsoft Security Bulletin 01-059.
For additional security, if you are not using the UPnP service, disable it with the following steps:
In Windows XP
1. Click the "Start" button
2. Go to the "Control Panel" tab and press it
3. Go to the "Administrative Tools" folder and double click on it
4. Go to the "Services" icon and double click on it. It looks like two gears interlocked with each other
5. Scroll down until you see the "Universal Plug and Play Device Host" service and double click on it
6. A window will pop up with several tabs; on the "General" tab there will be a field called "Startup Type"
7. In the "Startup Type:" field change the option to "Disabled" and click "Ok"
In Windows Millennium Edition
1. Click the "Start" button
2. Go to the "Control Panel" under "Settings" and select "Add/Remove Programs"
3. Select the "Windows Set-up" tab
4. In the Components field select "Communications"
5. In that Components field scroll down and uncheck the box to the left of "Universal Plug and Play"
6. Click "Ok"
In Windows 98 and Windows 98 Second Edition
There is no built-in UPnP support for these operating systems except in the case of computers on which the Windows XP Internet Connection Sharing client has been installed.
System Administrators:
Download and install the patch described in Microsoft Security Bulletin 01-059.
Monitor and block ports 1900 and 5000. An increase in traffic on these ports may indicate active scanning for this vulnerability. Also, ensure that a policy is in place that restricts access to your corporate network by machines that have not yet been patched.
Set the UPnP service settings to "Disable." By default this is set to "Manual."
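As an added example (not part of this advisory), the following Python script applies the monitoring recommendation above to constructed firewall log lines: it counts traffic to ports 1900 and 5000 and flags any source that touched several distinct hosts on those ports, the fan-out pattern that active scanning leaves behind. The log layout, the addresses and the threshold are assumptions.

```python
"""Added example, not part of the NIPC advisory: spot hosts sweeping the UPnP
ports it tells administrators to watch, UDP 1900 (SSDP) and TCP 5000."""
import re
from collections import Counter, defaultdict

UPNP_PORTS = {1900, 5000}  # ports named in the advisory

# Constructed sample log in an assumed "time proto src:sport > dst:dport"
# layout (no real firewall's format). 10.1.1.50 and 192.0.2.9 sweep several
# hosts, 10.1.1.7 sends one normal SSDP broadcast, the last line is noise.
SAMPLE_LOG = """\
2001-12-21T10:00:01 UDP 10.1.1.50:33001 > 10.1.1.7:1900
2001-12-21T10:00:01 UDP 10.1.1.50:33002 > 10.1.1.8:1900
2001-12-21T10:00:02 UDP 10.1.1.50:33003 > 10.1.1.9:1900
2001-12-21T10:00:02 UDP 10.1.1.50:33004 > 10.1.1.10:1900
2001-12-21T10:00:05 UDP 10.1.1.7:1900 > 10.1.1.255:1900
2001-12-21T10:00:06 TCP 192.0.2.9:4401 > 10.1.1.7:5000
2001-12-21T10:00:06 TCP 192.0.2.9:4402 > 10.1.1.8:5000
2001-12-21T10:00:07 TCP 192.0.2.9:4403 > 10.1.1.9:5000
2001-12-21T10:00:09 TCP 10.1.1.20:4500 > 10.1.1.7:80
this line is not a log record
"""
LINE_RE = re.compile(
    r"^(\S+) (UDP|TCP) (\d+(?:\.\d+){3}):(\d+) > (\d+(?:\.\d+){3}):(\d+)$")

def parse(log_text):
    """Yield (proto, src, dst, dport) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(5), int(m.group(6))

def port_hit_counts(log_text):
    """Packets per UPnP port: the baseline against which the advisory's
    'increase in traffic on these ports' is judged."""
    return Counter(d for _, _, _, d in parse(log_text) if d in UPNP_PORTS)

def find_upnp_scanners(log_text, min_targets=3):
    """Sources that hit at least min_targets distinct hosts on a UPnP port,
    mapped to those hosts. One peer is ordinary discovery; fanning out
    across the subnet is what scanning for this bug looks like."""
    targets = defaultdict(set)
    for _, src, dst, dport in parse(log_text):
        if dport in UPNP_PORTS:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}
```

Run it against real logs by feeding them to find_upnp_scanners in place of SAMPLE_LOG and tuning min_targets to the size of the subnet.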
Systems Affected:
Windows XP installs and runs UPnP by default.
Windows ME provides native support for UPnP, but it is neither installed nor running by default.
Windows 98 and Windows 98SE only use UPnP when it is specifically installed by the Internet Connection Sharing program.
Details:
UPnP is a service that identifies and uses network-based devices. There are two known vulnerabilities in the UPnP service. The first vulnerability involves a buffer overflow in the UPnP service that could give an attacker system or root level access. With this level of access, an attacker could execute any commands and take any actions they choose on the victim's computer.
The second vulnerability is in the Simple Service Discovery Protocol (SSDP), which allows new devices on a network to be recognized by computers running UPnP by sending out a broadcast UDP packet. Attackers can use this feature to send false UDP packets to a broadcast address hosting vulnerable Windows systems. Once a vulnerable system receives this message, it will respond to the spoofed originating IP address. This can be exploited to cause a distributed denial of service attack.
Another example of this vulnerability is if an attacker spoofed an address that had the character generator (chargen) service running. If a vulnerable machine were to connect to the chargen service on a system, it could become stuck in a loop that would quickly consume system resources.
The NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Recipients may report incidents online at http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and Warning Unit at (202) 323-3205, 1-888-585-9078 or nipc.watch@fbi.gov.