----- Original Message -----
From: "X-Force" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 20, 2001 3:24 PM
Subject: ISSalert: ISS Security Alert: Multiple Vulnerabilities in Universal Plug and Play Service
|
| Internet Security Systems Security Alert
| December 20, 2001
|
| Multiple Vulnerabilities in Universal Plug and Play Service
|
| Synopsis:
|
| ISS X-Force is aware of multiple vulnerabilities with the Universal Plug and
| Play Service (UPnP) included with several Microsoft Windows operating systems.
| UPnP is a protocol that allows network devices to broadcast self-describing
| messages for peer-to-peer integration into a network. Two vulnerabilities are
| present in UPnP. A buffer overflow exists in the Windows XP implementation of
| the Simple Service Discovery Protocol (SSDP) component of UPnP. Another more
| generic Distributed Denial of Service (DDoS) or Denial of Service (DOS) risk
| exists within SSDP as well and affects multiple versions of the operating
| system.
|
| Affected Versions:
|
| Windows XP
| Windows ME
| Windows 98SE
| Windows 98
|
| Description:
|
| A remotely exploitable buffer overflow exists in the UPnP service of Windows
| XP. A malicious user can transmit a malformed NOTIFY request to a vulnerable
| machine and overflow an unchecked buffer in the UPnP service. This service
| runs in the SYSTEM context under Windows XP and can result in a full system
| compromise, allowing the attacker to gain control of the affected machine.
|
| A condition also exists in the implementation of SSDP that could lead to a
| DOS or DDoS attack by transmitting a malformed NOTIFY directive at a targeted
| machine or group of machines. The targets can be forced to endlessly transmit
| HTTP requests to a final target.
|
| Recommendations:
|
| Internet firewalls should be configured to block ports 1900 and 5000.
|
| ISS RealSecure intrusion detection customers may use the following connection
| event to detect access attempts by the UPnP Overflow. Follow the instructions
| below to apply the connection event to your policy.
|
| 1. Choose a policy you want to use, and click 'Customize'.
| 2. Select the 'Connection Events' tab.
| 3. Click 'Add' on the right hand side of the dialog box.
| 4. Create a Connection Event
| 5. Type in a name of the event, such as 'UPnP Overflow'.
| 6. In the 'Response' field for the event, select the responses you want to
|    use.
|    In the 'Protocol' field, select UDP
|    In the 'Dest Port/Type' field click the pull down box and create an entry
|    for UDP port 1900:
|    a. Click 'Add'
|    b. Select UDP Protocol
|    c. Name the service 'UPnP Overflow'
|    d. Use 1900 for the port number
|    e. Click 'OK'
|    f. Select the entry just created
| 7. Save changes and close the window.
| 8. Click 'Apply to Sensor' or 'Apply to Engine' depending on the version of
|    RealSecure you are using.
|
| A connection event is now created with any address/port and any destination
| address looking for a UDP request on port 1900. Every network is different so
| it is possible to make entries for each vulnerable host on your network
| instead of using the above connection event.
|
| Contact ISS Technical Support for more specific help on this matter.
|
| Users of ISS BlackICE products in Trusting or Cautious mode can configure
| themselves to protect themselves from this attack:
| 1. Select 'Tools' and click 'Advanced Firewall Settings'
| 2. Click 'Add' to add a new rule.
| 3. Name the rule 'UPnP Overflow'
| 4. Select 'All Addresses'
| 5. Type in Port 1900 into the Ports field
| 6. Select Type UDP
| 7. Select Mode Reject
| 8. Select Duration Forever
| 9. Click 'Add'
|
| BlackICE users in Nervous or Paranoid mode will be protected against the
| attack and do not need to add a rule.
|
| An Internet Scanner FlexCheck will be available soon to detect this
| vulnerability.
| The FlexCheck will be available at the following URL:
| https://www.iss.net/cgi-bin/download/customer/download_product.cgi
|
| Patches from Microsoft Corporation are available at the following locations:
|
| Microsoft Windows 98/98SE:
| http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34991
|
| Microsoft Windows ME:
| http://download.microsoft.com/download/winme/Update/22940/WinMe/EN-US/314757USAM.EXE
|
| Microsoft Windows XP:
| http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34951
|
| Additional Information:
|
| eEye Digital Security Advisory:
| http://www.eeye.com/html/Research/Advisories/AD20011220.html
|
| Microsoft Security Bulletin:
| http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
|
| Credits:
|
| This vulnerability was discovered and researched by eEye Digital Security.
| ______
|
| About Internet Security Systems (ISS)
| Internet Security Systems is a leading global provider of security
| management solutions for the Internet, protecting digital assets and
| ensuring safe and uninterrupted e-business. With its industry-leading
| intrusion detection and vulnerability assessment, remote managed
| security services, and strategic consulting and education offerings, ISS
| is a trusted security provider to more than 9,000 customers worldwide
| including 21 of the 25 largest U.S. commercial banks, the top 10 U.S.
| telecommunications companies, and all major branches of the U.S. Federal
| Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with
| additional offices throughout North America and international operations
| in Asia, Australia, Europe, Latin America and the Middle East. For more
| information, visit the Internet Security Systems web site at www.iss.net
| or call 888-901-7477.
|
| Copyright (c) 2001 Internet Security Systems, Inc. All rights reserved
| worldwide.
|
| Permission is hereby granted for the redistribution of this Alert
| electronically.
| It is not to be edited in any way without express
| consent of the X-Force. If you wish to reprint the whole or any part
| of this Alert in any other medium excluding electronic medium, please
| e-mail [EMAIL PROTECTED] for permission.
|
| Disclaimer
|
| The information within this paper may change without notice. Use of this
| information constitutes acceptance for use in an AS IS condition. There
| are NO warranties with regard to this information. In no event shall the
| author be liable for any damages whatsoever arising out of or in
| connection with the use or spread of this information. Any use of this
| information is at the user's own risk.
|
| X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
| well as on MIT's PGP key server and PGP.com's key server.
|
| Please send suggestions, updates, and comments to: X-Force
| [EMAIL PROTECTED] of Internet Security Systems, Inc.
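
The two conditions the alert describes (a malformed NOTIFY and NOTIFY-driven HTTP requests to a third party), turned into a passive check on UDP port 1900 datagrams. This is an added example, not part of the ISS alert and not ISS or Microsoft code. It relies on the SSDP LOCATION header, which tells the receiver where to fetch a device description over HTTP; the 256-byte header limit, the 192.168.1.0/24 LAN, the finding names and the rule that LOCATION must point back at the sender are assumptions for illustration, and all sample datagrams are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_HEADER_LEN = 256                                 # assumed sanity limit
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed protected LAN

def parse_ssdp(datagram: bytes):
    """Split an SSDP datagram into (start_line, {HEADER: value})."""
    lines = datagram.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def inspect_notify(datagram: bytes, src_ip: str):
    """Return findings for one datagram received on UDP port 1900."""
    start, headers = parse_ssdp(datagram)
    if not start.upper().startswith("NOTIFY "):
        return []
    findings = []
    if ipaddress.ip_address(src_ip) not in LOCAL_NET:
        findings.append("source-outside-lan")       # should be firewalled
    for name, value in headers.items():
        if len(name) + len(value) > MAX_HEADER_LEN:
            findings.append("oversized-header:" + name[:16])
    location = headers.get("LOCATION")
    if location is not None:
        try:
            host = urlsplit(location).hostname
        except ValueError:    # unparsable URL counts as a mismatch
            host = None
        if host != src_ip:    # receiver would fetch from a third party
            findings.append("location-host-mismatch")
    return findings

def build_notify(location: str, nt: str = "upnp:rootdevice") -> bytes:
    """Constructed sample NOTIFY announcement (not captured traffic)."""
    return ("NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            "CACHE-CONTROL: max-age=1800\r\n"
            f"LOCATION: {location}\r\nNT: {nt}\r\nNTS: ssdp:alive\r\n"
            "USN: uuid:constructed-example::upnp:rootdevice\r\n\r\n"
            ).encode("latin-1")

if __name__ == "__main__":
    print(inspect_notify(build_notify("http://203.0.113.9/"), "192.168.1.20"))
```
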