Re: Microsoft MS01-059, Universal Plug-n-Play vulnerability.

From: Doug (crewchief@airshow.net)
Date: 12/21/01


Date: Fri, 21 Dec 2001 16:55:37 -0500
From: Doug <crewchief@airshow.net>
To: Mark Medici <mark@dbma.com>, focus-ms@securityfocus.com

I read an eEye write-up on the vulnerability that gives the ports to block
and other actions to take. See
http://www.eete.com/html/Research/Advisories/AD20011220.html

-- Doug

--On Friday, December 21, 2001 02:42:40 PM -0500 Mark Medici
<mark@dbma.com> wrote:

> Does anyone have any information on the protocols and/or ports used
> by Universal Plug-n-Play (uPnP)? I'm not looking for specific
> sample code or a working exploit. However, I do want to know if
> this vulnerability can be exploited from the Internet, and if so,
> how to block it at our firewalls and border routers.
>
> Microsoft and CERT announced a vulnerability affecting Windows/XP,
> Windows/Me and, potentially, Windows/98 with Universal Plug-n-Play.
> See http://www.microsoft.com/technet/security/bulletin/MS01-059.asp
> for details.
>
> Obviously, installing Microsoft's patch (Q315000 for Windows/XP, the
> most critical platform) is essential. But users (our own and our
> customers) frequently get new machines or reload existing ones and
> put them on the network for several days before a SysAdmin learns of
> their presence to properly patch them.
>
> If there are specific protocols and/or ports that can be associated
> with Universal Plug-n-Play, then these can be blocked by our
> firewalls, border routers and personal firewalls to protect against
> exploits even if one of our users is remiss in installing patches.
>
> Further information is welcome.
>
>

Doug Foster
World Wide AirShow, Inc.


