Reported November 1, 2001, by Microsoft.
VERSIONS AFFECTED
All systems running Microsoft’s
Universal Plug and Play, including:
- Microsoft Windows XP
- Microsoft Windows Me
-
Microsoft
Windows 98 and 98SE
DESCRIPTION
A vulnerability exists in Microsoft Universal Plug
and Play (UPnP) service that can cause a Denial of Service (DoS) condition.
Because the UPnP service doesn't correctly handle invalid requests or multiple
connections exceeding 1017, an attacker can use the vulnerability to create a
DoS condition. The UPnP service is not enabled by default, but an attacker can
enable it through the OEM channels. Microsoft recommends that users block ports
1900 and 5000 with a firewall.
VENDOR
RESPONSE
The
vendor, Microsoft, has released security
bulletin MS01-054
to address this vulnerability and recommends that affected users apply the
appropriate patch provided at one of the URLs given in the bulletin.
CREDIT
Discovered by Ken
of Franklin Tech Unlimited.