Vulnerability Alert

Microsoft Windows Plug and Play Remote Code Execution Vulnerability

Threat Type: CWE-119: Buffer Errors
IntelliShield ID: 9572
Version: 5
First Published: 2005 August 09 20:47 GMT
Last Published: 2005 August 24 20:12 GMT
Port: 139, 445
CVE: CVE-2005-1983
BugTraq ID: 14513
Urgency: Possible use
Credibility: Confirmed
Severity: Moderate Damage
Version Summary:

Microsoft has released a security advisory stating that systems running Windows XP SP1 with Simple File Sharing enabled may be at increased risk of exploitation for the Windows Plug and Play remote code execution vulnerability.

 
 
Description

Microsoft Windows 2000, XP and Server 2003 contain a vulnerability within the Plug and Play (PnP) service that could result in the execution of arbitrary code with elevated privileges.

The vulnerability exists in the Plug and Play service as a result of insufficient bounds checking of user-supplied data. On Windows 2000 and 2000 Server, an anonymous remote attacker or an authenticated local attacker could exploit this vulnerability by submitting a malicious message to the service, creating a buffer overflow condition. On Windows Server 2003 and Windows XP SP2, the PnP service is restricted to locally authenticated users. On Windows XP SP1, however, a remotely authenticated user could exploit the vulnerability to execute arbitrary code with elevated privileges.

Exploit code is available.

Patches are available.

 
Warning Indicators

Systems running the following Microsoft products are vulnerable:

Microsoft Windows 2000 SP4 and prior
Microsoft Windows XP SP1 and SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 SP1 or prior 
Microsoft Windows Server 2003 SP1 or prior for Itanium-based Systems  
Microsoft Windows Server 2003 x64 Edition

 
IntelliShield Analysis

Most enterprise networks already block the exploitable ports (139/tcp and 445/tcp) at the perimeter, which mitigates the risk associated with this vulnerability. Allowing unfiltered inbound access to these ports exposes production systems to misuse. Administrators should consider blocking access to these ports from untrusted networks.

Administrative users can remotely access the PnP service on Windows XP SP2 and Server 2003 machines. Because such users already hold administrative privileges, exploitation by this route is unlikely.

Administrators are advised to apply the appropriate updates during the next scheduled patch cycle.  Windows 2000 systems accessible via untrusted networks or by untrusted users should apply the appropriate update as soon as possible.

Exploit code is publicly available for this vulnerability, which may increase the likelihood of attack.

Reports indicate that malicious code exploiting this vulnerability has been found in the wild. Infection rates are currently low but may increase as new worm variants are produced. Cybertrust is reporting on the Zotob worm in alert 9591 and Sdbot in alert 4917.

Only Windows XP systems that are not members of a domain can enable Simple File Sharing.

 
Vendor Announcements

Microsoft has released a security bulletin at the following link: MS05-39 

Microsoft has released security advisories at the following links: 899588 and 906574

US-CERT has released a technical cyber security alert and vulnerability note at the following link: TA05-221A and VU#998653

 
Impact

An attacker could execute arbitrary code with SYSTEM privileges.

 
Technical Information

To exploit this issue, an attacker could create a malicious message and submit it to a vulnerable PnP service.  The vulnerability exists due to a buffer overflow condition that results from a lack of bounds checking of user-supplied input.  An attacker able to trigger the vulnerability could create an exploitable buffer overflow condition that may allow the execution of arbitrary code with SYSTEM privileges.

When Simple File Sharing is enabled on Windows XP systems with SP1 installed, the Guest account is enabled by default.  Windows XP systems using SP1 that are joined in a domain do not use Simple File Sharing.  However, if the system used Simple File Sharing prior to joining a domain, the Guest account may still be enabled.  All remote users who access file shares on the system must use the Guest account.  Since the Guest account allows remote authenticated access, there is an increased likelihood that an attacker could exploit these systems.

 
Safeguards

Administrators are advised to apply the appropriate patches.

Administrators are advised to restrict access to ports 139/tcp and 445/tcp to trusted users only.

Administrators are advised to enable local firewalls on individual hosts to screen TCP/IP traffic.

Administrators are advised to disable Simple File Sharing on Windows XP systems with SP1 installed.
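As an added example that is not part of the Cisco alert, the following Python applies the exposure model from the IntelliShield Analysis and Technical Information sections, and the Safeguards above, to a constructed host inventory. The Host fields, hostnames and label strings are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    os: str                    # "2000", "XP" or "2003"
    sp: int                    # service pack level
    domain_joined: bool
    simple_file_sharing: bool  # XP only; not available to domain members
    guest_enabled: bool        # may remain enabled after joining a domain
    smb_exposed: bool          # 139/tcp or 445/tcp reachable from untrusted networks

def exposure(h):
    """Who can reach the vulnerable PnP code path, following the alert text."""
    if h.os == "2000":
        return "anonymous remote"                 # no authentication required
    if h.os == "XP" and h.sp == 1:
        # Simple File Sharing, or a Guest account left over from it, gives any
        # remote user authenticated access, which is all XP SP1 requires.
        sfs_active = h.simple_file_sharing and not h.domain_joined
        if sfs_active or h.guest_enabled:
            return "guest-authenticated remote"
        return "authenticated remote"
    return "administrators only"                  # XP SP2 and Server 2003

def patch_timing(h):
    """Patch urgency the IntelliShield analysis assigns to this exposure."""
    if exposure(h) == "anonymous remote" and h.smb_exposed:
        return "as soon as possible"
    return "next scheduled patch cycle"

def safeguards(h):
    """Non-patch mitigations from the Safeguards section that apply to this host."""
    steps = []
    if h.smb_exposed:
        steps.append("restrict 139/tcp and 445/tcp to trusted networks")
    steps.append("enable the host firewall")
    if h.os == "XP" and h.sp == 1 and h.simple_file_sharing:
        steps.append("disable Simple File Sharing")
    return steps

# Constructed sample inventory (hostnames and settings are made up).
INVENTORY = [
    Host("fs-w2k", "2000", 4, True, False, False, True),
    Host("xp-kiosk", "XP", 1, False, True, True, True),
    Host("xp-lan", "XP", 2, True, False, False, False),
]

def triage(hosts):
    """Map each host to (who can exploit it, when to patch it)."""
    return {h.name: (exposure(h), patch_timing(h)) for h in hosts}
```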

 
Patches/Software

Microsoft has released patches at the following links:

Microsoft Windows 2000 SP4  
Microsoft Windows XP SP1 and SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 SP1 or prior 
Microsoft Windows Server 2003 SP1 or prior for Itanium-based Systems  
Microsoft Windows Server 2003 x64 Edition


Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID   Signature Name                     Release   Latest Release Date
6131/0         Microsoft Plug and Play Overflow   S599      2011 Oct 01
6131/1         Microsoft Plug and Play Overflow   S599      2011 Oct 01
6131/2         Microsoft Plug and Play Overflow   S599      2011 Oct 01
6131/3         Microsoft Plug and Play Overflow   S689      2013 Jan 15
6131/4         Microsoft Plug and Play Overflow   S599      2011 Oct 01
6131/5         Microsoft Plug and Play Overflow   S599      2011 Oct 01
6131/6         Microsoft Plug and Play Overflow   S673      2012 Oct 09
6131/7         Microsoft Plug and Play Overflow   S673      2012 Oct 09
6131/8         Microsoft Plug and Play Overflow   S705      2013 Apr 03
6131/9         Microsoft Plug and Play Overflow   S705      2013 Apr 03
6131/10        Microsoft Plug and Play Overflow   S617      2012 Jan 13
6131/11        Microsoft Plug and Play Overflow   S689      2013 Jan 15
 
Alert History
 

Version 4, August 15, 2005, 8:37 AM: Microsoft has re-released a security advisory to address malicious code exploiting the Microsoft Windows plug and play remote code execution vulnerability.

Version 3, August 12, 2005, 9:40 AM: Microsoft has released a security advisory to address publicly available exploit code for the Microsoft Windows plug and play remote code execution vulnerability.

Version 2, August 10, 2005, 10:21 AM: US-CERT has released a technical cyber security alert and vulnerability note to address the Microsoft Windows plug and play remote code execution vulnerability.

Version 1, August 9, 2005, 4:47 PM: The Microsoft Windows Plug and Play service contains a buffer overflow vulnerability that could allow the execution of arbitrary code with elevated privileges.  Patches are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Microsoft, Inc. Windows 2000: Advanced Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Microsoft, Inc. Windows Server 2003: Enterprise Edition Base, SP1 | Enterprise Edition, 64-bit (Itanium) Base, SP1 | Enterprise Edition x64 (AMD/EM64T) Base | Standard Edition Base, SP1 | Standard Edition, 64-bit (Itanium) Base, SP1 | Standard Edition x64 (AMD/EM64T) Base | Web Edition Base, SP1
Microsoft, Inc. Windows XP: Home Edition SP1, SP2 | Professional Edition SP1, SP2 | Professional x64 (AMD/EM64T) Base

Associated Products:
N/A
