MS-ISAC ADVISORY NUMBER:
2005-013
DATE(S) ISSUED:
8/9/2005
SUBJECT:
New Vulnerability in Microsoft Plug and Play
OVERVIEW:
A critical vulnerability exists in the Microsoft Plug and Play (PnP) service which allows an attacker to remotely execute arbitrary code on an affected system. The Plug and Play (PnP) service is used to simplify the installation of new hardware on most Windows-based operating systems. If an attacker successfully exploits this vulnerability, it will give the attacker complete control over the affected system. Exploit code is not publicly available at this time. Microsoft has not received information that this vulnerability is being exploited on the Internet.
SYSTEMS AFFECTED:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 and Service Pack 2
- Microsoft Windows Server 2003 Service Pack 1
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: High
DESCRIPTION:
A new vulnerability was discovered in Microsoft Plug and Play (PnP), which could be exploited by remote attackers to execute arbitrary commands. The Plug and Play (PnP) service is used to simplify the installation of new hardware on most Windows-based operating systems. On Windows 2000, successful exploitation of this vulnerability allows a remote and unauthenticated attacker to execute arbitrary code on a vulnerable system. Attacks targeting Windows XP Service Pack 1 will require valid logon credentials, and attacks targeting Windows XP Service Pack 2 or Windows 2003 Server will require both valid logon credentials and the ability to log on locally (i.e., physical access).
After successful exploitation, an attacker could take control of a vulnerable system and perform actions such as installing programs; viewing, changing, and deleting data; and creating user accounts.
Microsoft currently provides no workarounds for this vulnerability. The only resolution is to apply the patch provided by Microsoft to all systems.
RECOMMENDATIONS:
CSCIC recommends the following actions be taken:
- Apply the appropriate patch to vulnerable systems as soon as possible after appropriate testing. The patch is available at http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
- Block TCP ports 139 and 445 at the perimeter firewall.
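The perimeter block in the second recommendation can be verified against a firewall's saved ruleset. The following is an added example, not part of the advisory: it assumes a Linux perimeter firewall exported with iptables-save and an Internet-facing interface named eth0, and the function names and sample ruleset are constructed for illustration.

```python
import re
import shlex

OPTS = {"-j": "target", "-g": "target", "-p": "proto", "-i": "iface",
        "--dport": "ports", "--dports": "ports", "--state": "state",
        "--ctstate": "state", "--reject-with": "reject", "--comment": "note"}
HARMLESS = ("-m", "tcp", "multiport", "state", "conntrack", "comment")
# Constructed iptables-save excerpt; eth0 is assumed to face the Internet.
CONSTRUCTED_SAMPLE = """:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m multiport --dports 135:139 -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --dport 1:1023 -j ACCEPT"""

def parse_rule(line):
    """Parse one '-A CHAIN ...' line; anything not modelled sets 'unknown'."""
    tok, rule, i = shlex.split(line), {"unknown": False}, 2
    while i < len(tok):
        key = OPTS.get(tok[i])
        if key and i + 1 < len(tok):
            rule[key], i = tok[i + 1], i + 2
        else:  # "!", -s/-d, unmodelled match modules and their arguments
            rule["unknown"] |= tok[i] not in HARMLESS
            i += 1
    return rule

def port_in(port, spec):
    """True if port falls inside a spec such as '135:139,445' or '1024:'."""
    return any(int(lo or 0) <= port <= int(hi or (65535 if sep else lo))
               for lo, sep, hi in (p.partition(":") for p in spec.split(",")))

def verdict(ruleset, port, iface="eth0", chain="FORWARD"):
    """First-match result for a NEW TCP connection to port (139 or 445 here)."""
    for line in map(str.strip, ruleset.splitlines()):
        if not line.startswith(f"-A {chain} "):
            continue
        rule = parse_rule(line)
        target = rule.get("target", "LOG")  # no target: rule only counts packets
        if " ! " in line or target not in ("ACCEPT", "DROP", "REJECT", "LOG"):
            return "review"  # inverted match or user-defined chain: not modelled
        if (rule.get("proto", "tcp") not in ("tcp", "all")
                or rule.get("iface", iface) != iface
                or not port_in(port, rule.get("ports", str(port)))
                or "NEW" not in rule.get("state", "NEW")):
            continue  # rule cannot match this connection
        if target == "ACCEPT":
            return "review" if rule["unknown"] else "exposed"
        if target in ("DROP", "REJECT") and not rule["unknown"]:
            return "blocked"
    policy = re.search(rf"^:{chain} (\w+)", ruleset, re.M)
    return "blocked" if policy and policy[1] == "DROP" else "exposed"
```

Call `verdict` once for 139 and once for 445. The constructed sample drops only the NetBIOS range, so 445 still passes through the broad low-port ACCEPT rule; a "review" result means a rule uses a match the check does not model and needs a manual read.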
REFERENCES:
Microsoft
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
ISS
http://xforce.iss.net/xforce/alerts/id/203
Secunia
http://secunia.com/advisories/16372/
SecurityFocus
http://www.securityfocus.com/bid/14513
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
