CVE-2001-0877
published 2001-12-20


Priority: P4
CVSS 2.0: 5 (medium), vector AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 43.76% (98.6th percentile)
Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to cause a denial of service via (1) a spoofed SSDP advertisement that causes the client to connect to a service on another machine that generates a large amount of traffic (e.g., chargen), or (2) via a spoofed SSDP announcement to broadcast or multicast addresses, which could cause all UPnP clients to send traffic to a single target system.

Detection & IOCs (extracted from sources)

Port: 1900/udp
Snort rule:
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9; metadata:created_at 2010_09_23, cve CVE_2001_0876, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Bytes: NOTIFY * 
  • Detect spoofed SSDP NOTIFY advertisements inbound on UDP port 1900 from external networks; the Snort rule (sid:2101384) triggers on the 'NOTIFY * ' string case-insensitively.
  • CVE-2001-0877 detections from vulnerability scanners and untuned Snort sensors are frequently false positives; alerts on non-Windows 98/ME/XP systems should be treated as noise.
  • IDS alerts for this CVE are commonly triggered by benign network discovery tools and Nessus scans correlated against untuned public-facing Snort sensors; tune accordingly before acting on alerts.
  • The vulnerability only affects Windows 98, 98SE, ME, and XP (SP0 and lower); alerts firing on any other OS are false positives and should be suppressed.
  • Attack vector 2 uses spoofed SSDP announcements to broadcast or multicast addresses, meaning detection rules scoped only to unicast traffic may miss this variant.
  • Attack vector 1 abuses a spoofed SSDP advertisement to redirect the victim to a high-bandwidth service (e.g., chargen) on a third-party machine; the malicious traffic originates from the victim, not the attacker, complicating attribution.
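The Snort rule above only matches the literal "NOTIFY * " start line, which is why it fires on every benign UPnP announcement. The script below is an added example (not part of this CVE record or any vendor tooling) of the second-stage triage the bullets describe: it parses an SSDP NOTIFY datagram, applies the same case-insensitive start-line match, and then flags the two things that separate the CVE-2001-0877 vectors from ordinary discovery traffic: a LOCATION header that points at a host other than the sender (spoofing, and for vector 2 a third-party target inside a multicast/broadcast announcement), and a LOCATION port that is a high-volume service such as chargen. The HOME_NETS range stands in for Snort's $HOME_NET, and all addresses, UUIDs and datagrams are constructed sample data.

```python
"""Triage SSDP NOTIFY datagrams for the CVE-2001-0877 spoofing patterns."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

SSDP_PORT = 1900
CHARGEN_PORT = 19  # high-volume service the advisory names as an example target
# Assumption: a single RFC 1918 range stands in for Snort's $HOME_NET variable.
HOME_NETS = [ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Datagram:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_ssdp(payload: bytes):
    """Split a UDP payload into its HTTPU start line and a lower-cased header dict."""
    lines = payload.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_multicast_or_broadcast(ip: str) -> bool:
    """True for multicast, limited broadcast, or a HOME_NETS directed broadcast."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast or ip == "255.255.255.255":
        return True
    return any(addr == net.broadcast_address for net in HOME_NETS)


def assess(dgram: Datagram):
    """Return the list of reasons a NOTIFY looks spoofed; an empty list means benign."""
    reasons = []
    if dgram.dst_port != SSDP_PORT:
        return reasons
    start, headers = parse_ssdp(dgram.payload)
    # Same match as the Snort rule: content:"NOTIFY * "; nocase;
    if not start.upper().startswith("NOTIFY * "):
        return reasons
    src = ipaddress.ip_address(dgram.src_ip)
    if not any(src in net for net in HOME_NETS):
        reasons.append("NOTIFY from external source")
    location = headers.get("location")
    if not location:
        return reasons
    url = urlsplit(location)
    host, port = url.hostname, url.port or 80
    if host != dgram.src_ip:
        # A genuine device advertises its own description URL, so a mismatch
        # means the advertisement was spoofed on behalf of some other host.
        reasons.append(f"LOCATION host {host} differs from sender {dgram.src_ip}")
        if is_multicast_or_broadcast(dgram.dst_ip):
            reasons.append("third-party LOCATION in multicast/broadcast announcement (vector 2)")
    if port == CHARGEN_PORT:
        reasons.append("LOCATION points at chargen")
    return reasons


def build_notify(location: str) -> bytes:
    """Constructed sample NOTIFY payload; only the LOCATION header varies."""
    return (
        "NOTIFY * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        "NT: upnp:rootdevice\r\n"
        "NTS: ssdp:alive\r\n"
        f"LOCATION: {location}\r\n"
        "USN: uuid:constructed-example::upnp:rootdevice\r\n"
        "\r\n"
    ).encode("latin-1")


# Constructed sample traffic: one ordinary announcement and one datagram per vector.
SAMPLES = {
    "benign": Datagram("192.168.1.20", "239.255.255.250", 1900,
                       build_notify("http://192.168.1.20:49152/desc.xml")),
    "vector1": Datagram("203.0.113.9", "192.168.1.50", 1900,
                        build_notify("http://198.51.100.7:19/")),
    "vector2": Datagram("192.168.1.99", "239.255.255.250", 1900,
                        build_notify("http://192.168.1.50:19/")),
}


def scan(samples=SAMPLES):
    """Assess every sample and map its name to the reasons it was flagged."""
    return {name: assess(d) for name, d in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan().items():
        print(name, "->", reasons or ["ok"])
```

Run against the samples, the benign announcement produces no reasons, vector 1 is flagged for its external source, mismatched LOCATION host and chargen port, and vector 2 is flagged for a third-party LOCATION inside a multicast announcement plus the chargen port. Feeding the same logic from a packet capture restricted to the Snort alert's flows is what turns the rule's informational hits into actionable ones.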