[Micronet] Disable the chargen service on your hosts


Allison Henry

Micronetters,

Due to recent security incidents involving the abuse of the "chargen"
service running on (19/udp), we are asking campus administrators to
*immediately disable chargen services* on all campus hosts, or at a
minimum, block Internet access to UDP port 19 using firewalls. There
are few if any legitimate uses for this service, and as required by
campus MSSND, unnecessary services should be removed:

https://security.berkeley.edu/mssnd#no-unnecessary-services

The chargen service is part of "Simple TCP/IP services" on Windows
Servers and "udp-small-servers" on Cisco IOS devices, so check to make
sure these services are not enabled. The chargen service is also
frequently enabled on printers and other multifunction devices, so if
you administer these devices, please check your configuration.

It's a good opportunity to check for any other unnecessary services
which may be running on your devices. Abuse of the chargen service is
an example of why this minimum security standard is important -- a
service that seems harmless may still be exploited by attackers.

If anyone has a legitimate use case for chargen, please let us know.
If the service cannot be disabled it should at least be blocked from
the public Internet. For more information on chargen see:

http://en.wikipedia.org/wiki/Character_Generator_Protocol

More information on this threat is being provided on the UCB-Security
mailing list: https://security.berkeley.edu/ucb-security

As a reminder, discussion of sensitive IT security issues on campus
takes place on this private list. If you have an IT job function or IT
management responsibilities, please subscribe.

Thanks,

--
Allison Henry
Security Operations Manager
Information Security and Policy Office
University of California, Berkeley
http://security.berkeley.edu
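
The configuration check the message asks for, sketched as an added example that is not part of the original message: it scans saved configuration text for enabled small servers on Cisco IOS ("udp-small-servers", as named above). The inetd.conf check for Unix hosts goes beyond what the message lists and is an assumption, as are the function names and the constructed sample inputs.

```python
import re

# Cisco IOS: "service udp-small-servers" / "service tcp-small-servers" turn on
# echo, discard, daytime and chargen; the "no ..." form turns them off.
IOS_SMALL = re.compile(r"^\s*(no\s+)?service\s+(udp|tcp)-small-servers\b", re.I)

def audit_ios(config_text):
    """Return the protocols ('tcp'/'udp') whose small servers are enabled."""
    enabled = set()
    for line in config_text.splitlines():
        m = IOS_SMALL.match(line)
        if not m:
            continue
        proto = m.group(2).lower()
        if m.group(1):              # explicit "no service ..." line
            enabled.discard(proto)
        else:
            enabled.add(proto)
    return sorted(enabled)

def audit_inetd(conf_text):
    """Return the protocols that have an uncommented chargen entry."""
    found = set()
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        # inetd.conf fields: service socket-type protocol wait user program
        if len(fields) >= 3 and fields[0].lower() == "chargen":
            found.add(fields[2].lower())
    return sorted(found)

# Constructed sample inputs (not taken from any real device).
SAMPLE_IOS = """\
hostname lab-sw1
service timestamps log datetime
service udp-small-servers
no service tcp-small-servers
"""
SAMPLE_INETD = """\
#chargen stream tcp nowait root internal
chargen dgram udp wait root internal
daytime stream tcp nowait root internal
"""

if __name__ == "__main__":
    print("IOS small servers enabled:", audit_ios(SAMPLE_IOS))
    print("inetd chargen entries:   ", audit_inetd(SAMPLE_INETD))
```

A "udp" result from either function marks a host that answers on 19/udp and should be disabled or firewalled as described in the message.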
