Security flaws in Universal Plug and Play expose million devices

Pierluigi Paganini January 30, 2013

Rapid7 security firm has published an interesting whitepaper entitled “Security Flaws in Universal Plug and Play” in which reports the result of a research conducted in the second half of 2012 that evaluated the global exposure of UPnP-enabled network devices.

Security world has become accustomed to so surprising data, over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet.

Rapid7Stats

The researchers have experimented three attacks discovering more than 40 million IPs are vulnerable at least one of them, the surprising result is justified by the fact that two most commonly used UPnP software libraries are affected by vulnerabilities that are remotely exploitable.

The UPnP protocol suffers from a number of basic security problems, many of which have been highlighted over the last twelve years. Authentication is rarely implemented by device manufacturers, privileged capabilities are often exposed to untrusted networks, and common programming flaws plague common UPnP software implementations. These issues are endemic across UPnP-enabled applications and network devices

The reports highlighted that over 23 million IPs related to Portable UPnP SDK are vulnerable to remote code execution just through a single UDP packet. The result proposed an alarming scenario, over 6,900 product versions from over 1,500 vendors are vulnerable through UPnP due to the exposure of UPnP SOAP service to the internet.

The risk is an attacker could “execute arbitrary code on the device or cause a denial of service,”, it could install malware on victim’s computer.

A remote, unauthenticated attacker may be able to execute arbitrary code on the device or cause a denial of service.

The good news is that vulnerabilities Rapid7 identified in the Portable UPnP SDK have been fixed as of version 1.6.18 0released today, but the bad news is that probably device vendors will spend too much time to patch their product exposing users to serious risks.

Rapid7’s post was skeptical on patch management process, following an exhaustive statement:

“The flaws identified in the MiniUPnP software were fixed over two years ago, yet over 330 products are still using older versions. For the reasons outlined above, we strongly suggest that end users, companies, and ISPs take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments.”

The figure related the penetration level of the menace is impressive, UPnP is enabled by default on many network appliances such as home gateways, network printers, and devices ranging from IP cameras to network storage servers.

Rapid7 has also provided a free vulnerability scanner, ScanNow UPnP, that can identify exposed UPnP endpoints in your network and flag which of those may remotely. Actually, the tools are available for Microsoft platforms, users of Mac OS X and Linux can test they UPnP endpoints using Metasploit (module UPnP SSDP M-SEARCH Information Discovery).

Rapid7 suggested the immediate actions mitigate the risks related to the vulnerability:

  • Internet Service Providers should review any equipment that they are providing to subscribers to verify that UPnP is not exposed on the WAN interface.
  • Companies should verify that all external-facing devices do not expose UPnP to the internet. Rapid7 provides ScanNow UPnP as well as Metasploit modules that can detect vulnerable UPnP services.

The U.S. Department of Homeland Security has immediately raised an alert on the serious threat to networking devices, it warns users to update their software or disable UPnP. It then warns to “disable UPnP applying a restriction to networking protocols and ports, including Simple Service Discovery Protocol (SSDP) and Simple Object Access Protocol (SOPA) services from untrusted networks such as the Internet.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – UPnP, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment