US CERT warns of serious UPnP router vulnerability

The US CERT has advised users to disable UPnP on routers following the discovery of a serious security flaw in the easy-access technology.

Security researchers have warned that faulty implementations of the Universal Plug and Play (UPnP) protocol in common routers are leaving millions of users at risk of attack.

UPnP was introduced as a solution to the problem of needing to forward ports from a router's external interface to internal systems in order to make internet-facing equipment visible. When routers and gateways were entirely under the control of system administrators that wasn't a problem, but these days nearly every house with an internet connection has a router that uses Network Address Translation (NAT) to connect multiple devices to the internet on a single public-facing IP.

A NAT system blocks unsolicited incoming traffic by default - not primarily as a security precaution, although that's a handy by-product, but because it has no way of knowing which of several client systems the traffic is meant for. Port forwarding tells the router that all incoming traffic to a selected port should go to a particular client system, but the configuration can be too confusing for non-technical users, with all its talk of 'virtual servers,' 'IP addresses' and 'port ranges.'

UPnP solves that problem: in a move seemingly designed to give security wonks a heart attack, UPnP allows the client devices themselves to negotiate holes in the firewall. Launch a peer-to-peer file sharing application, for example, and it will typically use UPnP to forward an externally-facing port to your laptop or desktop's internal IP address. When the client software is closed, so is the hole - until the next time it's launched. UPnP also allows for device discovery on the local network: many network printers allow access over UPnP, while the Digital Living Network Alliance (DLNA) media streaming standard is built on UPnP technologies.

One of the key points of UPnP is that it should only be active on the local network: it's one thing to have your internal systems poking holes in your firewall, but quite another for an external system to be able to do the same. Sadly, that most basic point appears to have been ignored by several manufacturers: a whitepaper released by security research firm Rapid7 claims that around 50 million devices are accessible over the internet using the UPnP protocol.

It's a serious problem: NAT provides a handy level of protection against network intrusion, blocking access to vulnerable services on client machines. With UPnP access enabled on the external interface, attackers can easily bypass the NAT to gain direct access to ports on client devices. Still worse, systems that use UPnP to share media have been found to be exposing said media to the internet at large - and while that might not concern those who use media servers to stream the latest TV shows, it's a common feature of smartphones and tablets to be able to share personal pictures and videos over UPnP and related protocols.
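The article's test for a misconfigured router is simple: UPnP discovery (SSDP, UDP port 1900) should only ever be seen from LAN addresses. The following is an added illustration, not code from the article or from Rapid7, of a defender running that check over captured datagram records; the record format, function names and sample datagrams are all constructed for the example, and 203.0.113.77 (a documentation address) stands in for an internet host.

```python
import ipaddress
SSDP_PORT = 1900  # UDP port for SSDP, the discovery step every UPnP exchange starts with
# RFC 1918 ranges a home LAN uses; SSDP from anywhere else arrived via the external interface
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: (source IP, destination UDP port, payload). The third is a
# discovery probe from 203.0.113.77, a documentation address standing in for an internet host.
SAMPLE_RECORDS = [
    ("192.168.1.20", 1900,
     b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
     b"MX: 2\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"),
    ("192.168.1.1", 1900,
     b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n"
     b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n\r\n"),
    ("203.0.113.77", 1900,
     b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
     b"MX: 1\r\nST: upnp:rootdevice\r\n\r\n"),
    ("192.168.1.30", 53, b"not ssdp at all"),  # unrelated traffic, must be ignored
]

def parse_ssdp(payload):
    """Parse an SSDP datagram (HTTP-style text); return (method, headers) or None."""
    try:
        lines = payload.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    method = lines[0].split(" ")[0]
    if method not in ("M-SEARCH", "NOTIFY", "HTTP/1.1"):  # search, advert, search reply
        return None
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return method, headers

def is_lan_address(ip):
    return any(ipaddress.ip_address(ip) in net for net in LAN_NETWORKS)

def find_wan_ssdp(records):
    """One finding per SSDP datagram on UDP/1900 whose source lies outside the LAN ranges."""
    findings = []
    for src, dport, payload in records:
        parsed = parse_ssdp(payload) if dport == SSDP_PORT else None
        if parsed and not is_lan_address(src):
            findings.append(f"{src} {parsed[0]} ST={parsed[1].get('ST', '?')}: UPnP reachable on external interface")
    return findings
```

A router that honours the LAN-only rule never produces the third kind of record; seeing one on a home gateway is the cue to disable UPnP as the advisory recommends.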

The issue has the US Computer Emergency Readiness Team (CERT) worried enough to issue an advisory telling users that they should consider disabling UPnP until manufacturers update the vulnerable libupnp software library to version 1.6.18, which explicitly disables UPnP on external interfaces. Disabling it is typically just a matter of flipping a setting in the router, although some models have publicly disclosed vulnerabilities where UPnP remains active even when apparently disabled.


Discuss in the forums
greigaitken 30th January 2013, 11:45
I was hoping to wake to "Google launches new monster graphics card that indexes web when not in use - therefore free for everyone". Instead, I got "your router might be helping the baddies".
ShinyAli 30th January 2013, 12:47
Comments on the white paper:

"Exploit checker released with this article requires JAVA to be installed on the computer.... but we already deleted Java per recommendations of exploitable flaws"...

Why has this taken so long to be made so public? Is it because so much tech is now connectable using UPnP? Everything from phones to smart TVs (oh no, has Google been tracking what TV programs I watch?) use it, as most people are not going to be port forwarding their routers to allow these devices internet access.

From what I have been reading on this subject IT Admins never allow UPnP anyway as they are obviously aware of the vulnerability so it's mainly home users and the ports UPnP uses (UDP port 1900 and TCP port 2869) are not common ports which you would have open to the internet anyway.

With so many machines seemingly vulnerable, why has this exploit not been used more, or have people just not realized that it has been used? Surely if it was so easy to access a machine via UPnP then hackers would use this method rather than trying to get malware on PCs, which can then often open ports and allow access?

The fact that UPnP remains active even when apparently disabled in some routers is a concern so might be worth doing a port check at "Shields Up" to confirm that the ports are closed after being disabled in your router.
ShinyAli 30th January 2013, 20:48
Strange: any mention of people's privacy/info having been compromised by the likes of Google, accidentally or intentionally, and the stuff hits the fan, but when a truly dangerous exploit/vulnerability is proven to exist in tens of millions of PCs/routers hardly anyone has anything to say on the matter. Guess we all need a big "evil" name to blame these days.
l3v1ck 1st February 2013, 08:57
Gibson Research have been banging on about UPnP on their website for years. I'm surprised the US government (of all people) has taken this long to realise its potential security threat.
ShinyAli 1st February 2013, 12:04
Originally Posted by l3v1ck
Gibson Research have been banging on about UPnP on their website for years. I'm surprised the US government (of all people) has taken this long to realise its potential security threat.

Yes they have. I forgot to mention that when I recommended a port check at Shields Up, which I have been using/reading for years.
jb0 3rd February 2013, 06:55
I'm amused that the "security threat" boils down to "the internet works like it's actually supposed to again."

NAT is not a security feature, it was never intended AS a security feature, and the "security" it provides is an unintentional side-effect of broken basic functionality.