This week, H.D Moore, the creator of Metasploit, and now CSO of Rapid7, released a detailed report unveiling his team’s months-long research into the security of the Universal Plug and Play (UPnP) protocol.
If you haven’t heard of it, Universal Plug and Play (UPnP) is a set of networking protocols intended to allow network devices to automatically find one another and then communicate and share data. The protocol was designed primarily for consumers, with the intention of making it easier for non-techie people to connect network products at home. Many network devices including home routers, media servers, game consoles, and printers leverage UPnP, and most operating systems enable it by default. In Moore’s own words, it is pervasive.
Moore’s report highlights just how exposed UPnP devices are on the Internet. For over five months, the Rapid7 researchers scanned the IPv4 address space, looking for devices that responded to UPnP queries (UDP port 1900). To their surprise, they found over 81 million devices (2.2% of the IPv4 addresses) that responded to their queries. They also learned that the majority of these devices use four common UPnP development kits, and that many of these development kits suffer from a variety of critical software vulnerabilities.
One of the worst software vulnerabilities they found lies in the Portable UPnP SDK development kit. This UPnP framework suffers from a serious remote code execution vulnerability that an attacker can exploit with a single, spoofed UDP packet. Moore’s team found 23 million devices exposed to this particular flaw alone.
So what should you do to protect yourself from these potential UPnP issues?
Well, if you work for a business or large organization, there’s some good news. These issues probably don’t affect your organization on the same level as they affect consumers. Business or enterprise class routers and network gear don’t enable UPnP services as often as consumer equipment does. It’s unlikely that your company’s router enables UPnP on its external interface. Furthermore, if you have an enterprise class firewall or security appliance, like any of WatchGuard’s XTM appliances, it will block the UPnP port (UDP 1900) by default. Unless you’ve specifically created a policy to allow UPnP traffic, you’re protected from these sorts of UPnP scans and attacks. Of course, even businesses may have UPnP-enabled devices on their internal networks. Even if you are protected from external attacks, you may still want to consider updating or disabling your internal UPnP devices, if you don’t actually use the UPnP features.
Consumers, on the other hand, will need to do more to protect themselves. Unlike enterprise equipment, consumer devices often enable UPnP. In fact, consumer routers, including ones your ISP may have provided, sometimes enable UPnP on the WAN interface. The first thing you need to do at home is find out whether your Internet router has UPnP enabled on its external interface, and then disable it. You may also need to upgrade the router’s firmware to get the latest UPnP components to fix the vulnerabilities Moore’s report describes.
Consumers should also scan their network to try and find all the devices that use UPnP. Rapid7 has provided a free tool called ScanNow UPnP to help with this task. Once you find all your UPnP devices, you should decide whether or not you are really using the UPnP services. If not, disable it. If you are using UPnP, then you may need to update the associated device’s software or firmware. However, this issue unfortunately affects thousands of devices, and some are outdated devices that may never receive future updates. It may take a while for all the affected vendors to provide the updated software.
UPnP is a perfect example of how convenience and security don’t always mix. The protocol was created to make it easier for devices to connect, but unfortunately easy often translates to insecure. In this case, UPnP made it too easy for users to accidentally expose a critical network service to the public.
For more technical details on these UPnP issues and how to fix them, I highly recommend you read Rapid7’s report [PDF]. In the meantime, if you don’t specifically use UPnP, turn it off. — Corey Nachreiner, CISSP (@SecAdept)