
Secplicity - Security Simplified

Powered by WatchGuard Technologies

H.D. Moore Unveils Major UPnP Security Vulnerabilities

January 31, 2013 By Corey Nachreiner

This week, H.D. Moore, the creator of Metasploit and now CSO of Rapid7, released a detailed report unveiling his team’s months-long research into the security of the Universal Plug and Play (UPnP) protocol.

If you haven’t heard of it, Universal Plug and Play (UPnP) is a set of networking protocols intended to allow network devices to automatically find one another and then communicate and share data. The protocol was designed primarily for consumers, with the intention of making it easier for non-techie people to connect network products at home. Many network devices including home routers, media servers, game consoles, and printers leverage UPnP, and most operating systems enable it by default. In Moore’s own words, it is pervasive.

Moore’s report highlights just how exposed UPnP devices are on the Internet. For over five months, the Rapid7 researchers scanned the IPv4 address space, looking for devices that responded to UPnP queries (UDP port 1900). To their surprise, they found over 81 million devices (2.2% of the IPv4 addresses) that responded to their queries. They also learned that the majority of these devices use four common UPnP development kits, and that many of these development kits suffer from a variety of critical software vulnerabilities.

One of the worst software vulnerabilities they found lies in the Portable UPnP SDK development kit. This UPnP framework suffers from a serious remote code execution vulnerability that an attacker can exploit with a single, spoofed UDP packet. Moore’s team found 23 million devices exposed to this particular flaw alone.

So what should you do to protect yourself from these potential UPnP issues?

Well, if you work for a business or large organization, there’s some good news. These issues probably don’t affect your organization on the same level as they affect consumers. Business or enterprise-class routers and network gear don’t enable UPnP services as often as consumer equipment does. It’s unlikely that your company’s router enables UPnP on its external interface. Furthermore, if you have an enterprise-class firewall or security appliance, like any of WatchGuard’s XTM appliances, it will block the UPnP port (UDP 1900) by default. Unless you’ve specifically created a policy to allow UPnP traffic, you’re protected from these sorts of UPnP scans and attacks. Of course, even businesses may have UPnP-enabled devices on their internal networks. Even if you are protected from external attacks, you may still want to consider updating or disabling your internal UPnP devices if you don’t actually use the UPnP features.

Consumers, on the other hand, will need to do more to protect themselves. Unlike enterprise equipment, consumer devices often enable UPnP. In fact, consumer routers, including ones your ISP may have provided, sometimes enable UPnP on the WAN interface. The first thing you need to do at home is find out whether your Internet router has UPnP enabled on its external interface, and then disable it. You may also need to upgrade the router’s firmware to get the latest UPnP components to fix the vulnerabilities Moore’s report describes.

Consumers should also scan their network to try to find all the devices that use UPnP. Rapid7 has provided a free tool called ScanNow UPnP to help with this task. Once you find all your UPnP devices, you should decide whether or not you are really using the UPnP services. If not, disable it. If you are using UPnP, then you may need to update the associated device’s software or firmware. However, this issue unfortunately affects thousands of devices, and some are outdated devices that may never receive future updates. It may take a while for all the affected vendors to provide the updated software.
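The inventory step above (and the UDP 1900 discovery queries the Rapid7 scan relied on) can be done on your own LAN with a short SSDP M-SEARCH probe. The script below is an added example, not Rapid7’s ScanNow tool or any code from the report; it assumes the libupnp banner string “Portable SDK for UPnP devices” and the “MiniUPnPd” banner as SERVER-header fingerprints, and it only lists what answers so you know which devices to update or switch off.

```python
import socket
from typing import Dict, List, Optional, Tuple

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            "MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n")

# Substrings found in the SERVER banner of common UPnP stacks (assumed
# fingerprints for this example; libupnp announces itself as
# "Portable SDK for UPnP devices/<version>").
SDK_BANNERS = {
    "portable sdk for upnp devices": "Portable UPnP SDK (libupnp)",
    "miniupnpd": "MiniUPnP",
}

def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Return the headers of an 'HTTP/1.1 200 OK' M-SEARCH reply (names
    lower-cased), or None for anything else (e.g. NOTIFY announcements)."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def identify_sdk(headers: Dict[str, str]) -> str:
    """Map the SERVER banner to one of the known SDK families, else 'unknown'."""
    server = headers.get("server", "").lower()
    for needle, name in SDK_BANNERS.items():
        if needle in server:
            return name
    return "unknown"

def discover(timeout: float = 3.0) -> List[Tuple[str, str, str]]:
    """Send one M-SEARCH to the local SSDP group and collect every reply as
    (source IP, SERVER banner, SDK family) until the timeout elapses."""
    found: List[Tuple[str, str, str]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH.encode(), SSDP_GROUP)
        try:
            while True:
                data, (ip, _) = sock.recvfrom(65535)
                hdrs = parse_ssdp_response(data)
                if hdrs:
                    found.append((ip, hdrs.get("server", "?"), identify_sdk(hdrs)))
        except socket.timeout:
            pass  # no more replies within the MX window
    return found
```

Call `discover()` from a host on the network you want to inventory; each device that answers is one to check for a firmware update or to disable if its UPnP features are not in use.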

UPnP is a perfect example of how convenience and security don’t always mix. The protocol was created to make it easier for devices to connect, but unfortunately easy often translates to insecure. In this case, UPnP made it too easy for users to accidentally expose a critical network service to the public.

For more technical details on these UPnP issues and how to fix them, I highly recommend you read Rapid7’s report [PDF]. In the meantime, if you don’t specifically use UPnP, turn it off. — Corey Nachreiner, CISSP (@SecAdept)


Filed Under: Security Bytes Tagged With: H.D. Moore, Metasploit, Rapid7, Software vulnerabilities, UPnP

Comments

  1. Richard Naught says

    January 31, 2013 at 3:05 pm

    The “ScanNow UPnP” requires Java. I thought Java was a no-no….

    RN

    • Corey Nachreiner says

      January 31, 2013 at 3:21 pm

      Heh! That is a VERY good point… and unfortunately attests to how hard it is to get away from Java right now. Yes, if you don’t rely on it, I recommend you not install Java… unfortunately, there are a ton of business apps that require it. So you may have to deal with it. In that case, at least install the latest version (7 update 11 does fix many of the recent 0-days, although researchers report not all)… My personal preference is using browser features and plugins that prevent it by default, like NoScript or Chrome’s click-to-play. This way Java is still there if I absolutely need it, but I have the choice of when to allow it.

      For more technical folks, though, Rapid7 also released a Metasploit plugin that will do the same type of UPnP scans as that ScanNow tool. Perhaps the Metasploit module doesn’t require Java…

  2. Mike Rohwedder says

    January 31, 2013 at 4:27 pm

    Hi Corey,

    I used the tool and discovered UPnP enabled on my Comcast Wireless router. It’s now turned off as I really think I do not need it.

    And it’s nice to be home after 16 years in Tasmania!

    Mike

  3. Alexander Kushnarev (Rainbow Security) says

    February 3, 2013 at 6:43 am

    The first time I heard about Universal Plug and Play technology was at the end of 2001, when serious vulnerabilities were detected by the eEye company in Microsoft’s UPnP implementation. I’ve even found the original knowledge base article.

    http://technet.microsoft.com/en-us/security/bulletin/ms01-059

    Also, the famous “UnPlug n’ Pray” utility was released to disable UPnP in Windows. Since then, from time to time, I’ve heard some “bad news” about UPnP, but haven’t heard or read anything really useful about it. Obviously, we will see a couple of new exploits for the Metasploit tool soon…

    • Corey Nachreiner says

      February 5, 2013 at 4:12 pm

      Yeah… hopefully all the folks serious about security realize that UPnP has always been a disaster of a protocol. That said, it was eye-opening to learn how many consumer devices are actually responding to UPnP queries… crazy!
