This week, HD Moore, the creator of Metasploit and now CSO of Rapid7, released a detailed report unveiling his team's months-long research into the security of the Universal Plug and Play (UPnP) protocol.
If you haven't heard of it, Universal Plug and Play (UPnP) is a set of networking protocols that lets devices on a network automatically discover one another and then communicate and share data. The protocol was designed primarily for consumers, with the intention of making it easy for non-technical people to connect network products at home. Many network devices, including home routers, media servers, game consoles, and printers, support UPnP, and most consumer operating systems enable it by default. In Moore's own words, it is pervasive.
Moore's report highlights just how exposed UPnP devices are on the Internet. For over five months, Rapid7's researchers scanned the IPv4 address space looking for hosts that answered UPnP discovery queries (SSDP, UDP port 1900). To their surprise, more than 81 million addresses (2.2% of the IPv4 space) responded. They also learned that the majority of those devices run one of four common UPnP development kits, and that several of those kits suffer from a variety of critical software vulnerabilities.
One of the worst vulnerabilities they found lies in the Portable UPnP SDK (libupnp). This framework suffers from a serious remote code execution flaw in its SSDP handling that an attacker can trigger with a single spoofed UDP packet: no session, no authentication, and, because the transport is UDP, no need to reveal the true source address. Moore's team found 23 million devices exposed to this particular flaw alone.
So what should you do to protect yourself from these potential UPnP issues?
Well, if you work for a business or large organization, there's some good news: these issues probably don't affect your organization on the same scale they affect consumers. Business and enterprise-class routers and network gear don't enable UPnP services as often as consumer equipment does, and it's unlikely that your company's router enables UPnP on its external interface. Furthermore, an enterprise-class firewall or security appliance, like any of WatchGuard's XTM appliances, blocks the UPnP discovery port (UDP 1900) by default. Unless you've specifically created a policy to allow UPnP traffic, you're protected from these scans and from the single-packet SSDP attacks. Keep in mind that discovery is only half of UPnP: once a device has been found, it is controlled over HTTP/SOAP on a device-specific TCP port advertised in its SSDP reply, so any policy that opens such a port from the outside deserves the same scrutiny. Of course, even businesses may have UPnP-enabled devices on their internal networks. Even if you are protected from external attacks, consider updating or disabling those internal UPnP devices if you don't actually use the UPnP features.
Consumers, on the other hand, need to do more to protect themselves. Unlike enterprise equipment, consumer devices often enable UPnP, and consumer routers, including ones your ISP may have provided, sometimes enable it on the WAN interface. The first thing to do at home is find out whether your Internet router has UPnP enabled on its external interface and, if so, disable it. After you change the setting, verify from outside your network that UDP port 1900 no longer answers; the checkbox alone is not proof. You may also need to upgrade the router's firmware to get patched UPnP components that fix the vulnerabilities Moore's report describes.
Consumers should also scan their network to find every device that uses UPnP. Rapid7 has provided a free tool called ScanNow UPnP for this task. Once you've found your UPnP devices, decide whether you really use their UPnP services; if not, disable them. If you do use UPnP, you may need to update the associated device's software or firmware. Unfortunately, this issue affects thousands of product models, some of them outdated devices that may never receive another update, and even for the vendors that do issue fixes it may take a while for updated software to arrive.
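To make the scanning step concrete, here is an added example of my own (not Rapid7's ScanNow tool or Metasploit module): a small Python SSDP scanner that sends one M-SEARCH to the UPnP multicast discovery address, parses the HTTP-style replies, and classifies each responder by its SERVER header. The fingerprint strings it matches ("Portable SDK for UPnP devices", "Intel SDK for UPnP devices", "MiniUPnPd") come from those libraries' own sources, the 1.6.18 threshold is the libupnp release that shipped the fixes, and the sample reply is constructed for the offline run; none of those details is stated in the report as summarized above.

```python
"""Minimal SSDP (UPnP discovery, UDP/1900) scanner for a home LAN."""
import re
import socket

SSDP_ADDR = ("239.255.255.250", 1900)

# The discovery request: an HTTP-over-UDP M-SEARCH with the mandatory headers.
# "ST: ssdp:all" asks every device and service to answer, not only root devices.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
).encode("ascii")

# SERVER-header fingerprints for two common embedded stacks (assumed from the
# libraries' own source, not from the article): libupnp announces itself as
# "Portable SDK for UPnP devices/<ver>" (older: "Intel SDK ..."), MiniUPnPd as "MiniUPnPd/<ver>".
LIBUPNP_RE = re.compile(r"(?:Portable|Intel) SDK for UPnP devices(?:/([\d.]+))?", re.I)
MINIUPNPD_RE = re.compile(r"MiniUPnPd/([\d.]+)", re.I)
# Assumption for this example: libupnp 1.6.18 is the release that shipped the SSDP fixes.
LIBUPNP_FIXED = (1, 6, 18)
LIBUPNP_FLAG = "libupnp older than 1.6.18: check for vendor firmware with the SSDP fixes"

# Constructed sample reply, shaped like one from a libupnp-based home router.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"\r\n"
)


def parse_ssdp_response(raw: bytes) -> dict:
    """Turn an SSDP reply into {lower-cased header: value}; non-'200 OK' input yields {}."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")  # split on the FIRST colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_stack(server_header: str) -> dict:
    """Map a SERVER header to {'stack', 'version', 'flag'}; 'flag' is '' unless
    the stack is a libupnp build older than the fixed release."""
    m = LIBUPNP_RE.search(server_header or "")
    if m:
        ver = m.group(1) or ""
        parsed = tuple(int(p) for p in ver.split(".") if p.isdigit())
        old = not parsed or parsed < LIBUPNP_FIXED
        return {"stack": "libupnp", "version": ver, "flag": LIBUPNP_FLAG if old else ""}
    m = MINIUPNPD_RE.search(server_header or "")
    if m:
        return {"stack": "miniupnpd", "version": m.group(1), "flag": ""}
    return {"stack": "unknown", "version": "", "flag": ""}


def discover(quiet_seconds: float = 3.0) -> list:
    """Send one M-SEARCH and collect replies until the LAN has been silent for
    quiet_seconds.  Returns [(source_ip, headers), ...]."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(quiet_seconds)
    found = []
    try:
        sock.sendto(M_SEARCH, SSDP_ADDR)
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers:
                found.append((ip, headers))
    except socket.timeout:
        pass  # quiet for quiet_seconds: done
    finally:
        sock.close()
    return found


def report(responders: list) -> list:
    """One printable line per responder: ip, SERVER header, stack, version, flag."""
    out = []
    for ip, h in responders:
        info = classify_stack(h.get("server", ""))
        note = f"  [{info['flag']}]" if info["flag"] else ""
        out.append(f"{ip}: {h.get('server', '?')} -> {info['stack']} {info['version']}{note}")
    return out


if __name__ == "__main__":
    import sys
    hits = [("192.168.1.1", parse_ssdp_response(SAMPLE_REPLY))] if "--offline" in sys.argv else discover()
    print("\n".join(report(hits)) or "no SSDP responders heard")
```

Run it with `--offline` to see the parser and classifier work on the constructed reply, or without arguments on your home network to list every SSDP responder. Anything it flags is a starting point, not a verdict: the SERVER header is whatever the vendor chose to put there, so confirm with the firmware version on the device's own admin page before deciding it is safe or unsafe.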
UPnP is a perfect example of how convenience and security don't always mix. The protocol was created to make it easier for devices to connect, but easy often translates to insecure. In this case, UPnP made it too easy for users to unknowingly expose a critical network service to the public Internet.
For more technical details on these UPnP issues and how to fix them, I highly recommend you read Rapid7’s report [PDF]. In the meantime, if you don’t specifically use UPnP, turn it off. — Corey Nachreiner, CISSP (@SecAdept)
Richard Naught says
The “ScanNow UPnP” tool requires Java. I thought Java was a no-no….
Corey Nachreiner says
Heh! That is a VERY good point… and unfortunately it attests to how hard it is to get away from Java right now. Yes, if you don't rely on it, I recommend you not install Java… unfortunately, there are a ton of business apps that require it, so you may have to deal with it. In that case, at least install the latest version (7 update 11 does fix many of the recent 0-days, although researchers report not all)… My personal preference is using browser features and plugins that prevent it by default, like NoScript or Chrome's click-to-play. This way Java is still there if I absolutely need it, but I have the choice of when to allow it.
For more technical folks, though, Rapid7 also released a Metasploit plugin that will do the same type of UPnP scans as that ScanNow tool. Perhaps the Metasploit module doesn't require Java…
Mike Rohwedder says
I used the tool and discovered UPnP enabled on my Comcast Wireless router. It’s now turned off as I really think I do not need it.
And it’s nice to be home after 16 years in Tasmania!
Alexander Kushnarev (Rainbow Security) says
The first time I heard about Universal Plug and Play technology was at the end of 2001, when serious vulnerabilities were detected by the eEye company in Microsoft's UPnP implementation. I even found the original knowledge base article.
Also, the famous “UnPlug n’ Pray” utility was released to disable UPnP in Windows. Since then, from time to time, I've heard some “bad news” about UPnP, but haven't heard or read anything really useful about it. Obviously, we will see a couple of new exploits for the Metasploit tool soon…
Corey Nachreiner says
Yeah… hopefully all the folks serious about security realize that UPnP has always been a disaster of a protocol. That said, it was eye-opening to learn how many consumer devices actually respond to UPnP queries… crazy!