Millions of devices vulnerable via UPnP - Update
During an IP scan of all possible IPv4 addresses, Rapid7, the security firm that is known for the Metasploit attack framework, has discovered 40 to 50 million network devices that can potentially be compromised remotely with a single data packet. The company says that remote attackers can potentially inject code into these devices, and that this may, for example, enable them to gain unauthorised access to a user's local network.
All kinds of network-enabled devices including routers, IP cameras, NAS devices, printers, TV sets and media servers are affected. They all have several things in common: they support the Universal Plug and Play network protocol, respond to UPnP requests from the internet, and use a vulnerable UPnP library to do so.
Rapid7's Chief Security Officer HD Moore said that, when scanning the IPv4 addresses, 81 million IPs had responded to UPnP discovery requests. This is already most peculiar in itself, as UPnP is only supposed to play a role within local networks. The protocol enables network devices to find each other and, for example, exchange instructions. Discovery requests are usually broadcast, and UPnP-enabled devices in a network then respond to them. It appears that manufacturers didn't allow for the possibility that such packets could arrive as unicasts from the internet.
It became apparent that in 73 per cent of cases, the manufacturers of the responding devices had implemented the UPnP features using one of four development kits, with most of them using Intel's libupnp or MiniUPnP. The security company examined the source code of these two tools and found eight vulnerabilities – including seven buffer overflows – in the most widely used version of libupnp alone. Three of the holes still exist in version 1.6.17, which was current up until Tuesday. The vulnerabilities can be found in the SSDP parser's unique_service_name() function. To inject arbitrary code into the vulnerable devices, all a potential attacker needs to do is send a UDP packet in the following way:
M-SEARCH * HTTP/1.1
The size of the network packet must not exceed 2,500 bytes, which should provide enough scope to inject a lean malicious program. In the obsolete (and still most widely-used) version 1.0 of MiniUPnP, the experts discovered two vulnerabilities that can be exploited to cripple affected devices (Denial of Service).
Rapid7 identified more than 6,900 vulnerable product versions by more than 1,500 vendors including D-Link, Fujitsu, Huawei, Logitech, Netgear, Siemens, Sony, TP-Link, Zyxel and many others. Although the vulnerabilities have been fixed in the current versions of the UPnP libraries – the updated version 1.2 of MiniUPnP is already two years old – most of the vulnerable devices are unlikely to be made safe any time soon. Many of them are probably long out of production and are no longer supported by their manufacturers.
The US-CERT has also released a vulnerability note concerning this threat and said that it has attempted to notify more than 200 affected vendors. The CERT recommends that the affected libraries should be updated – which most customers can't do themselves. Alternatively, the US-CERT said that users should implement firewall rules to block UDP port 1900 or, if possible, disable the UPnP feature. Disabling UPnP is likely the most viable option for the majority of users. Of course, the device must first offer an appropriate option and then actually cease to respond to requests via the WAN interface for this approach to be successful.
Rapid7 has provided a free tool called ScanNow UPnP that allows users to search IP address spaces for vulnerable devices. Users enter information about their personal network to activate the tool. Another option is the ssdp_msearch Metasploit module, which can be accessed via the Metasploit console as follows:
msf > use auxiliary/scanner/upnp/ssdp_msearch
msf auxiliary(ssdp_msearch) > set RHOSTS 192.168.0.0/24
msf auxiliary(ssdp_msearch) > run
Users who discover a vulnerable device on their network that responds to UDP packets from the internet should seriously consider disabling the UPnP feature or, if necessary, decommissioning the device. Attackers can potentially exploit vulnerable devices to gain access to local networks – and Rapid7's report will likely inspire many a hacker to attempt to do just that.
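The check the article recommends – confirming that a router no longer answers SSDP discovery on its WAN address after UPnP has been disabled, and reading the SERVER header of any reply to see which library it reports – can be scripted without Metasploit. The following is an added example, not Rapid7's tool or code from the article; the SERVER header formats it matches ("Portable SDK for UPnP devices/x.y.z" for libupnp, "miniupnpd/x.y" for MiniUPnP) and the version cut-offs (libupnp up to 1.6.17, MiniUPnP below 1.2, taken from the article's figures) are assumptions.

```python
import re
import socket
from typing import Optional

SSDP_PORT = 1900
# Discovery request in the form the article quotes (M-SEARCH * HTTP/1.1);
# the HOST/MAN/MX/ST headers are the standard SSDP ones, not from the article.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n\r\n"
).encode()


def parse_ssdp_response(raw: bytes) -> dict:
    """Split an SSDP HTTP/1.1 response into a dict keyed by upper-cased header name."""
    headers = {}
    for line in raw.decode("utf-8", errors="replace").split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers


def _version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def assess_server_header(server: str) -> str:
    """Classify the SERVER header against the versions the article names (assumed cut-offs):
    libupnp <= 1.6.17 and MiniUPnP < 1.2 are treated as likely affected."""
    m = re.search(r"Portable SDK for UPnP devices/([\d.]+)|libupnp[/ -]?([\d.]+)", server, re.I)
    if m:
        ver = _version_tuple(m.group(1) or m.group(2))
        return "libupnp: likely affected" if ver <= (1, 6, 17) else "libupnp: patched"
    m = re.search(r"miniupnpd?/([\d.]+)", server, re.I)
    if m:
        return "MiniUPnP: likely affected" if _version_tuple(m.group(1)) < (1, 2) else "MiniUPnP: patched"
    return "unknown library: check vendor advisory"


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one unicast M-SEARCH to host:1900. None means no reply within the timeout,
    which is the desired result when host is your own router's WAN address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(MSEARCH, (host, SSDP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_ssdp_response(data)
```

Run probe() against your own public address from outside the LAN; a parsed reply means the device still answers on the WAN side, and assess_server_header(reply["SERVER"]) tells you which library it advertises.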
Update - Rapid7 has now made a scanning service available as an alternative to installing its ScanNow tool. Users had expressed concerns about having to install Java on Windows to use the tool. The alternative service – upnp-check.rapid7.com – scans the user's local router for UPnP issues.