November 23, 2014

Millions of UPnP devices vulnerable to remote code execution

UPnP(LiveHacking.Com) – Rapid7, the vulnerability management and penetration testing company which is well known for the Metasploit tool, has released a whitepaper describing security flaws in popular implementations of the Universal Plug and Play protocol. It is estimated that more than 80 million unique IPs respond to UPnP discovery requests, all accessible from the internet. Of those 80 million devices, it is thought that between 40 and 50 million are vulnerable to at least one of three attacks outlined in the whitepaper.

The problem is that the two most commonly used UPnP software libraries both contain remotely exploitable vulnerabilities. First, the libupnp library contains multiple buffer overflow vulnerabilities and devices that use it and accept UPnP queries over the WAN interface are vulnerable. In total Rapid7 estimates that some 6,900 product versions are vulnerable from over 1,500 different vendors.

A new version (1.6.18) of libupnp has been released to fix the vulnerabilities but it will take quite a while before device makers start shipping units with the new software and it is unlikely that older devices will ever be updated.

The other library affected is the MiniUPnP library and although it was fixed over two years ago there are still over 330 products using older versions of the library.

Because of the finding Rapid7 is urging everyone to identify and disable any internet-exposed UPnP devices in their environments. “UPnP is pervasive – it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage server,” wrote HD Moore, the Chief Security Officer at Rapid7.

The warning was echoed by US-CERT which recommends that users and administrators disable UPnP (if possible), and restrict access to SSDP (1900/udp) and Simple Object Access Protocol (SOAP) services from the Internet.

According to US-CERT’s advisory, the Portable SDK for UPnP Devices, is vulnerable to multiple stack-based buffer overflows when handling malicious SSDP requests. This library is used by tens of millions of deployed network devices, of which approximately twenty million are exposed directly to the internet. In addition to network devices, many streaming media and file sharing applications are also exposed to attack through this library.

Rapid7 has released a tool called ScanNow UPnP which can identify any exposed UPnP endpoints in your network. The only wrinkle is that you need to register the tool, giving Rapid7 your name, email address and phone number, to use it!