Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security

4/13/2018
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Misconfigured Routers Could Be Used for Botnets, Espionage

A recent white paper released by Akamai finds that thousands of misconfigured routers using older UPnP protocols could be turned into malicious botnets or used for espionage.

Universal Plug and Play -- UPnP -- is an older protocol aimed at easing device and service discovery and a way to configure devices and networks. The idea behind it was to let devices on a LAN automatically expose their services and functionality to other devices that were located on the device's local network.

Now, however, the content delivery network Akamai has found it can be used to create proxies that hide the location of the originating traffic.

And that's really useful for malicious botnets, as well as for espionage.

UPnP has been known to be insecure for over a decade. In 2006, problems with how certain implementations handled network segmentation across the WAN -- external Internet -- and LAN were first brought to light. The first toolkit to exploit these showed up around 2011.

Akamai was investigating some attacks on its networks when it found that some routers would expose UPnP services that were meant for inter-device discovery through its WAN interface. Researchers later figured out that these routers were misconfigured.

In its white paper, Akamai explained that by using these exposed services, an attacker would be able to inject network address translation (NAT) entries into the remote device, and could expose machines behind the router. In other cases, attackers could inject Internet-routable hosts into the NAT table -- rules that control how IPs and ports from the router's internal network are mapped to the network above it -- which would cause the router to act as a proxy server.

It starts with the Simple Service Discovery Protocol (SSDP) probe response. From the location header, the attacker can communicate with the TCP-enabled UPnP daemon by changing the URL to use a public-facing address.

If the device is vulnerable to injection, a simple SOAP/XML payload can be crafted by the attacker which will inject a malicious NAT entry.

This may allow bypassing of the router's firewall to gain access to the admin interface. A brute force attack may work since no rate limiting or alerting is usually present on the login dialog.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

Akamai found 765,000 -- 16% of the total 4.8 million scanned -- of the devices were confirmed to expose their vulnerable TCP implementations. Over 65,000 -- 9% of vulnerable, 1.3% of total -- of these vulnerable devices were discovered to have active NAT injections. The most-identified IP injected was found over 18.8 million times across 23,286 devices.

The second-most-injected IP showed up over 11 million times across 59,943 devices. A majority of the injections were found to target TCP ports 53 (15.9 million for DNS), 80 (9.5 million for HTTP), and 443 (155,000 for HTTPS)

The actual purpose of this proxy network is unclear. It could be used to avoid censorship. It could also be a way to hide spamming or click fraud. A botnet using this technique could carry out a distributed denial of service (DDoS) attack as well. Whatever the attackers do with it, this flaw allows them to hide the traffic that they cause.

End users will not be able to detect a vulnerability like this on their own. Disabling UPnP to stop future infections may affect the network in areas such as gaming or media streaming.

Akamai gives a list of known affected routers in its posting. There may be more the company has not enumerated. It may well be that the only way out in this case is to replace the affected routers with one that has been hardened. Consumers may not be happy at all to hear that.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...