Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/29/2013
04:28 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Millions Of Networked Devices In Harm's Way

Unplug Universal Plug And Play (UPnP) to protect routers, storage devices, media players from getting hacked over the Internet, Rapid7 says

Between 40 and 50 million networked devices are wide open to attack over the Internet via flaws in the pervasive Universal Plug and Play (UPnP) protocol that's enabled by default in most printers, routers, network-attached storage, IP cameras, media players, smart TVs, and even video game consoles.

A report published today by Rapid7 and spearheaded by its chief security officer HD Moore -- who for some time now under the Critical.io project has been scanning for vulnerable devices facing the Internet -- reveals several newly discovered vulnerabilities in UPnP that could be abused by attackers to remotely hack into enterprise or consumer networks via UPnP-enabled devices like printers and routers.

Some 81 million different IP addresses responded to Rapid7's UPnP discovery requests over the Internet, 40- to 50 million of which are vulnerable to at least one of three types of attacks the firm has identified, and more than 6,900 different products from 1,500 vendors. Among the brands of products Rapid7 found it its scans were Cisco Systems, D-Link, HP, NetGear, and Siemens. UPnP is basically a protocol for discovering and controlling network devices, and also is used in Microsoft Windows "Add Device" wizard, for example.

Rapid7 is warning organizations and consumers to disable UPnP immediately, or only run products that don't use UPnP. The vulnerabilities Rapid7 found in one of the most popular UPnP software library programs used in various devices -- Portable UPnP SDK -- were patched today with release 1.6.18, and the bugs it found in MiniUPnP software had actually been fixed more than two years ago: even so, some 330 vendors still run older versions of that software, according to Rapid7's findings.

All it would take is a single UDP packet to exploit devices that use Portable UPnP SDK, according to Moore, and Rapid7 found more than 23 million IPs vulnerable to this.

But disabling UPnP isn't so simple, nor is getting all of the device vendors on board to do the necessary fixes. "Most organizations don't realize they even use UPnP, and disabling it can be tricky -- not all devices support this," Moore says.

The researchers found three types of flaws: programming bugs in common UPnP discovery protocol (SSDP) implementations that can be used by an attacker to crash the service and run malicious code; the UPnP control interface, Simple Object Access Protocol (SOAP), exposes private networks to attacks on the outside Internet and can leak sensitive data; and programming flaws in the UPnP HTTP and SOAP implementations, which can also be used to crash the service and run malicious code.

Rapid7's Moore says some 17 million devices actually exposed the UPnP SOAP service. "The tricky part was figuring out what actual products were affected, what we finally found was that enough of these devices were misconfigured to expose SOAP to the world that we could use the SOAP XML page to do device fingerprinting, and from there start the notification process with CERT/CC," he says.

US-CERT has issued an advisory on the UPnP vulnerabilities and also recommended disabling UpnP if possible. Cisco was one of the first vendors to issue its own advisory, that says it's currently "evaluating" its products for exposure to the bugs. Cisco did confirm that most of its enterprise products are immune because they don't use UPnP: products running IOS, IOS-XE, IOS-XR, and NX-OS are not vulnerable, nor are its ASA Series Adaptive Security Appliance and the Firewall Services Modules.

[UPDATE]:Cisco's Linksys group, meanwhile, confirmed that several of its products are affected by the UPnP flaws, including the E900, E1200 v2, E1000 v2.1, E1500, M10 v2, WRT610N v1, and WRT610N v2. "We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted," Linksys said in a statement.

For Internal Use Only
UPnP was not meant for external Internet use: vendors have provided poor implementations of the protocol that put these millions of devices at risk, security experts say. And mostly at direct risk are smaller organizations and consumers, security experts say.

"What you're seeing here is attackers can hijack network connections and gain a foothold into, generally, home networks, and possibly some small businesses as well," says security researcher Dan Kaminsky. "Enterprise hardware doesn't typically use UPnP. It's a legitimate and necessary service for allowing devices to interact with their local network configurations ... It's only designed for inside the network. It just happened that in all of these devices [found by Rapid7, it's] unnecessarily exposing them to the outside world."

"Quite literally, some 50 million devices are exposed to a service that was designed only for internal [network] use," Kaminsky says.

A typical home network has one or two UPnP devices, and typical "geek" has three to four in his or her home network, Moore says. "Most companies will have between three to five per corporate network. Most office printers, network scanners, and media servers, support this," for example, he says.

What's scary is that many organizations and consumers will likely be stuck with UPnP still enabled on their devices, even with the US-CERT alert out today announcing the bugs, and the new software release and alerts from vendors. "It is a convoluted path to fix these things, and pretty unlikely that the vendors can substantially improve the situation," Moore says. "Most vendors only support the most recent devices they sell, in some cases, they have a huge number of products."

Linksys products, for example, use three- to four different UPnP implementations, depending on the model or version of the device, he says. "If the device is no longer supported by the vendor, the user is out of luck, besides turning off UPnP or replacing it," he says. "To make things worse, it seems some ISPs provide UPnP-enabled routers to their customers, and they are expensive to fix."

Many smaller vendors won't likely bother fixing the flaws, or their customers won't know there's a security update available, says Thomas Kristensen, CSO of Secunia. "And most users who aren't very knowledgeable about managing such devices will probably bail out and leave the device," he says.

The good news, however, is that there have been few widespread attacks via UPnP to date, he says. "But a higher level of visibility [about the threat now] may change that," Moore warns.

Next Page: Free Scanning Tool For UPnP

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Deirdre Blake
50%
50%
Deirdre Blake,
User Rank: Apprentice
1/30/2013 | 7:25:44 PM
re: Millions Of Networked Devices In Harm's Way
-Yeah, doom and gloom keep flowing in a steady stream when it comes to security in the Information Age; but hey, at least iPhone 6.1 comes with some positive news! http://is.gd/c4miSM
lancop
50%
50%
lancop,
User Rank: Moderator
1/30/2013 | 3:34:48 PM
re: Millions Of Networked Devices In Harm's Way
Interesting conundrum: security researchers find "hidden" vulnerabilities, tell everyone (including hackers) how they can be exploited, suggest unplugging important devices that can't be secured, and then probably move on to find vulnerabilities somewhere else. Meanwhile, most people are just trying to make a living doing something useful but find themselves constantly defending their "information systems" from internet attackers. Welcome to "The Information Age" - are we having fun yet?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25826
PUBLISHED: 2020-09-23
PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe.
CVE-2020-25821
PUBLISHED: 2020-09-23
** UNSUPPORTED WHEN ASSIGNED ** peg-markdown 0.4.14 has a NULL pointer dereference in process_raw_blocks in markdown_lib.c. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2020-3130
PUBLISHED: 2020-09-23
A vulnerability in the web management interface of Cisco Unity Connection could allow an authenticated remote attacker to overwrite files on the underlying filesystem. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted HTTP re...
CVE-2020-3133
PUBLISHED: 2020-09-23
A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device. The vulnerability is due to improper validation of incoming emails. An attacker could exploit t...
CVE-2020-3135
PUBLISHED: 2020-09-23
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (UCM) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based...