Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Unplug Universal Plug And Play: Security Warning

Tens of millions of devices with UPnP are remotely exploitable, warns Metasploit creator. New tool detects vulnerable devices, which include 6,900 different product versions spanning 1,500 vendors.

More than 23 million Internet-connected devices are vulnerable to being exploited by a single UDP packet, while tens of millions more are at risk of being remotely exploited.

That warning was issued Tuesday by vulnerability management and penetration testing firm Rapid7, which said its researchers spent six months studying how many universal plug and play (UPnP) devices are connected to the Internet -- and what the resulting security implications might be. The full findings have been documented in a 29-page report, "Security Flaws In Universal Plug and Play."

"The results were shocking, to the say the least," according to a blog post from report author HD Moore, chief security officer of Rapid7 and the creator of the open source penetration testing toolkit Metasploit. "Over 80 million unique IPs were identified that responded to UPnP discovery requests from the Internet."

UPnP is a set of standardized protocols and procedures that are designed to make network-connected and wireless devices easy to use. Devices that use the protocol -- which is aimed more at residential users rather than enterprises -- include everything from routers and printers to network-attached storage devices and smart TVs.

[ Despite Oracle's efforts to fix Java-related vulnerabilities, Java Security Work Remains, Bug Hunter Says. ]

Despite its convenience, approximately 45 million of the UPnP-using IP addresses spotted by Rapid7 led to a device that's vulnerable to one of three attacks, which are outlined in the company's report. "All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP. This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the Internet, a serious vulnerability in of itself," Moore said.

"We strongly suggest that end users, companies and ISPs take immediate action to identify and disable any Internet-exposed UPnP endpoints in their environments," said Moore. "UPnP is pervasive -- it is enabled by default on many home gateways, nearly all network printers and devices ranging from IP cameras to network storage servers."

To help people spot vulnerable UPnP devices, Rapid7 released ScanNow for Universal Plug and Play. The free scanner for Windows can be used to "identify exposed UPnP endpoints in your network and flag which of those may [be] remotely exploitable through recently discovered vulnerabilities," said Moore. The exploitable vulnerabilities have already been added to the Metasploit open source penetration testing framework.

One of the most likely targets of a UPnP attack would be routers, since attackers could alter the DNS settings to point the device to an attacker-controlled server. At that point, the attacker could use the router to send spam, run a clickjacking scam to profit from false advertising impressions, or even eavesdrop on all traffic being sent through the device.

Interestingly, Moore found that 73% of all discovered Internet-facing UPnP instances were built with one of just four software development kits, and versions of two of those kits -- MiniUPnPd and Portable SDK for UPnP -- contain remotely exploitable vulnerabilities. "In the case of the Portable SDK for UPnP, over 23 million IPs are vulnerable to remote code execution through a single UDP packet," he said.

Some of the exploitable flaws have already been patched in the software development toolkits, such as Portable UPnP SDK version 1.6.18, which was released this week. But even with the SDK fixes, don't expect patches to be released for most of the vulnerable devices. "It will take a long time before each of the application and device vendors incorporate this patch into their products," said Moore. "In most cases, network equipment that is 'no longer shipping' will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new."

Indeed, the exploitable flaws spotted in the MiniUPnP SDK were excised from the software more than two years ago. "Yet over 330 products are still using older versions," said Moore.

This isn't the first security warning involving UPnP devices. For example, US-CERT issued a security alert in 2008 after finding that the devices could be exploited via a malicious Flash file, which could be used to infect a victim's system and then take control over any connected device that supports UPnP. In 2001, meanwhile, researchers at eEye warned that vulnerabilities in Microsoft's implementation of UPnP -- later patched -- could be exploited to trigger a buffer overflow and give an attacker access to any default installation of Windows XP.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-20092
PUBLISHED: 2021-05-13
File Upload vulnerability exists in ArticleCMS 1.0 via the image upload feature at /admin by changing the Content-Type to image/jpeg and placing PHP code after the JPEG data, which could let a remote malicious user execute arbitrary PHP code.
CVE-2020-21342
PUBLISHED: 2021-05-13
Insecure permissions issue in zzcms 201910 via the reset any user password in /one/getpassword.php.
CVE-2020-25713
PUBLISHED: 2021-05-13
A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.
CVE-2020-27823
PUBLISHED: 2021-05-13
A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-27830
PUBLISHED: 2021-05-13
A vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.