Thursday, January 31, 2013
PSA Security & Hacking: UPnP (Universal Plug and Play) Vulnerability
Security Now 389 "Unplug UPnP" links for audio downloads & etc http://twit.tv/show/security-now/389
[Edited to Add: Steve Gibson has a UPnP exposure test in ShieldsUP now! Thanks Steve!! https://twitter.com/SGgrc/status/297165652257554432]
CERT Note http://www.kb.cert.org/vuls/id/922681
US CERT "Multiple vulnerabilities have been announced in libupnp, the open source portable SDK for UPnP devices. Libupnp is employed by hundreds of vendors for UPnP-enabled devices. Information is also available in CERT Vulnerability Note VU#922681.
US-CERT recommends that affected UPnP device vendors and developers obtain and employ libupnp version 1.6.18, which addresses these vulnerabilities.
US-CERT recommends that users and administrators review CERT Vulnerability Note VU#922681, disable UPnP (if possible), and restrict access to SSDP (1900/udp) and Simple Object Access Protocol (SOAP) services from untrusted networks such as the Internet." ~http://www.us-cert.gov/current/
Steve Gibson provides details on this issue; he also notes in the VOD above that he is going to add the capability to test for this vulnerability to his ShieldsUP service/software.
The problem with this is that even if you disable UPnP on your router, it may still be enabled on the WAN (Internet) side.
Until Gibson gets this functionality added to ShieldsUP, I'm not sure how most people could scan for it to be sure it was disabled on their routers.
Hard-core nerds with the correct tools could pen test individual routers, but I'm not aware of any practical way to test for people who don't have the skillset and tools for pen testing.
AFAIK the Rapid7 tool isn't stable/reliable, at least it wasn't yesterday for many people; it may have been patched since then, but I'm not comfortable recommending it at this time.
I wouldn't trust a vulnerability list from any manufacturer on this, because it is a very bad case of stupid to have in the first place.
I haven't had enough time to find out if Tomato http://en.wikibooks.org/wiki/Tomato_Firmware#Supported_devices or DD-WRT http://www.dd-wrt.com/site/index provide a guaranteed fix for this yet.