Security → UPNP Router Vulnerability

With this recent MEGA security Vulnerability in most routers, how can one know if a particular router is secure from this?

Suppose ones router fails this test like from the GRC website (mine PASSED like the one from the print screen), then security experts say to buy a new router....But with that said, how can one know if that "new" router is secure or not? So how would one know when purchasing a new router will actually pass or fail this test?

One cannot just open up the box at a store and go to GRC to test it..:) if that router passes or fails....Hope you all understand what I mean here. So what routers are in fact vulnerable?

Is there like certain model/brands of routers to avoid when shopping for a new one? Is there a list?

»blogs.computerworld.com/ ··· hor-does

So my question would be this.

Now what if one did this test and comes up as FAIL, then most security experts say to replace the router. But how would one know which replacement router does not have this vulnerability when shopping for a new one?

Thanks

There's no vulnerability here, UPnP is a valid option in almost all (if not all) routers that you as the network administrator must decide to disable/enable.

Actually there IS a vulnerability ... MANY routers ship with UPnP enabled and active, unprotected, on the WAN INTERFACE. That's what was recently publicized, and that's what GRC's UPnP vulnerability test is checking for.

This was discussed in excruciating detail in the first hour of last week's SecurityNow podcast:

GRC | Security Now! Episode Archive 
»www.grc.com/securitynow.htm

Episode #389 | 30 Jan 2013 | 91 min.
Listener Feedback #159 & UPnP Exposure Disaster

Leo and I discuss the week's major security events—and the disastrous news of 81 million exposed vulnerable routers!

You can check before buying a router. It is those with a Broadcom chip that are vulnerable. Linksy has a list on their website of the vulnerable ones they make...all recent ones. My Linksy is too old and does not have a Broadcom chip. It is so old that third party firmware cannot be put on it as the flash memory is too small.

I have UPnP ENABLED on my Cisco WRVS4400N v2 and this is the result I got. So I'm guessing I'm okay in regards to this particular vulnerability?

Here is a list: »www.kb.cert.org/vuls/byv ··· hOrder=4

TH

said by Cisco.com :

---

The following Cisco bug IDs are being used to track potential exposure to the UPnP issues. The bugs listed below do not confirm that a product is vulnerable, but rather that the product is under investigation by the appropriate product teams.

PRODUCT: Cisco WRVS4400N Wireless-N Gigabit Security Router
BUG ID: CSCue21578

---

Since the WRVS4400N v1 is quite different than the WRVS400N v2, it's yet to be determined if either version is affected.

Um, why? I have UPnP disabled altogether (on router and all PC's). I consider UPnP (anywhere) to be a security risk.

That tool tests the WAN exposure. The LAN exposure has to be tested from the LAN. Rapid7 has a tool here »www.rapid7.com/resources ··· 2013.jsp be aware it requires JRE to be present.

If it's a security risk it's a risk I'm willing to take for additional compatibility with UPnP enabled services and devices.
I have yet to experience a single security issue with UPnP on my own private network at home, nor have I had any other complaints about UPnP and find it works rather well.
A corporate business environment is a different story. Please understand I'm not recommending other users to have it ENABLED. This is strictly my own personal preference on UPnP... and that is it.

Fair enough. I have firewall rules to restrict outgoing traffic (something many ignore). I really don't like the idea of some UPnP aware program (e.g. malware) poking holes in my firewall. Then again I'm paranoid

If you have a malware inside your LAN poking holes in firewall - it's too late to care about forwarding ports, don't you think?

And on the other hand. I think potential security problems, introduced by UPnP are greatly exaggerated. For any malware it's far easier to make a simple outbound connection, when it needs, than open new listening port in computer, then, using UPnP, open firewall in the router and forward port from WAN side to that infected computer. Why one would want to overcome all these extra troubles, if in majority of cases it can simply make that outbound connection, pretending it's checking for update to a new version...

And finally, we discussed this subject quite recently in this thread - Security Flaws in Universal Plug-n-Play: Unplug, Don't Play.

This article explains what kind of attacks can be mounted against UPNP.

»www.ethicalhacker.net/co ··· /220/24/

There is an attack scenario affecting some routers that only requires loading a malicious flash animation.

If the router's UPNP implementation accepts certain port forwarding configurations that it really shouldn't, it's possible to open the administration interface to the WAN, or turn the router effectively into a WAN proxy.

So my question is what would an average user do if the tests comes up as FAILED?
How would an average tech user know which router to get as a replacement that is not vulnerable to this?

I have UPNP DISABLED on the LAN side, but I cannot find in the config settings for UPNP on my WRVS4400N v2 router thats on the WAN side.
Now, I have Remote WAN Administration disabled, does that disable the UPNP on the WAN side?

Anyways, as you all can see from my print screen, I PASSED the test. But still, I cannot find the Enable/Disable setting for this on the WAN side.

There's no control for UPNP to the WAN because UPNP is never supposed to face the WAN deliberately. In cases where it is found to, it is the result of unintentional misimplementation in the firmware, and it's a huge defect and egregious security issue, as you understand.

If you go and reread the other thread »Security Flaws in Universal Plug-n-Play: Unplug, Don't Play you'll see that reiterated, repeatedly.

No. It is NOT an issue unless the router has a Broadcom chip. My router does not. linksy does not list any of the versions of my router as being vulnerable.GRC says is is vulnerable but I don't believe it is because it doesn't have the Broadcom chip in which the vulnerability is found. Read the discussion in the other thread. Read the Defense Code paper.

The Broadcom UPnP flaw that was discovered is NOT an issue with the chip themselves but with an implementation of UPnP made by Broadcom.

For example, Tomato firmware(which only works with Broadcom chips) is not vulnerable to the broadcom UPnP exploit as it uses a different library(miniupnpd).

Also see: »svn.dd-wrt.com/browser/s ··· c/upnp.c

Thank you. I realized that already but neglected to make that clear in my post. I had read that Tomato firmware use with a Broadcom chip was not vulnerable. It is, as you pointed out, the implementation of the UPnP made by Broadcom that allows the exploit.

There are layers of security issues.

- If UPNP is exposed to the external network (and the researchers found that many are), even if the UPNP implementation is not vulnerable to the stack overflow, remote code execution, denial of service, etc exploits that exist, that is still an insecure posture because a remote attacker could attempt to manipulate the router via UPNP requests.

- If, above and beyond that, the UPNP implementation is vulnerable to the many exploits that were discovered (and the researchers found that many of the WAN exposed implementations are), then you are really f*cked because a remote attacker may in the most severe case be able to execute arbitrary code on the router as a privileged user.

- It is not good enough if your router's UPNP implementation is not subject to the defects. Even in that case, it is also an insecure configuration if UPNP is exposed to the WAN. The essential weakness is that UPNP by and large, by design, accepts commands without authentication or authorization.

- The researchers even advise auditing LAN UPNP devices to determine the security impact so even that is potentially nonzero.

If I'm wrong about the above, show me why.

The one thing I wonder is, if someone's router is vulnerable, can that vulnerability be mitigated by forwarding wan port UDP 1900 to a non existent lan address, or to a non-listening port on a lan device?

Unfortunately, I don't have a vulnerable device to horse around with.