StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Dustyn

Re: UPNP Router Vulnerability

said by Dustyn:

If it's a security risk it's a risk I'm willing to take for additional compatibility with UPnP enabled services and devices.

Fair enough. I have firewall rules to restrict outgoing traffic (something many ignore). I really don't like the idea of some UPnP aware program (e.g. malware) poking holes in my firewall. Then again, I'm paranoid.
--
Don't feed trolls--it only makes them grow!

OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

said by StuartMW:

I really don't like the idea of some UPnP aware program (e.g. malware) poking holes in my firewall. Then again I'm paranoid

If you have malware inside your LAN poking holes in the firewall, it's too late to care about forwarding ports, don't you think?

And on the other hand, I think the potential security problems introduced by UPnP are greatly exaggerated. For any malware it's far easier to make a simple outbound connection when it needs to than to open a new listening port on the computer, then, using UPnP, open the firewall in the router and forward a port from the WAN side to that infected computer. Why would one want to go through all this extra trouble, if in the majority of cases it can simply make that outbound connection, pretending it's checking for an update to a new version...

And finally, we discussed this subject quite recently in this thread - Security Flaws in Universal Plug-n-Play: Unplug, Don't Play.
--
Keep it simple, it'll become complex by itself...


sbconslt

join:2009-07-28
Los Angeles, CA

1 recommendation

This article explains what kind of attacks can be mounted against UPNP.

»www.ethicalhacker.net/content/view/220/24/

There is an attack scenario affecting some routers that only requires loading a malicious flash animation.

If the router's UPNP implementation accepts certain port forwarding configurations that it really shouldn't, it's possible to open the administration interface to the WAN, or turn the router effectively into a WAN proxy.
--
Scott Brown Consulting
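The two failure modes named in the post above (a mapping whose target is the router's own address exposes the administration interface; a mapping whose target is outside the LAN turns the router into a WAN proxy) are both decided by how the UPnP daemon validates an AddPortMapping request before it touches the firewall. The following is an added example written for this thread, not code from any router firmware or from the linked article. The argument names (NewInternalClient, NewInternalPort, NewExternalPort, NewProtocol) are the WANIPConnection AddPortMapping arguments; the LAN subnet, the router addresses and the policy itself are constructed for the illustration. The "client may only map ports to itself" rule mirrors what miniupnpd exposes as its secure_mode setting.

```python
"""Validate UPnP IGD AddPortMapping requests before touching the firewall.

Added example for this thread, not taken from any router's firmware.
The checks encode what a hardened UPnP daemon should refuse: forwarding
to the router itself, forwarding to hosts outside the LAN, and requests
that did not arrive from the LAN in the first place.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology for the example (not a real device).
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")
ROUTER_ADDRESSES = {
    ipaddress.ip_address("192.168.1.1"),  # LAN side; the admin UI lives here
    ipaddress.ip_address("203.0.113.7"),  # WAN side (TEST-NET-3 documentation range)
}


@dataclass
class Verdict:
    accepted: bool
    reason: str


def validate_add_port_mapping(args: dict, requester_ip: str,
                              lan_network=LAN_NETWORK,
                              router_addresses=ROUTER_ADDRESSES,
                              secure_mode: bool = True) -> Verdict:
    """Decide whether an AddPortMapping request may be applied.

    args is the SOAP argument set as a dict of strings. requester_ip is the
    source address the SOAP request arrived from.
    """
    try:
        requester = ipaddress.ip_address(requester_ip)
        internal_client = ipaddress.ip_address(args["NewInternalClient"])
        internal_port = int(args["NewInternalPort"])
        external_port = int(args["NewExternalPort"])
        protocol = args["NewProtocol"].upper()
    except (KeyError, ValueError) as exc:
        return Verdict(False, f"malformed request: {exc}")

    # Control requests are only meaningful from the LAN. A request arriving
    # on the WAN side means the daemon is exposed where it should never be.
    if requester not in lan_network:
        return Verdict(False, "request did not arrive from the LAN")

    if protocol not in ("TCP", "UDP"):
        return Verdict(False, f"unsupported protocol {protocol!r}")
    if not (1 <= internal_port <= 65535 and 1 <= external_port <= 65535):
        return Verdict(False, "port out of range")

    # Forwarding to any of the router's own addresses exposes its management
    # services (web admin UI, telnet, SSH) to the WAN.
    if internal_client in router_addresses:
        return Verdict(False, "internal client is the router itself")

    # A target outside the LAN makes the router relay WAN traffic to a third
    # party: the "WAN proxy" case.
    if internal_client not in lan_network:
        return Verdict(False, "internal client is not on the LAN")

    # Secure mode: a host may only request mappings that point at itself, so
    # one compromised LAN host cannot open ports towards its neighbours.
    if secure_mode and internal_client != requester:
        return Verdict(False, "secure mode: client may only map ports to itself")

    return Verdict(True, "accepted")


if __name__ == "__main__":
    # Constructed request: a LAN host asking to expose its own TCP/6881.
    request = {
        "NewRemoteHost": "", "NewExternalPort": "6881", "NewProtocol": "TCP",
        "NewInternalPort": "6881", "NewInternalClient": "192.168.1.50",
        "NewEnabled": "1", "NewPortMappingDescription": "example",
        "NewLeaseDuration": "0",
    }
    print(validate_add_port_mapping(request, "192.168.1.50"))
    print(validate_add_port_mapping(dict(request, NewInternalClient="192.168.1.1",
                                         NewInternalPort="80"), "192.168.1.50"))
```

The order of the checks matters: the origin of the request is tested before anything about its contents, because a daemon that is reachable from the WAN at all is already the problem the later posts in this thread describe, whatever the mapping asks for.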

scottp99

join:2010-12-11

1 edit
So my question is what would an average user do if the test comes up as FAILED?
How would an average tech user know which router to get as a replacement that is not vulnerable to this?

I have UPNP DISABLED on the LAN side, but I cannot find the config setting for UPNP on my WRVS4400N v2 router that's on the WAN side.
Now, I have Remote WAN Administration disabled, does that disable the UPNP on the WAN side?

Anyways, as you all can see from my print screen, I PASSED the test. But still, I cannot find the Enable/Disable setting for this on the WAN side.


sbconslt

join:2009-07-28
Los Angeles, CA

1 recommendation

There's no control for UPNP to the WAN because UPNP is never supposed to face the WAN deliberately. In cases where it is found to, it is the result of unintentional misimplementation in the firmware, and it's a huge defect and egregious security issue, as you understand.

If you go and reread the other thread »Security Flaws in Universal Plug-n-Play: Unplug, Don't Play you'll see that reiterated, repeatedly.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
said by sbconslt:

There's no control for UPNP to the WAN because UPNP is never supposed to face the WAN deliberately. In cases where it is found to, it is the result of unintentional misimplementation in the firmware, and it's a huge defect and egregious security issue, as you understand.

If you go and reread the other thread »Security Flaws in Universal Plug-n-Play: Unplug, Don't Play you'll see that reiterated, repeatedly.

No. It is NOT an issue unless the router has a Broadcom chip. My router does not. Linksys does not list any of the versions of my router as being vulnerable. GRC says it is vulnerable but I don't believe it is because it doesn't have the Broadcom chip in which the vulnerability is found. Read the discussion in the other thread. Read the Defense Code paper.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Mangix

join:2012-02-16
United States

1 recommendation

The Broadcom UPnP flaw that was discovered is NOT an issue with the chips themselves but with an implementation of UPnP made by Broadcom.

For example, Tomato firmware (which only works with Broadcom chips) is not vulnerable to the Broadcom UPnP exploit as it uses a different library (miniupnpd).

Also see: »svn.dd-wrt.com/browser/src/route···c/upnp.c

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
Thank you. I realized that already but neglected to make that clear in my post. I had read that Tomato firmware used with a Broadcom chip was not vulnerable. It is, as you pointed out, the implementation of UPnP made by Broadcom that allows the exploit.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


sbconslt

join:2009-07-28
Los Angeles, CA

1 edit

2 recommendations

There are layers of security issues.

- If UPNP is exposed to the external network (and the researchers found that many are), even if the UPNP implementation is not vulnerable to the stack overflow, remote code execution, denial of service, etc. exploits that exist, that is still an insecure posture because a remote attacker could attempt to manipulate the router via UPNP requests.

- If, above and beyond that, the UPNP implementation is vulnerable to the many exploits that were discovered (and the researchers found that many of the WAN exposed implementations are), then you are really f*cked because a remote attacker may in the most severe case be able to execute arbitrary code on the router as a privileged user.

- It is not good enough if your router's UPNP implementation is not subject to the defects. Even in that case, it is also an insecure configuration if UPNP is exposed to the WAN. The essential weakness is that UPNP by and large, by design, accepts commands without authentication or authorization.

- The researchers even advise auditing LAN UPNP devices to determine the security impact, so even that is potentially nonzero.

If I'm wrong about the above, show me why.
--
Scott Brown Consulting
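The first and third points above reduce to one observable fact: a router that answers UPnP discovery on its WAN address is misconfigured regardless of whether its UPnP stack carries the Broadcom defect, because the control interface behind it takes commands without authentication. The block below is an added example for this thread, not code from GRC, from the researchers or from any vendor; it shows how such a self-check is put together. The SSDP M-SEARCH request over UDP/1900 and the LOCATION, SERVER, ST and USN headers are defined by the UPnP Device Architecture; the sample reply and the wording of the findings are constructed here. probe() is meant to be pointed at a router you administer, typically your own public address from an outside host, and the test exercises only the offline parsing and assessment.

```python
"""Check whether a router answers UPnP discovery (SSDP) on a given address.

Added example for this thread, not code from GRC or any router vendor.
Only the request format and response headers come from the UPnP Device
Architecture; the sample reply below is constructed, not captured.
"""
import ipaddress
import socket
from typing import Optional
from urllib.parse import urlsplit

SSDP_PORT = 1900


def build_msearch(st: str = "upnp:rootdevice", mx: int = 2) -> bytes:
    """SSDP M-SEARCH request. HOST carries the multicast group by
    convention even when the datagram is sent unicast to one address."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[dict]:
    """Parse an SSDP '200 OK' into an upper-cased header dict.

    Returns None for anything that is not a 200 response."""
    text = raw.decode("latin-1", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def assess(raw: Optional[bytes], probed_from_wan: bool) -> dict:
    """Turn a probe result into findings. For a WAN-side probe, silence is
    the desired outcome; any answer at all is a finding."""
    headers = parse_ssdp_response(raw) if raw else None
    if headers is None:
        return {"responds": False, "findings": []}
    findings = []
    if probed_from_wan:
        findings.append("UPnP discovery answers on the WAN side; the control "
                        "interface takes unauthenticated commands, so this is "
                        "insecure even with a patched UPnP stack")
    location = headers.get("LOCATION", "")
    host = urlsplit(location).hostname
    try:
        # The description URL normally points at the LAN address, so a WAN
        # responder also leaks internal addressing.
        if host and ipaddress.ip_address(host).is_private:
            findings.append(f"description URL leaks internal address {host}")
    except ValueError:
        pass  # hostname rather than a literal address
    return {"responds": True, "server": headers.get("SERVER", ""),
            "location": location, "findings": findings}


def probe(address: str, timeout: float = 3.0) -> Optional[bytes]:
    """Send one M-SEARCH to address:1900 and return the raw reply, if any.
    Use only against a router you administer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (address, SSDP_PORT))
        try:
            data, _ = sock.recvfrom(4096)
            return data
        except socket.timeout:
            return None


# Constructed sample reply shaped like a typical IGD answer (not captured
# from a real device; SERVER string and UUID are placeholders).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleIGD/0.1\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_REPLY, probed_from_wan=True))
```

The same parser serves a LAN-side run: pass probed_from_wan=False and the only finding left is the leaked internal address, which is expected there. The assessment never consults the SERVER banner to decide anything; the point of the thread is that exposure on the WAN is the defect, not the version string.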