Security → Re: UPNP Router Vulnerability

The Broadcom UPnP flaw that was discovered is NOT an issue with the chip themselves but with an implementation of UPnP made by Broadcom.

For example, Tomato firmware(which only works with Broadcom chips) is not vulnerable to the broadcom UPnP exploit as it uses a different library(miniupnpd).

Also see: »svn.dd-wrt.com/browser/s ··· c/upnp.c

Thank you. I realized that already but neglected to make that clear in my post. I had read that Tomato firmware use with a Broadcom chip was not vulnerable. It is, as you pointed out, the implementation of the UPnP made by Broadcom that allows the exploit.

There are layers of security issues.

- If UPNP is exposed to the external network (and the researchers found that many are), even if the UPNP implementation is not vulnerable to the stack overflow, remote code execution, denial of service, etc exploits that exist, that is still an insecure posture because a remote attacker could attempt to manipulate the router via UPNP requests.

- If, above and beyond that, the UPNP implementation is vulnerable to the many exploits that were discovered (and the researchers found that many of the WAN exposed implementations are), then you are really f*cked because a remote attacker may in the most severe case be able to execute arbitrary code on the router as a privileged user.

- It is not good enough if your router's UPNP implementation is not subject to the defects. Even in that case, it is also an insecure configuration if UPNP is exposed to the WAN. The essential weakness is that UPNP by and large, by design, accepts commands without authentication or authorization.

- The researchers even advise auditing LAN UPNP devices to determine the security impact so even that is potentially nonzero.

If I'm wrong about the above, show me why.