dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
share rss forum feed

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Mangix

Re: UPNP Router Vulnerability

Thank you. I realized that already but neglected to make that clear in my post. I had read that Tomato firmware use with a Broadcom chip was not vulnerable. It is, as you pointed out, the implementation of the UPnP made by Broadcom that allows the exploit.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


sbconslt

join:2009-07-28
Los Angeles, CA

1 edit

2 recommendations

There are layers of security issues.

- If UPNP is exposed to the external network (and the researchers found that many are), even if the UPNP implementation is not vulnerable to the stack overflow, remote code execution, denial of service, etc exploits that exist, that is still an insecure posture because a remote attacker could attempt to manipulate the router via UPNP requests.

- If, above and beyond that, the UPNP implementation is vulnerable to the many exploits that were discovered (and the researchers found that many of the WAN exposed implementations are), then you are really f*cked because a remote attacker may in the most severe case be able to execute arbitrary code on the router as a privileged user.

- It is not good enough if your router's UPNP implementation is not subject to the defects. Even in that case, it is also an insecure configuration if UPNP is exposed to the WAN. The essential weakness is that UPNP by and large, by design, accepts commands without authentication or authorization.

- The researchers even advise auditing LAN UPNP devices to determine the security impact so even that is potentially nonzero.

If I'm wrong about the above, show me why.
--
Scott Brown Consulting