There are layers of security issues.
- If UPNP is exposed to the external network (and the researchers found that many are), even if the UPNP implementation is not vulnerable to the stack overflow, remote code execution, denial of service, etc. exploits that exist, that is still an insecure posture because a remote attacker could attempt to manipulate the router via UPNP requests.
- If, above and beyond that, the UPNP implementation is vulnerable to the many exploits that were discovered (and the researchers found that many of the WAN-exposed implementations are), then you are really f*cked because a remote attacker may in the most severe case be able to execute arbitrary code on the router as a privileged user.
- It is not good enough if your router's UPNP implementation is not subject to the defects. Even in that case, it is also an insecure configuration if UPNP is exposed to the WAN. The essential weakness is that UPNP by and large, by design, accepts commands without authentication or authorization.
- The researchers even advise auditing LAN UPNP devices to determine the security impact, so even that is potentially nonzero.
If I'm wrong about the above, show me why.

--
Scott Brown Consulting