smrtech
join:2009-09-21
Springfield, PA

smrtech

Member

Common Router Security Flaw - You Want to Check This!

I don't use the M1424WR for my FIOS, but you may want
to check this quick test to see if you are exposing your
network to a UPnP implementation bug that
is incredibly common.

The bug is that UPnP is unnecessarily exposed on the WAN
side of the router, when it only really makes sense on the
LAN side. Hopefully the Actiontec doesn't have this issue,
but I'm curious, as many routers have this flaw. It should never
be available to negotiate on the WAN side, but it is on
many routers. Hope this isn't an issue with the Actiontec,
but if it is on any model, please report! Verizon will want
to know that. Hopefully not...

Here are the details about it:

There is an entire TechGuy Podcast about it that explains
the flaw. But a quick explanation can be found here:

»www.grc.com/su/UPnP-Exposed.htm

Steve Gibson, security expert, wrote this quick test.

Quick Test:

Click ShieldsUp!, then scroll down to "UPnP Exposure Test!",
then "Proceed", and run the UPnP Exposure Test.

»www.grc.com/intro.htm
knarf829
join:2007-06-02

knarf829

Member

MI-424WR Rev F. w/ Firmware 20.19.8
jcondon
join:2000-05-27
Fishkill, NY

jcondon

Member

I got the same response on my Actiontec MI424WR Rev F. I assume the same firmware as you, but I am not home to check.

There is also the WPS exploit, which the Actiontecs don't support either (so no worries there).

»www.grc.com/sn/sn-335.txt

Gary A
join:2008-03-02
Odessa, FL

Gary A to knarf829

Member

to knarf829
UPnP is turned off on my Actiontec, so I got the same "did not respond" result.

guppy_fish
Premium Member
join:2003-12-09
Palm Harbor, FL


guppy_fish to smrtech

Premium Member

to smrtech
This post belongs in the security forums, not FIOS.

Also, that page doesn't work right; it reports that my router at IP 10.1.1.1 is responding to UPnP ... lol (that is a non-routable IP and can't be accessed from the WAN).

The details say I'm on a Linux server at 192.168.0.1; nothing in my network uses that IP.

Complete waste of a test.
knarf829
join:2007-06-02


knarf829

Member

Yeah - what does Steve Gibson know about Internet security anyway?

As this is specifically about FiOS routers, it seems appropriate here. The flaw is router specific.
mikev
Premium Member
join:2002-05-04
Leesburg, VA
·Verizon FiOS
(Software) pfSense
Panasonic KX-TGP600


mikev to smrtech

Premium Member

to smrtech
I ran this test last night with UPnP both off and on... both times it said I was not vulnerable, so it seems that the Rev I router with the latest firmware has UPnP set up properly, with no visibility on the WAN side.

For the record, I leave UPnP off anyway.
knarf829
join:2007-06-02


knarf829

Member

This has nothing to do with the LAN UPnP setting in the router. It's a bug, not a setting, that opens WAN UPnP to the outside world in some routers.

(EDIT TO CORRECT: Yes, turning LAN UPnP off will apparently disable the WAN bug if you have it. I didn't mean to leave the impression it wouldn't.)
Zifnab
join:2008-03-30
Pittsburgh, PA

Zifnab to smrtech

Member

to smrtech
Verizon is saying that they've tested 'the majority' of their customer CPE and none of them have this flaw. Not sure what constitutes majority, but I know at least the Actiontecs and Westells are unaffected.
nyrrule27
join:2007-12-06
Howell, NJ

nyrrule27 to smrtech

Member

to smrtech
"Verizon is aware of a recently-announced vulnerability that may potentially affect certain versions of the Universal Plug-and-Play software on a variety of devices such as Home Routers, Modems, and Gateways that use this feature.

Verizon investigated a wide range of equipment, which covers the vast majority of our FiOS and DSL customers. None of the devices investigated were identified as being vulnerable. Verizon will continue its investigation to ensure all potentially vulnerable devices are identified.

Additional customer information is available to the customer at www.verizon.com/virushelp. Verizon will update this website with additional information as it becomes available."

birdfeedr
MVM
join:2001-08-11
Warwick, RI

birdfeedr to guppy_fish

MVM

to guppy_fish
said by guppy_fish:

Also, that page doesn't work right; it reports that my router at IP 10.1.1.1 is responding to UPnP ... lol (that is a non-routable IP and can't be accessed from the WAN).
The details say I'm on a Linux server at 192.168.0.1; nothing in my network uses that IP.

Did you click this link, which is an example of exposed UPnP vulnerability result? »www.grc.com/su/UPnP-Exposed.htm

or did you click this link, then click Services/ShieldsUP!, then run the UPnP test? »www.grc.com/intro.htm

The first link displays example results exactly like you reported. Use the second link. Your Actiontec primary router will not show the vulnerability. DD-WRT on my Asus doesn't either.

Also, some broadband system routers using PPPoE present non-routable WAN addresses because they are aggregated further upstream (if I'm using the correct terminology). Do FiOS MDU ONTs using VDSL do this? Maybe.
knarf829
join:2007-06-02

knarf829

Member

said by birdfeedr:

said by guppy_fish:

Also, that page doesn't work right; it reports that my router at IP 10.1.1.1 is responding to UPnP ... lol (that is a non-routable IP and can't be accessed from the WAN).
The details say I'm on a Linux server at 192.168.0.1; nothing in my network uses that IP.

Did you click this link, which is an example of exposed UPnP vulnerability result? »www.grc.com/su/UPnP-Exposed.htm

or did you click this link, then click Services/ShieldsUP!, then run the UPnP test? »www.grc.com/intro.htm


guppy_fish
Premium Member
join:2003-12-09
Palm Harbor, FL

guppy_fish to smrtech

Premium Member

to smrtech
I clicked the link in the OP's post.

Just did the other one; had to find the other test via the menu ... it's no issue ...

As I said, this is a security forum topic, nothing to do with FIOS.
mikev
Premium Member
join:2002-05-04
Leesburg, VA
·Verizon FiOS
(Software) pfSense
Panasonic KX-TGP600

mikev to birdfeedr

Premium Member

to birdfeedr
said by birdfeedr:

Do FiOS MDU ONTs using VDSL do this? Maybe.

Nope. I'm on one... My router has its own public WAN address. Also, I don't use PPPoE... My modem provides an ethernet connection that the router plugs into. The router just uses DHCP to get its IP address, no PPPoE.

Dream Killer
Graveyard Shift
Premium Member
join:2002-08-09
Forest Hills, NY


Dream Killer to smrtech

Premium Member

to smrtech
If the router has the UPnP flaw, just explicitly block UDP port 1900 and TCP port 5000 through the firewall.

For FiOS MI424wr:

Go to Firewall Settings on the top bar, then to "Advanced filtering". In the "Inbound" area (the top table), click "Add" to the right of Broadband Connection. It's either Ethernet or Coax; choose whichever your internet is hooked up to.

Click the "Protocol" drop-down and pick "User Defined". Add server ports: "protocol" is UDP, "source" is "Any" and destination is single range port 1500. Click apply and repeat the previous step for TCP 5000. Name the service something (I call it "Upnp-flaw"), then click apply.

It should bring you back to the "Add Advanced Filter" page. Make sure operation is "Drop Packets" then click Apply. Your page should now look like this:

[screenshot: UPNP Filter]
Just to demonstrate that it works, I enabled logging for the rule and ran the test again at GRC. Here's what I got after two passed tests:

[screenshot: It works!]

I looked up who that packet belonged to and it did originate from the GRC test:

[screenshot: Blocked packet belongs to GRC.]

This rule should be added if you use UPnP. It will only drop the packets coming in from the WAN side and will have no effect on the normal use of UPnP.
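As an added example (not code from the thread or from the router vendor), a small Python audit of a router's firewall log that checks the rule above did what the post says: WAN-side hits on UDP 1900 / TCP 5000 were dropped, nothing to those ports slipped through from the WAN, and LAN-side SSDP was still accepted. The log layout and the sample lines are constructed assumptions, not the MI424WR's real log format.

```python
import re
from collections import Counter

# Ports the post's "Upnp-flaw" rule drops on the broadband (WAN) interface.
UPNP_PORTS = {("UDP", 1900), ("TCP", 5000)}

# Constructed sample lines in an assumed syslog-like layout (NOT the MI424WR's
# real log format). Addresses are RFC 5737 documentation ranges / private LAN.
SAMPLE_LOG = """\
Jan 29 21:03:11 router fw: Upnp-flaw DROP IN=WAN SRC=192.0.2.10 DST=198.51.100.23 PROTO=UDP SPT=41823 DPT=1900
Jan 29 21:03:11 router fw: Upnp-flaw DROP IN=WAN SRC=192.0.2.10 DST=198.51.100.23 PROTO=TCP SPT=41824 DPT=5000
Jan 29 21:03:15 router fw: default ACCEPT IN=LAN SRC=192.168.1.20 DST=239.255.255.250 PROTO=UDP SPT=50000 DPT=1900
Jan 29 21:04:02 router fw: Upnp-flaw DROP IN=WAN SRC=203.0.113.7 DST=198.51.100.23 PROTO=UDP SPT=5555 DPT=1900
Jan 29 21:04:09 router fw: default ACCEPT IN=WAN SRC=203.0.113.7 DST=198.51.100.23 PROTO=TCP SPT=5556 DPT=5000
"""

LINE_RE = re.compile(
    r"(?P<rule>\S+) (?P<action>DROP|ACCEPT) IN=(?P<iface>\w+) SRC=(?P<src>[\d.]+) "
    r"DST=[\d.]+ PROTO=(?P<proto>TCP|UDP) SPT=\d+ DPT=(?P<dport>\d+)"
)


def parse_events(log_text):
    """Yield (iface, src, proto, dport, action) for every line the regex understands."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["iface"], m["src"], m["proto"], int(m["dport"]), m["action"]


def audit_upnp_filter(log_text):
    """Summarise how the WAN UPnP filter behaved.

    dropped: Counter of WAN sources whose UPnP-port packets were dropped
    leaked:  WAN-side packets to UPnP ports that were ACCEPTED (rule missing or ordered wrong)
    lan_ok:  True if LAN-side SSDP (UDP 1900) was still accepted, i.e. the rule left LAN UPnP alone
    """
    dropped, leaked, lan_ok = Counter(), [], False
    for iface, src, proto, dport, action in parse_events(log_text):
        if (proto, dport) not in UPNP_PORTS:
            continue  # unrelated traffic
        if iface == "WAN":
            if action == "DROP":
                dropped[src] += 1
            else:
                leaked.append((src, proto, dport))
        elif action == "ACCEPT":
            lan_ok = True
    return {"dropped": dropped, "leaked": leaked, "lan_ok": lan_ok}


if __name__ == "__main__":
    print(audit_upnp_filter(SAMPLE_LOG))
```

A non-empty `leaked` list means a WAN-side packet reached a UPnP port despite the filter, which is exactly the condition the GRC test would flag.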