smrtech join:2009-09-21 Springfield, PA
Member
2013-Feb-12 11:14 am
Common Router Security Flaw - You Want to Check This!
I don't use the M1424WR for my FIOS, but you may want to run this quick test to see if you are exposing your network to a common UPnP implementation bug that is incredibly common. The bug is that UPnP is unnecessarily exposed on the WAN side of the router, when it only really makes sense on the LAN side. Hopefully the Actiontec doesn't have this issue, but I'm curious, as many routers have this flaw. It should never be available to negotiate on the WAN side, but it is on many routers. Hope this isn't an issue with the ActionTec, but if it is on any model, please report! Verizon will want to know that. Hopefully not... Here are the details about it: There is an entire TechGuy Podcast about it that explains the flaw, but a quick explanation can be found here: » www.grc.com/su/UPnP-Exposed.htm
Steve Gibson, security expert, wrote this quick test. Quick Test: Click ShieldsUp!, then scroll down to "UPnP Exposure Test!" and then "Proceed"; you want to run the UPnP Exposure Test: » www.grc.com/intro.htm
MI-424WR Rev F. w/ Firmware 20.19.8
jcondon
Member
2013-Feb-12 11:49 am
I got the same response on my Actiontec MI424WR Rev F. I assume the same firmware as you, but I am not home to check. There is also the WPS exploit, which the Actiontecs don't support either (so no worries there). » www.grc.com/sn/sn-335.txt
Gary A join:2008-03-02 Odessa, FL
to knarf829
UPnP is turned off on my Actiontec, so I got the same "did not respond" result.
guppy_fish Premium Member join:2003-12-09 Palm Harbor, FL
to smrtech
This post belongs in the security forums, not FIOS.
Also, that page doesn't work right: it reports my router at IP 10.1.1.1 is responding to UPnP ... lol (it is a non-routable IP and can't be accessed from the WAN).
The details say I'm on a Linux server that is at 192.168.0.1; nothing in my network uses that IP.
Complete waste of a test.

1 edit
Yeah - what does Steve Gibson know about Internet security anyway?
As this is specifically about FiOS routers, it seems appropriate here. The flaw is router specific.
mikev Premium Member join:2002-05-04 Leesburg, VA ·Verizon FiOS (Software) pfSense Panasonic KX-TGP600
1 recommendation
to smrtech
I ran this test last night with UPnP both off and on... both times it said I was not vulnerable, so it seems that the Rev I router with the latest firmware has UPnP set up properly, with no visibility on the WAN side.
For the record, I leave UPnP off anyway.
1 edit
1 recommendation
This has nothing to do with the LAN UPnP setting in the router. It's a bug, not a setting, that opens WAN UPnP to the outside world in some routers.
(EDIT TO CORRECT: Yes, turning LAN UPnP off will apparently disable the WAN bug if you have it - didn't mean to leave the impression it wouldn't)
Zifnab join:2008-03-30 Pittsburgh, PA
to smrtech
Verizon is saying that they've tested 'the majority' of their customer CPE and none of them have this flaw. Not sure what constitutes a majority, but I know at least the Actiontecs and Westells are unaffected.
to smrtech
"Verizon is aware of a recently-announced vulnerability that may potentially affect certain versions of the Universal Plug-and-Play software on a variety of devices such as Home Routers, Modems, and Gateways that use this feature.
Verizon investigated a wide range of equipment, which covers the vast majority of our FiOS and DSL customers. None of the devices investigated were identified as being vulnerable. Verizon will continue its investigation to ensure all potentially vulnerable devices are identified.
Additional customer information is available to the customer at www.verizon.com/virushelp. Verizon will update this website with additional information as it becomes available."
to guppy_fish
said by guppy_fish:
Also, that page doesn't work right: it reports my router at IP 10.1.1.1 is responding to UPnP ... lol (it is a non-routable IP and can't be accessed from the WAN). The details say I'm on a Linux server that is at 192.168.0.1; nothing in my network uses that IP.
Did you click this link, which is an example of an exposed UPnP vulnerability result? » www.grc.com/su/UPnP-Exposed.htm
Or did you click this link, then click Services/ShieldsUP!, then run the UPnP test? » www.grc.com/intro.htm
The first link displays example results exactly like you reported. Use the second link. Your Actiontec primary router will not show the vulnerability. DD-WRT on my Asus doesn't either. Also, some broadband system routers using PPPoE present non-routable WAN addresses because they are aggregated further upstream (if I'm using the correct terminology). Do FiOS MDU ONTs using VDSL do this? Maybe.
said by birdfeedr:
said by guppy_fish:
Also, that page doesn't work right: it reports my router at IP 10.1.1.1 is responding to UPnP ... lol (it is a non-routable IP and can't be accessed from the WAN). The details say I'm on a Linux server that is at 192.168.0.1; nothing in my network uses that IP.
Did you click this link, which is an example of an exposed UPnP vulnerability result? » www.grc.com/su/UPnP-Exposed.htm
Or did you click this link, then click Services/ShieldsUP!, then run the UPnP test? » www.grc.com/intro.htm
guppy_fish Premium Member join:2003-12-09 Palm Harbor, FL
to smrtech
I clicked the link in the OP's post. Just did the other one; had to find the other test via the menu, to find ... it's no issue ... As I said, this is a security forum topic, nothing to do with FIOS.
mikev Premium Member join:2002-05-04 Leesburg, VA ·Verizon FiOS (Software) pfSense Panasonic KX-TGP600
to birdfeedr
said by birdfeedr:
Do FiOS MDU ONTs using VDSL do this? Maybe.
Nope. I'm on one... My router has its own public WAN address. Also, I don't use PPPoE... My modem provides an Ethernet connection that the router plugs into. The router just uses DHCP to get its IP address, no PPPoE.
Dream Killer Graveyard Shift Premium Member join:2002-08-09 Forest Hills, NY
to smrtech
If the router has the UPnP flaw, just explicitly block UDP port 1900 and TCP port 5000 through the firewall. For the FiOS MI424WR:
Go to Firewall Settings on the top bar, then to "Advanced Filtering".
In the "Inbound" area (the top table), click "Add" to the right of Broadband Connection. It's either Ethernet or Coax; choose whichever your internet is hooked up to.
Click the drop-down "Protocol" and pick "User Defined".
Add server ports: "protocol" is UDP, "source" is "Any" and destination is single range port 1500. Click Apply and repeat the previous step for TCP 5000.
Name the service something (I call it "Upnp-flaw"), then click Apply. It should bring you back to the "Add Advanced Filter" page.
Make sure Operation is "Drop Packets", then click Apply.
Your page should now look like this: UPNP Filter
Just to demonstrate that it works, I enabled logging for the rule and ran the test again at GRC. Here's what I got after two passed tests: It works!
I looked up who that packet belonged to and it did originate from the GRC test: Blocked packet belongs to GRC.
This rule should be added if you use UPnP. It will only drop the packets coming in from the WAN side and will have no effects on the normal use of UPnP.
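As an added example (not from this thread, from GRC, or from Actiontec), here is a Python self-check that does at the protocol level what the GRC "UPnP Exposure Test" described in the first post does: it sends one SSDP M-SEARCH datagram to UDP/1900 on an address and reports whether anything answers. Run it from outside your own network against your own public address, before and after adding the drop rule above; "did not respond" is the outcome the thread is looking for. It also parses the LOCATION header of any reply, because a device that answers may advertise a private-range LAN address there, which is one way a result like the 10.1.1.1 example discussed earlier can come about. The sample response, the SampleUPnP server string and the address you pass on the command line are constructed or assumed; the script sends nothing unless you give it a host.

```python
"""SSDP (UPnP discovery) exposure self-check for a router you own.

Added example; mimics the GRC UPnP Exposure Test: one M-SEARCH to UDP/1900,
then see whether the probed address answers. Silence (or ICMP unreachable)
is the thread's "did not respond"; a 200 OK means discovery is reachable
from wherever you ran the probe.
"""
import ipaddress
import socket
import sys
from typing import Optional
from urllib.parse import urlsplit

SSDP_PORT = 1900
SSDP_MCAST = "239.255.255.250"   # UPnP multicast group named in the HOST header


def build_msearch(target: str = "upnp:rootdevice", mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request (HTTP-style headers over UDP, CRLF terminated)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MCAST}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[dict]:
    """Return {lower-case header name: value} for an HTTP/1.x 200 OK reply, else None."""
    head, _, _body = raw.decode("utf-8", errors="replace").partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("HTTP/") or status[1] != "200":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def location_host_is_private(headers: dict) -> Optional[bool]:
    """True if LOCATION points at an RFC 1918/loopback address; None if absent or not an IP."""
    loc = headers.get("location")
    if not loc:
        return None
    try:
        return ipaddress.ip_address(urlsplit(loc).hostname).is_private
    except ValueError:
        return None


def assess(raw: Optional[bytes]) -> str:
    """Translate a probe result into the thread's vocabulary."""
    if raw is None:
        return "did not respond"          # dropped or filtered: the desired WAN-side result
    headers = parse_ssdp_response(raw)
    if headers is None:
        return "responded, but not with a valid SSDP 200 OK"
    return "EXPOSED: UPnP discovery answered (SERVER={!r}, LOCATION={!r})".format(
        headers.get("server"), headers.get("location"))


def probe(host: str, port: int = SSDP_PORT, timeout: float = 3.0) -> Optional[bytes]:
    """Send one M-SEARCH to host:port; return the first datagram, or None on timeout/unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (host, port))
        try:
            data, _peer = sock.recvfrom(65535)
        except (socket.timeout, ConnectionRefusedError):   # ICMP port unreachable surfaces as refused
            return None
    return data


# Constructed sample of what an answering device's reply looks like; not a real capture.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://10.1.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 SampleUPnP/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Run from OUTSIDE your network (e.g. a phone hotspot) against your own public IP.
        print(assess(probe(sys.argv[1])))
    else:
        print(assess(SAMPLE_RESPONSE))   # offline demonstration on the constructed reply
        print(assess(None))
```

Run it with no argument to see both outcomes on the constructed data; with your own public address as the argument it performs the real probe. A "did not respond" result from outside confirms the inbound drop rule (or a correctly scoped UPnP implementation) is doing its job, while LAN-side probes will still get answers, matching the post's point that the rule leaves normal UPnP use unaffected.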