Topic 'Common Router Security Flaw - You Want to Check This!' in forum 'Verizon Fiber Optics' - dslreports.com

Re: Common Router Security Flaw - You Want to Check This!

Wed, 13 Feb 2013 22:43:23 EDT

Dream Killer posted : If the router has the UPNP flaw, just explicitly block UDP Port 1900 and TCP Port 5000 through the firewall.

For FiOS MI424wr:

Go to Firewall Settings on the top bar then to "Advanced filtering". On the "Inbound" area (the top table), click "Add" to the right of Broadband Connection. It's either Ethernet or Coax, choose whichever your internet is hooked up to.

Click the drop down "Protocol", and pick on "User Defined". Add server ports, "protocol" is UDP, "source" is "Any" and destination is single range port 1500. Click apply and repeat the previous step for TCP 5000. Name the service something, I call it "Upnp-flaw", then click apply.

It should bring you back to the "Add Advanced Filter" page. Make sure operation is "Drop Packets" then click Apply. Your page should now look like this:

[att=1]

Just to demonstrate that it works, I enabled logging for the rule and ran the test again at GRC. Here's what I got after two passed tests:

[att=2]

I looked up who that packet belonged to and it did originate from the GRC test:

[att=3]

This rule should be added if you use UPnP. It will only drop the packets coming in from the WAN side and will have no effects on the normal use of UPnP.

UPNP Filter
It works!
Blocked packet belongs to GRC.

Re: Common Router Security Flaw - You Want to Check This!

Wed, 13 Feb 2013 22:33:44 EDT

mikev posted :

said by birdfeedr:

Does FiOS MDU ONTs using VDSL do this? Maybe.

Nope. I'm on one... My router has its own public WAN address. Also, I don't use PPPoE... My modem provides an ethernet connection that the router plugs into. The router just uses DHCP to get its IP address, no PPPoE.

Re: Common Router Security Flaw - You Want to Check This!

Wed, 13 Feb 2013 21:59:35 EDT

guppy_fish posted : I click the link in the OP's post :uhh:

Just did the other one, had to find via the menu the other test, to find ... its no issue ...

As I said, this is a security forum topic, nothing to do with FIOS

Re: Common Router Security Flaw - You Want to Check This!

Wed, 13 Feb 2013 21:48:52 EDT

knarf829 posted :

said by birdfeedr:

said by guppy_fish:

Also that page doesn't work right, it reports my router at IP 10.1.1.1 is responding to UPNP ... lol ( is a non routeable IP and can't be accessed from the WAN )
The details say I'm on a linux server that is at 192.168.0.1 , nothing in my network uses that IP

;)

Re: Common Router Security Flaw - You Want to Check This!

Wed, 13 Feb 2013 21:09:12 EDT

birdfeedr posted :

said by guppy_fish:

Did you click this link, which is an example of exposed UPnP vulnerability result? »www.grc.com/su/UPnP-Exposed.htm

or did you click this link, then click Services/ShieldsUP!, then run the UPnP test? »www.grc.com/intro.htm

The first link displays example results exactly like you reported. Use the second link. Your Actiontec primary router will not show the vulnerability. DD-WRT on my Asus doesn't either.

Also, some broadband system routers using PPPoE present non-routable WAN addresses because they are aggregated further upstream (if I'm using the correct terminology). Does FiOS MDU ONTs using VDSL do this? Maybe.

Re: Common Router Security Flaw - You Want to Check This!

Wed, 13 Feb 2013 18:57:21 EDT

nyrrule27 posted : "Verizon is aware of a recently-announced vulnerability that may potentially affect certain versions of the Universal Plug-and-Play software on a variety of devices such as Home Routers, Modems, and Gateways that use this feature.

Verizon investigated a wide range of equipment, which covers the vast majority of our FiOS and DSL customers. None of the devices investigated were identified as being vulnerable. Verizon will continue its investigation to ensure all potentially vulnerable devices are identified.

Additional customer information is available to the customer at www.verizon.com/virushelp. Verizon will update this website with additional information as it becomes available."

Re: Common Router Security Flaw - You Want to Check This!

Wed, 13 Feb 2013 18:21:16 EDT

Zifnab posted : Verizon is saying that they've tested 'the majority' of their customer CPE and none of them have this flaw. Not sure what constitutes majority, but I know at least the Actiontecs and Westells are unaffected.

Re: Common Router Security Flaw - You Want to Check This!

Wed, 13 Feb 2013 13:08:25 EDT

knarf829 posted : This has nothing to do with the LAN UPnP setting in the router. It's a bug, not a setting, that opens WAN UPnP to the outside world in some routers.

(EDIT TO CORRECT: Yes, turning LAN UPnP off will apparently disable the WAN bug if you have it - didn't mean to leave the impression it wouldn't)

Re: Common Router Security Flaw - You Want to Check This!

Wed, 13 Feb 2013 13:04:40 EDT

mikev posted : I ran this test last night with UPnP both off and on... both times it said I was not vulnerable, so it seems that the Rev I router with the latest firmware has UPnP set up properly, with no visibility on the WAN side.

For the record, I leave UPnP off anyway.

Re: Common Router Security Flaw - You Want to Check This!

Wed, 13 Feb 2013 13:04:37 EDT

knarf829 posted : Yeah - what does Steve Gibson know about Internet security anyway?

As this is specifically about FiOS routers, it seems appropriate here. The flaw is router specific.

Re: Common Router Security Flaw - You Want to Check This!

Wed, 13 Feb 2013 12:54:59 EDT

guppy_fish posted : This post belongs in the security forums not FIOS

Also that page doesn't work right, it reports my router at IP 10.1.1.1 is responding to UPNP ... lol ( is a non routeable IP and can't be accessed from the WAN )

The details say I'm on a linux server that is at 192.168.0.1 , nothing in my network uses that IP

Complete waste of a test

Re: Common Router Security Flaw - You Want to Check This!

Wed, 13 Feb 2013 12:53:23 EDT

Gary A posted : UPnP is turned off on my Actiontec, so I got the same "did not respond" result. :)

Re: Common Router Security Flaw - You Want to Check This!

Tue, 12 Feb 2013 11:49:49 EDT

jcondon8 posted : I got the same response on my Actiontech mi424wr Rev F. Assume the same firmware as you but I am not home to check.

There is also the WPS exploit. Which the Actiontech's don't support either (so no worries there).

»www.grc.com/sn/sn-335.txt

Re: Common Router Security Flaw - You Want to Check This!

Tue, 12 Feb 2013 11:23:46 EDT

knarf829 posted : MI-424WR Rev F. w/ Firmware 20.19.8

Common Router Security Flaw - You Want to Check This!

Tue, 12 Feb 2013 11:14:43 EDT

smrtech posted : I don't use the M1424WR for my FIOS, but you may want
to check this quick test to see if you are exposing your
network to a common UPnP implementation bug that
is incredibly common.

The bug is that UPnP is unnecessarily exposed on the WAN
side of the router, when it only really makes sense on the
LAN side. Hopefully the Actiontec doesn't have this issue,
but curious as many routers have this flaw. It should never
be available for negotiate on the WAN side, but it is on
many routers. Hope this isn't an issue with the ActionTec,
but if it is on any model, please report! Verizon will want
to know that. Hopefully not...

Here are the details about it:

There is an entire TechGuy Podcast about it would explains
the flaw. But a quick explaination can be found here:

»www.grc.com/su/UPnP-Exposed.htm

Steve Gibson, Security expert wrote this quick test.

Quick Test:

Click ShieldsUp!, then scroll down to "UPnP Exposure Test!"
and then "Proceed" and you want to run the UPnP Exposure Test

»www.grc.com/intro.htm