smrtech

join:2009-09-21
Springfield, PA

Common Router Security Flaw - You Want to Check This!

I don't use the MI424WR for my FIOS, but you may want to check this quick test to see if you are exposing your network to a common UPnP implementation bug that is incredibly common.

The bug is that UPnP is unnecessarily exposed on the WAN side of the router, when it only really makes sense on the LAN side. Hopefully the Actiontec doesn't have this issue, but I'm curious, as many routers have this flaw. It should never be available for negotiation on the WAN side, but it is on many routers. Hope this isn't an issue with the ActionTec, but if it is on any model, please report! Verizon will want to know that. Hopefully not...

Here are the details about it:

There is an entire TechGuy Podcast about it that explains the flaw. But a quick explanation can be found here:

»www.grc.com/su/UPnP-Exposed.htm

Steve Gibson, security expert, wrote this quick test.

Quick Test:

Click ShieldsUp!, then scroll down to "UPnP Exposure Test!", then "Proceed", and run the UPnP Exposure Test:

»www.grc.com/intro.htm
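
An added illustration of what the exposure test above is checking (my own example code, not GRC's test and not from this thread): it builds the standard SSDP M-SEARCH discovery request, sends it to a WAN address you supply from a vantage point outside your own network, and parses any reply. A router that answers on its public address is exposed, and a LOCATION header pointing at a private address means an internal device description is being handed out to the Internet. The sample reply is constructed, not captured from a real router.

```python
import ipaddress
import re
import socket

# Standard SSDP discovery request; ST "ssdp:all" asks every UPnP device and service to answer.
MSEARCH = b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n'

def parse_ssdp_response(data):
    """Headers of an SSDP 'HTTP/1.1 200 OK' reply as a lower-cased dict; {} if it is not one."""
    lines = data.decode("ascii", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def assess(data):
    """Classify a datagram that came back from the router's public (WAN) address."""
    headers = parse_ssdp_response(data)
    if not headers:
        return {"exposed": False, "reason": "no SSDP reply"}
    location = headers.get("location", "")
    match = re.match(r"https?://([^/:]+)", location)
    try:  # a LOCATION on a private address means an internal device description is reachable from outside
        private = ipaddress.ip_address(match.group(1)).is_private if match else False
    except ValueError:  # LOCATION names a host rather than a literal IP address
        private = False
    return {"exposed": True, "server": headers.get("server", ""),
            "location": location, "location_is_private": private}

def probe(wan_address, timeout=3.0):
    """Send one M-SEARCH to wan_address:1900 (run from outside your own network) and assess the first reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(MSEARCH, (wan_address, 1900))  # 1900/udp is the SSDP port
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"exposed": False, "reason": "no SSDP reply"}
    return assess(data)

# Constructed sample of the kind of reply an exposed router sends (not captured from a real device).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
                b"LOCATION: http://192.168.0.1:49152/rootDesc.xml\r\n"
                b"SERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.0\r\n\r\n")
```

A silent router (probe() returning "no SSDP reply") is the result the GRC page calls "did not respond".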


knarf829

join:2007-06-02
kudos:1

MI-424WR Rev F. w/ Firmware 20.19.8

jcondon

join:2000-05-27
Fishkill, NY

I got the same response on my Actiontec MI424WR Rev F. Assume the same firmware as you, but I am not home to check.

There is also the WPS exploit, which the Actiontecs don't support either (so no worries there).

»www.grc.com/sn/sn-335.txt



Gary A

join:2008-03-02
Odessa, FL
reply to knarf829

UPnP is turned off on my Actiontec, so I got the same "did not respond" result.


guppy_fish
Premium
join:2003-12-09
Lakeland, FL
kudos:1
Reviews:
·Verizon FiOS

1 edit
reply to smrtech

This post belongs in the security forums not FIOS

Also, that page doesn't work right; it reports my router at IP 10.1.1.1 is responding to UPnP ... lol (that is a non-routable IP and can't be accessed from the WAN)

The details say I'm on a Linux server that is at 192.168.0.1; nothing in my network uses that IP

Complete waste of a test


knarf829

join:2007-06-02
kudos:1

1 edit

Yeah - what does Steve Gibson know about Internet security anyway?

As this is specifically about FiOS routers, it seems appropriate here. The flaw is router specific.


mikev
Premium
join:2002-05-04
Leesburg, VA
Reviews:
·Callcentric

1 recommendation

reply to smrtech

I ran this test last night with UPnP both off and on... both times it said I was not vulnerable, so it seems that the Rev I router with the latest firmware has UPnP set up properly, with no visibility on the WAN side.

For the record, I leave UPnP off anyway.


knarf829

join:2007-06-02
kudos:1

1 edit

1 recommendation

This has nothing to do with the LAN UPnP setting in the router. It's a bug, not a setting, that opens WAN UPnP to the outside world in some routers.

(EDIT TO CORRECT: Yes, turning LAN UPnP off will apparently disable the WAN bug if you have it - didn't mean to leave the impression it wouldn't)


Zifnab

join:2008-03-30
Pittsburgh, PA
reply to smrtech

Verizon is saying that they've tested 'the majority' of their customer CPE and none of them have this flaw. Not sure what constitutes majority, but I know at least the Actiontecs and Westells are unaffected.


nyrrule27

join:2007-12-06
Howell, NJ
reply to smrtech

"Verizon is aware of a recently-announced vulnerability that may potentially affect certain versions of the Universal Plug-and-Play software on a variety of devices such as Home Routers, Modems, and Gateways that use this feature.

Verizon investigated a wide range of equipment, which covers the vast majority of our FiOS and DSL customers. None of the devices investigated were identified as being vulnerable. Verizon will continue its investigation to ensure all potentially vulnerable devices are identified.

Additional customer information is available to the customer at www.verizon.com/virushelp. Verizon will update this website with additional information as it becomes available."



birdfeedr
Premium,MVM
join:2001-08-11
Warwick, RI
kudos:9
reply to guppy_fish

said by guppy_fish:

Also, that page doesn't work right; it reports my router at IP 10.1.1.1 is responding to UPnP ... lol (that is a non-routable IP and can't be accessed from the WAN)
The details say I'm on a Linux server that is at 192.168.0.1; nothing in my network uses that IP

Did you click this link, which is an example of an exposed UPnP vulnerability result? »www.grc.com/su/UPnP-Exposed.htm

or did you click this link, then click Services/ShieldsUP!, then run the UPnP test? »www.grc.com/intro.htm

The first link displays example results exactly like you reported. Use the second link. Your Actiontec primary router will not show the vulnerability. DD-WRT on my Asus doesn't either.

Also, some broadband system routers using PPPoE present non-routable WAN addresses because they are aggregated further upstream (if I'm using the correct terminology). Do FiOS MDU ONTs using VDSL do this? Maybe.

knarf829

join:2007-06-02
kudos:1

said by birdfeedr:

said by guppy_fish:

Also, that page doesn't work right; it reports my router at IP 10.1.1.1 is responding to UPnP ... lol (that is a non-routable IP and can't be accessed from the WAN)
The details say I'm on a Linux server that is at 192.168.0.1; nothing in my network uses that IP

Did you click this link, which is an example of an exposed UPnP vulnerability result? »www.grc.com/su/UPnP-Exposed.htm

or did you click this link, then click Services/ShieldsUP!, then run the UPnP test? »www.grc.com/intro.htm


guppy_fish
Premium
join:2003-12-09
Lakeland, FL
kudos:1
Reviews:
·Verizon FiOS
reply to smrtech

I clicked the link in the OP's post

Just did the other one; I had to find the other test via the menu ... it's no issue ...

As I said, this is a security forum topic, nothing to do with FIOS


mikev
Premium
join:2002-05-04
Leesburg, VA
Reviews:
·Callcentric
reply to birdfeedr

said by birdfeedr:

Do FiOS MDU ONTs using VDSL do this? Maybe.

Nope. I'm on one... My router has its own public WAN address. Also, I don't use PPPoE... My modem provides an ethernet connection that the router plugs into. The router just uses DHCP to get its IP address, no PPPoE.


Dream Killer
Graveyard Shift
Premium
join:2002-08-09
Forest Hills, NY
kudos:1

4 edits
reply to smrtech

If the router has the UPnP flaw, just explicitly block UDP port 1900 and TCP port 5000 through the firewall.

For FiOS MI424wr:

Go to Firewall Settings on the top bar, then to "Advanced Filtering". In the "Inbound" area (the top table), click "Add" to the right of Broadband Connection. It's either Ethernet or Coax; choose whichever your internet is hooked up to.

Click the "Protocol" drop-down and pick "User Defined". Add server ports: "protocol" is UDP, "source" is "Any" and destination is single range port 1500. Click Apply and repeat the previous step for TCP 5000. Name the service something (I call it "Upnp-flaw"), then click Apply.

It should bring you back to the "Add Advanced Filter" page. Make sure the operation is "Drop Packets", then click Apply. Your page should now look like this:


[Screenshot: UPNP Filter]


Just to demonstrate that it works, I enabled logging for the rule and ran the test again at GRC. Here's what I got after two passed tests:


[Screenshot: It works!]


I looked up who that packet belonged to and it did originate from the GRC test:


[Screenshot: Blocked packet belongs to GRC.]


This rule should be added if you use UPnP. It will only drop packets coming in from the WAN side and will have no effect on the normal use of UPnP.
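
As an added example (my own code, not from this thread or from Actiontec), here is the inbound rule from the post expressed as a small policy check in Python and run over constructed firewall log lines in a made-up, generic log layout (the MI424WR's real log format is not reproduced). It drops only WAN-side UDP/1900 and TCP/5000 and leaves a LAN-side SSDP search alone, which is the "no effect on normal UPnP" point above, and it lists which outside hosts hit the rule, the way the logged packet from GRC was traced.

```python
import re
from collections import Counter, namedtuple

# One parsed inbound packet: arrival interface ("wan" = Broadband Connection, or "lan"), protocol, source IP, destination port.
Packet = namedtuple("Packet", "iface proto src dport")

# The inbound filter from the post: on the WAN side, drop UDP/1900 (SSDP discovery)
# and TCP/5000 (the UPnP SOAP control port on the affected routers).
BLOCK_RULES = {("udp", 1900), ("tcp", 5000)}

def verdict(pkt):
    """'drop' only for WAN-side packets matching the rule; LAN UPnP traffic is untouched."""
    if pkt.iface == "wan" and (pkt.proto, pkt.dport) in BLOCK_RULES:
        return "drop"
    return "accept"

# Constructed, generic log layout (assumed; the MI424WR's real log format is not reproduced here).
LOG_RE = re.compile(r"in=(\w+)\s+proto=(\w+)\s+src=([\d.]+)\s+dpt=(\d+)")

def parse_log_line(line):
    """Packet for a line in the constructed layout above, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Packet(m.group(1).lower(), m.group(2).lower(), m.group(3), int(m.group(4)))

def review(log_text):
    """Apply verdict() to every parsed line; count outcomes and list the outside hosts that hit the rule."""
    counts, probers = Counter(), Counter()
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        outcome = verdict(pkt)
        counts[outcome] += 1
        if outcome == "drop":
            probers[pkt.src] += 1
    return {"dropped": counts["drop"], "accepted": counts["accept"], "probers": dict(probers)}

# Constructed sample: two UPnP probes from one external test host (TEST-NET address), one SSDP
# search from a media player on the LAN, and one unrelated inbound connection on the WAN.
SAMPLE_LOG = """\
in=wan proto=udp src=198.51.100.7 dpt=1900
in=wan proto=tcp src=198.51.100.7 dpt=5000
in=lan proto=udp src=192.168.1.20 dpt=1900
in=wan proto=tcp src=203.0.113.9 dpt=443
"""

if __name__ == "__main__":
    print(review(SAMPLE_LOG))  # {'dropped': 2, 'accepted': 2, 'probers': {'198.51.100.7': 2}}
```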