Rapid7 and the Metasploit team have been exceedingly busy and released a whitepaper, “Security Flaws in Universal Plug and Play,” today that might blow your mind. You know how easy Universal Plug and Play (UPnP) makes it to set up new devices, and you likely have several of them, such as printers, media players, routers and smart TVs, that are already exposed to attack. Rapid7 advised, “Unplug. Don’t play. We strongly recommend people to check whether they may be vulnerable, and if so, disable the UPnP protocol in any affected devices." F-Secure called it “Universal plug and pray.” US-CERT released a UPnP Security Advisory.
Rapid7's Chief Security Officer HD Moore wrote:
This whitepaper details research conducted by Rapid7, which reveals that around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol. UPnP enables devices such as routers, printers, network-attached storage (NAS), media players and smart TVs to communicate with each other. The paper investigates how three groups of security flaws relating to the UPnP protocol are exposing millions of users to attacks that could lead to a remote compromise of the vulnerable device.
Five and a half months of scanning later, "Rapid7 identified over 81 million unique IP addresses that responded to a standard UPnP discovery request." The Security Flaws in Universal Plug and Play whitepaper [PDF download] explained, “Over 1,500 vendors and 6,900 products were identified that are vulnerable to at least one of the security flaws outlined in this paper. Over 23 million systems were vulnerable to a single remote code execution flaw that was discovered during the course of this research.” Moore wrote, “The results were shocking, to say the least. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks outlined in this paper.”
Luckily for us, Rapid7 put together this handy chart of Security Flaws in Universal Plug and Play highlights:
As Moore pointed out, the Portable UPnP SDK was fixed today, but it will take a long time for the fix to trickle down through all the vendors. “In most cases, network equipment that is 'no longer shipping' will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new. The flaws identified in the MiniUPnP software were fixed over two years ago, yet over 330 products are still using older versions.”
According to the CERT Program of the Carnegie Mellon University (CMU) Software Engineering Institute, solutions include: “Apply an Update -- libupnp 1.6.18 has been released to address these vulnerabilities. Restrict Access -- Deploy firewall rules to block untrusted hosts from being able to access port 1900/udp. Disable UPnP -- Consider disabling UPnP on the device if it is not absolutely necessary.”
CERT attempted to notify more than 200 vendors identified by Rapid7. The huge lists of vulnerable devices include products from manufacturers including Belkin, Cisco, D-Link Systems, Fujitsu, Huawei, Linksys, Logitech, Motorola, NEC, Netgear, Texas Instruments, TP-Link, Siemens and Sony Corporation to name but a few of the vendors that responded to CERT.
As Lucian Constantin reported, “Rapid7 published three separate lists of products vulnerable to Portable UPnP SDK flaws, MiniUPnP flaws, and which expose the UPnP SOAP service to the Internet.” There is also “a free tool called ScanNow for Universal Plug and Play, as well as a module for the Metasploit penetration testing framework, that can be used to detect vulnerable UPnP services running inside a network.”
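For readers who want to see what the "standard UPnP discovery request" in Rapid7's survey, and a ScanNow-style check, actually involve, here is an added example. It is not Rapid7's, ScanNow's or the Metasploit module's code. It multicasts an SSDP M-SEARCH on the local network, parses each reply, and classifies the SERVER header: Portable UPnP SDK (libupnp) versions below 1.6.18 are flagged as vulnerable, following CERT's advice quoted above; MiniUPnP is flagged for manual review because the page does not state which MiniUPnP release carries the fix; anything else is reported as unknown. The sample responses embedded for offline use are constructed, not captured, and the 192.0.2.0/24 addresses are the documentation range. Matching the older "Intel SDK for UPnP devices" product token is an assumption that it identifies earlier releases of the same stack.

```python
import re
import socket

# SSDP multicast group and port; UPnP devices listen here for discovery requests.
SSDP_ADDR = ("239.255.255.250", 1900)

# The standard SSDP discovery request. Rapid7's survey sent one of these to every
# routable IPv4 address; here it is only multicast on the local network.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
)

# CERT's remediation: libupnp (Portable UPnP SDK) 1.6.18 fixes the flaws, so any
# earlier version string is treated as vulnerable.
LIBUPNP_FIXED = (1, 6, 18)

# Constructed sample responses (not real captures). 192.0.2.0/24 is a documentation range.
SAMPLE_VULNERABLE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    "SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    "\r\n"
)
SAMPLE_MINIUPNP = (
    "HTTP/1.1 200 OK\r\n"
    "LOCATION: http://192.0.2.2:5000/rootDesc.xml\r\n"
    "SERVER: OpenWRT/Attitude_Adjustment UPnP/1.1 MiniUPnPd/1.4\r\n"
    "ST: upnp:rootdevice\r\n"
    "\r\n"
)


def parse_ssdp_response(raw: str) -> dict:
    """Return the headers of an SSDP 200 OK response keyed by lowercase header name."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def assess(server: str) -> str:
    """Classify a SERVER header against the two UPnP stacks named in the whitepaper.

    'vulnerable': Portable UPnP SDK older than 1.6.18
    'patched':    Portable UPnP SDK 1.6.18 or newer
    'review':     MiniUPnP (fixed release not stated on the page; check by hand)
    'unknown':    some other UPnP stack
    """
    s = server.lower()
    # Assumption: "Intel SDK for UPnP devices" is the older product token of the same stack.
    m = re.search(r"(?:portable|intel) sdk for upnp devices/(\d+)\.(\d+)\.(\d+)", s)
    if m:
        version = tuple(int(x) for x in m.groups())
        return "vulnerable" if version < LIBUPNP_FIXED else "patched"
    if "miniupnp" in s:
        return "review"
    return "unknown"


def discover(timeout: float = 3.0) -> list:
    """Multicast one M-SEARCH and collect (ip, server, location, verdict) for every reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(M_SEARCH.encode("ascii"), SSDP_ADDR)
    found = []
    try:
        while True:  # keep reading until the timeout fires
            data, (ip, _port) = sock.recvfrom(65535)
            hdrs = parse_ssdp_response(data.decode("ascii", errors="replace"))
            server = hdrs.get("server", "")
            found.append((ip, server, hdrs.get("location", ""), assess(server)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for ip, server, location, verdict in discover():
        print(f"{ip:15} {verdict:10} {server}  {location}")
```

A reply from inside the LAN tells you the device runs a given UPnP stack, not whether that stack is reachable from the Internet; the Internet-facing exposure Rapid7 measured is only visible from outside the router's WAN address. Conversely, a device that does not answer from the WAN side is still reachable by anyone on the LAN who can send to 1900/udp, so the version verdict matters either way.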
One little tidbit from Rapid7 commenter naughtbelieving states:
Um, first Chrome flags it as malicious. Then Security Essentials spends a *very* long time scanning the exe before allowing it to run. And then the tool says it requires Java to run! (Isn't that kinda like requiring you to bring a bottle of wine to an AA meeting??)
Moore said, “You can install the JRE or JDK without exposing the Java plugin via your web browser.” He later advised, “So long as you disable UPnP on the router itself you should be protected from external attacks.”
From a slightly different “security” angle, McAfee's Chief Architect Dave Marcus tweeted, “SHODAN shows 12+ million UPnP entries.” He then added a potential upside to the Universal Plug and Play situation: