Flaws in UPnP libraries can be exploited on millions of networks, Rapid7 warns
UPnP is a protocol standard designed to automate how a computer identifies network devices such as printers, media servers and IP cameras and exchanges data with them. Applications use it to access and configure network-connected services. Support for UPnP is enabled by default on Windows and Mac OS X machines, as well as various Linux distributions.
UPnP is normally used within local networks, and it’s unwise to expose UPnP information to the wider Internet. But tens of millions of implementations are exposed, according to the latest findings.
UPnP going down and down?
Security firm Rapid7 said it found 80 million public IP addresses which responded to UPnP requests, effectively meaning that those connected devices are open to control or manipulation across the Internet to some degree. The firm described three attack vectors that could exploit problems in UPnP, which is enabled by default on many home gateways, nearly all network printers and numerous other devices, including network storage servers.
Between 40 and 50 million IPs could be in danger, showing signs of responding to these attack vectors. Twenty-three million of these were vulnerable to a single remote code execution flaw, for which an attacker would have to send a specially crafted UDP data packet. Products of major networking vendors, including Netgear and Cisco’s Linksys division (currently being sold to Belkin) were at risk, Rapid7 said. But those companies have not yet responded to a request for comment.
Over 1500 vendors and 6900 products are thought to be vulnerable to at least one of the three attack methods.
The three attacks Rapid7 looked at included one exploiting programming flaws in common UPnP Simple Service Discovery Protocol (SSDP) implementations to crash systems and execute arbitrary code. Another took advantage of exposed UPnP control interfaces, which are accessed over SOAP. The third exploited programming flaws in the UPnP HTTP and SOAP (Simple Object Access Protocol) implementations themselves.
Just as a quick refresher, the SSDP side of UPnP advertises available services and responds to discovery requests. It is also used to identify the location of the UPnP HTTP service and service description file – an XML document that provides information on devices and supported services – for a given system.
The HTTP service also hosts the SOAP interface. SOAP lets other systems on a network call a defined set of functions, meaning that if exposed, it can leak valuable information to hackers. All tied together, they simplify connections between different networked gear.
Rapid7 spent half a year looking to quantify how many UPnP-enabled systems exposed the SOAP and SSDP services to the wider Internet, whilst hunting for weaknesses in the most commonly-used UPnP implementations.
Over 81 million unique IPs exposed SSDP, whilst 17 million were believed to have exposed SOAP. By leaving these services reachable from the Internet, vendors risk leaking device and service details that could let attackers exploit flaws in the underlying software libraries. And those flaws certainly exist in many UPnP implementations, Rapid7 found.
Big problems lay in the software development kits (SDKs) and libraries used by UPnP implementations, the security firm said. In one of those SDKs, known as Portable SDK, there were eight remotely exploitable flaws in the SSDP parser, including buffer overflow vulnerabilities, two of which affected all versions.
Whilst many of the flaws have been fixed in library updates, many systems use old versions. That’s why many millions of devices are at risk.
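The SSDP response, the LOCATION header and the description XML described above are the pieces a defender actually looks at when checking whether a device on their own network is exposing UPnP and which library version it advertises. The script below is an added example written for this page, not Rapid7's tooling or any vendor's code: it parses a constructed SSDP M-SEARCH reply, extracts the Portable SDK version from the SERVER header and flags anything older than 1.6.18 (the fixed release named later in the article), then reads a constructed device description document to list the SOAP control endpoints it would reach via the HTTP service. The SERVER header format ("Portable SDK for UPnP devices/x.y.z") and the sample addresses are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin
from xml.etree import ElementTree as ET

# Constructed sample SSDP M-SEARCH response (HTTP over UDP). The LOCATION header
# points at the device description XML served by the device's UPnP HTTP service.
SAMPLE_SSDP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    "SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)

# Constructed device description document, trimmed to the elements we use.
SAMPLE_DESCRIPTION_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Example Gateway</friendlyName>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
        <controlURL>/ctl/IPConn</controlURL>
      </service>
    </serviceList>
  </device>
</root>"""

# Release that the article reports as carrying the Portable SDK fixes.
FIXED_PORTABLE_SDK: Tuple[int, ...] = (1, 6, 18)
UPNP_NS = {"u": "urn:schemas-upnp-org:device-1-0"}


def parse_ssdp_response(raw: str) -> Dict[str, str]:
    """Parse the header block of an SSDP reply into an upper-cased dict.
    Anything that is not a 200 OK reply yields an empty dict."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines rather than raising
            headers[name.strip().upper()] = value.strip()
    return headers


def portable_sdk_version(server_header: str) -> Optional[Tuple[int, ...]]:
    """Extract the Portable SDK version from a SERVER header (assumed format)."""
    m = re.search(r"Portable SDK for UPnP devices/(\d+(?:\.\d+)*)", server_header)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def audit_response(raw: str) -> List[str]:
    """Return human-readable findings for one SSDP reply."""
    findings: List[str] = []
    headers = parse_ssdp_response(raw)
    if not headers:
        return findings
    findings.append("answered SSDP discovery (ST=%s)" % headers.get("ST", "?"))
    version = portable_sdk_version(headers.get("SERVER", ""))
    if version is not None and version < FIXED_PORTABLE_SDK:
        findings.append("Portable SDK %s is older than %s" % (
            ".".join(map(str, version)), ".".join(map(str, FIXED_PORTABLE_SDK))))
    return findings


def list_control_endpoints(location: str, description_xml: str) -> List[Tuple[str, str]]:
    """List (serviceType, absolute controlURL) pairs from a description document.
    Relative controlURLs are resolved against the LOCATION the device advertised."""
    root = ET.fromstring(description_xml)
    endpoints = []
    for service in root.iterfind(".//u:service", UPNP_NS):
        service_type = service.findtext("u:serviceType", default="", namespaces=UPNP_NS)
        control_url = service.findtext("u:controlURL", default="", namespaces=UPNP_NS)
        if control_url:
            endpoints.append((service_type, urljoin(location, control_url)))
    return endpoints


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_SSDP_RESPONSE):
        print("finding:", finding)
    location = parse_ssdp_response(SAMPLE_SSDP_RESPONSE)["LOCATION"]
    for service_type, url in list_control_endpoints(location, SAMPLE_DESCRIPTION_XML):
        print("SOAP control endpoint:", service_type, "->", url)
```

In practice the raw reply would come from a socket listening for M-SEARCH responses on your own network, and the description XML from fetching the advertised LOCATION; any device that reports an old library version or publishes control endpoints to an interface it should not is a candidate for the "disable UPnP or replace it" advice that follows.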
Rapid7 recommended that ISPs review their equipment to check that UPnP is not exposed to discovery requests from the Internet. It suggested disabling UPnP on systems holding critical data. But it is not expecting much from vendors:
“Unfortunately, the realities of the consumer electronics industry will leave most systems vulnerable for the indefinite future,” Rapid7 wrote in its whitepaper.
“The vulnerabilities we identified in the Portable UPnP SDK have been fixed as of version 1.6.18 (released today), but it will take a long time before each of the application and device vendors incorporate this patch into their products,” added HD Moore, CEO of Rapid7.
“In most cases, network equipment that is ‘no longer shipping’ will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new.”