Vulnerability Note VU#347812
UPnP enabled by default in multiple devices
Overview
Multiple vendors ship devices with UPnP enabled by default. By convincing a user to open a malicious URL, an attacker may be able to remotely control or configure UPnP enabled devices.
I. Description
Universal Plug and Play (UPnP) is a collection of protocols maintained and distributed by the UPnP Forum. UPnP is designed to allow network devices to easily connect to each other. UPnP enabled applications may be able to control other UPnP enabled devices such as firewalls or routers automatically and without authentication. Some applications may rely on UPnP to automatically open ports on routers or automatically set other parameters on compatible devices.
Multiple vendors ship devices with UPnP enabled by default. These devices may be configured to only listen for UPnP requests on local networks or wireless interfaces. By using browser plugins that execute in the context of the local system, an attacker may be able to send UPnP messages to local devices without authentication. One researcher has demonstrated an attack vector that uses the Adobe Flash plugin.
Note that to successfully exploit this vulnerability an attacker would need to be able to guess the IP address of an affected device. This IP address may also be enumerated through browser headers or other methods.
II. Impact
By convincing a victim to click on a link in an HTML document (web page, HTML email), an attacker could issue any command or change any configuration that can be set via UPnP on an affected device. If the affected device is providing routing or firewalling services to clients, an attacker may be able to change firewall and port forwarding rules, modify DNS settings, change wireless encryption keys, or set arbitrary administration passwords.
III. Solution
We are currently unaware of a practical solution to this problem. Developers using UPnP should see the UPnP Forum's vendor statement for more information.
Adobe has issued an update that prevents Flash from being used as an attack vector to exploit this vulnerability.
From the Understanding Flash Player 9 April 2008 Security Update compatibility document:
The April 2008 Flash Player update adds a new security feature to perform a cross-domain policy file check before allowing SWFs to send headers to another domain. This change helps improve web site security by helping to defend against malicious HTTP headers sent by content from other domains. The feature will also help to mitigate a potential UPnP issue (VU#347812) in which routers fail to correctly handle unexpected header values.
Workarounds for administrators
- UPnP should be disabled on devices that are being used to enforce security policies or are connected to untrusted networks, such as the Internet.
- Filtering the IGMP protocol between LAN segments may prevent UPnP devices from connecting to networks that they are not authorized to access.
Workarounds for users
- Disabling UPnP on network devices will mitigate this vulnerability. Note that disabling UPnP will cause any devices or applications that rely on UPnP to fail or operate with reduced functionality.
- Disabling UPnP in desktop operating systems may prevent an attacker from exploiting this vulnerability. Microsoft Windows XP users should see the workarounds section of Microsoft Security Bulletin MS07-019 for instructions on how to disable UPnP.
- Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts and access installed plugins may prevent this vulnerability from being exploited.
- Using host-based firewalls to filter ports 1900/udp and 2869/tcp both inbound and outbound may prevent this vulnerability from being exploited by blocking the ports that UPnP uses. Note that the Windows Vista firewall blocks UPnP by default. This workaround may not be able to prevent exploitation of this vulnerability.
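As a defender's check on the host-based firewall workaround above (an added example, not part of the CERT note): a small Python triage over constructed firewall log lines that counts UPnP traffic on 1900/udp and 2869/tcp by direction and action, so that an allowed outbound hit on 2869/tcp shows the port filter is not actually in force. The pfirewall.log field layout, the function names and the sample addresses are assumptions.

```python
"""Triage host-firewall log records for UPnP traffic (1900/udp SSDP, 2869/tcp control)."""
from collections import Counter

# The ports named in the VU#347812 workaround, keyed with their transport protocol.
UPNP_PORTS = {(1900, "UDP"), (2869, "TCP")}

# Constructed sample in the shape of a Windows Firewall pfirewall.log (W3C-style
# fields; the exact field list is an assumption). Addresses are made up.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-01-15 13:47:51 ALLOW UDP 192.168.1.23 239.255.255.250 49152 1900 0 - - - - - - - SEND
2008-01-15 13:47:52 ALLOW TCP 192.168.1.23 192.168.1.1 49153 2869 0 - 0 0 0 - - - SEND
2008-01-15 13:47:53 DROP UDP 192.168.1.1 192.168.1.23 1900 49152 0 - - - - - - - RECEIVE
2008-01-15 13:47:54 ALLOW TCP 192.168.1.23 198.51.100.7 49154 80 0 - 0 0 0 - - - SEND
"""

def parse_line(line):
    """Return (action, proto, sport, dport, path) for one record, or None for
    comments, blank lines and port-less (ICMP) records."""
    f = line.split()
    if not f or f[0].startswith("#") or len(f) < 9:
        return None
    try:
        return (f[2].upper(), f[3].upper(), int(f[6]), int(f[7]), f[-1].upper())
    except ValueError:
        return None

def upnp_port(rec):
    """The UPnP port this record touches (either endpoint), or None if unrelated."""
    _, proto, sport, dport, _ = rec
    for port in (dport, sport):
        if (port, proto) in UPNP_PORTS:
            return port
    return None

def triage(lines):
    """Map (direction, upnp_port, action) -> count over the UPnP records in `lines`.
    direction is SEND (outbound from this host) or RECEIVE (inbound)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        port = upnp_port(rec) if rec else None
        if port is not None:
            counts[(rec[4], port, rec[0])] += 1
    return dict(counts)

def unblocked_control_requests(lines):
    """Outbound 2869/tcp requests the firewall allowed: a local process (for example
    a browser plugin) reached a UPnP control port, so the port filter is not in effect."""
    return triage(lines).get(("SEND", 2869, "ALLOW"), 0)
```

Run `triage(SAMPLE_LOG.splitlines())` against a real log to see whether UPnP records are being dropped in both directions as the workaround intends.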
Systems Affected
| Vendor | Status | Date Updated |
|---|---|---|
| 3com, Inc. | Unknown | 15-Jan-2008 |
| Adobe | Unknown | 9-Apr-2008 |
| Alcatel | Unknown | 15-Jan-2008 |
| Apple Computer, Inc. | Unknown | 15-Jan-2008 |
| AT&T | Unknown | 15-Jan-2008 |
| Avaya, Inc. | Unknown | 15-Jan-2008 |
| Avici Systems, Inc. | Unknown | 15-Jan-2008 |
| Borderware Technologies | Unknown | 15-Jan-2008 |
| Bro | Unknown | 15-Jan-2008 |
| CentOS | Unknown | 15-Jan-2008 |
| Charlotte's Web Networks | Unknown | 15-Jan-2008 |
| Check Point Software Technologies | Unknown | 15-Jan-2008 |
| Cisco Systems, Inc. | Unknown | 15-Jan-2008 |
| Clavister | Unknown | 15-Jan-2008 |
| Computer Associates | Unknown | 15-Jan-2008 |
| Computer Associates eTrust Security Management | Unknown | 15-Jan-2008 |
| Conectiva Inc. | Unknown | 15-Jan-2008 |
| Cray Inc. | Unknown | 15-Jan-2008 |
| D-Link Systems, Inc. | Unknown | 15-Jan-2008 |
| Data Connection, Ltd. | Unknown | 15-Jan-2008 |
| Debian GNU/Linux | Unknown | 15-Jan-2008 |
| EMC Corporation | Unknown | 15-Jan-2008 |
| Engarde Secure Linux | Unknown | 15-Jan-2008 |
| Enterasys Networks | Unknown | 15-Jan-2008 |
| Ericsson | Unknown | 15-Jan-2008 |
| eSoft, Inc. | Unknown | 15-Jan-2008 |
| Extreme Networks | Unknown | 15-Jan-2008 |
| F5 Networks, Inc. | Unknown | 15-Jan-2008 |
| Fedora Project | Unknown | 15-Jan-2008 |
| Force10 Networks, Inc. | Unknown | 15-Jan-2008 |
| Fortinet, Inc. | Unknown | 15-Jan-2008 |
| Foundry Networks, Inc. | Not Vulnerable | 30-Jan-2008 |
| FreeBSD, Inc. | Unknown | 15-Jan-2008 |
| Fujitsu | Unknown | 15-Jan-2008 |
| Gentoo Linux | Unknown | 15-Jan-2008 |
| Global Technology Associates | Unknown | 15-Jan-2008 |
| Hewlett-Packard Company | Unknown | 15-Jan-2008 |
| Hitachi | Unknown | 15-Jan-2008 |
| Hyperchip | Unknown | 15-Jan-2008 |
| IBM Corporation | Unknown | 15-Jan-2008 |
| IBM Corporation (zseries) | Unknown | 15-Jan-2008 |
| IBM eServer | Unknown | 15-Jan-2008 |
| Ingrian Networks, Inc. | Unknown | 15-Jan-2008 |
| Intel Corporation | Unknown | 15-Jan-2008 |
| Internet Security Systems, Inc. | Not Vulnerable | 30-Jan-2008 |
| Intoto | Not Vulnerable | 30-Jan-2008 |
| IP Filter | Unknown | 15-Jan-2008 |
| Juniper Networks, Inc. | Unknown | 15-Jan-2008 |
| Linksys (A division of Cisco Systems) | Unknown | 15-Jan-2008 |
| Lucent Technologies | Unknown | 15-Jan-2008 |
| Luminous Networks | Unknown | 15-Jan-2008 |
| m0n0wall | Unknown | 15-Jan-2008 |
| Mandriva, Inc. | Unknown | 15-Jan-2008 |
| McAfee | Not Vulnerable | 21-Jan-2008 |
| Microsoft Corporation | Unknown | 15-Jan-2008 |
| MontaVista Software, Inc. | Unknown | 15-Jan-2008 |
| Multinet (owned Process Software Corporation) | Unknown | 15-Jan-2008 |
| Multitech, Inc. | Unknown | 15-Jan-2008 |
| NEC Corporation | Vulnerable | 30-Jun-2008 |
| NetBSD | Unknown | 15-Jan-2008 |
| netfilter | Unknown | 15-Jan-2008 |
| Netgear, Inc. | Unknown | 15-Jan-2008 |
| Network Appliance, Inc. | Not Vulnerable | 30-Jan-2008 |
| NextHop Technologies, Inc. | Unknown | 15-Jan-2008 |
| Nokia | Unknown | 15-Jan-2008 |
| Nortel Networks, Inc. | Unknown | 15-Jan-2008 |
| Novell, Inc. | Unknown | 15-Jan-2008 |
| OpenBSD | Unknown | 15-Jan-2008 |
| Openwall GNU/*/Linux | Unknown | 16-Jan-2008 |
| QNX, Software Systems, Inc. | Unknown | 15-Jan-2008 |
| RadWare, Inc. | Unknown | 15-Jan-2008 |
| Red Hat, Inc. | Unknown | 15-Jan-2008 |
| Redback Networks, Inc. | Unknown | 15-Jan-2008 |
| Riverstone Networks, Inc. | Unknown | 15-Jan-2008 |
| Secure Computing Network Security Division | Unknown | 15-Jan-2008 |
| Secureworx, Inc. | Unknown | 15-Jan-2008 |
| Silicon Graphics, Inc. | Unknown | 15-Jan-2008 |
| Slackware Linux Inc. | Unknown | 15-Jan-2008 |
| SmoothWall | Unknown | 15-Jan-2008 |
| Snort | Not Vulnerable | 21-Jan-2008 |
| Sony Corporation | Unknown | 15-Jan-2008 |
| Sourcefire | Not Vulnerable | 21-Jan-2008 |
| Stonesoft | Unknown | 15-Jan-2008 |
| Sun Microsystems, Inc. | Unknown | 15-Jan-2008 |
| SUSE Linux | Unknown | 15-Jan-2008 |
| Symantec, Inc. | Unknown | 15-Jan-2008 |
| The SCO Group | Unknown | 15-Jan-2008 |
| TippingPoint, Technologies, Inc. | Not Vulnerable | 16-Jan-2008 |
| Trustix Secure Linux | Unknown | 15-Jan-2008 |
| Turbolinux | Unknown | 15-Jan-2008 |
| Ubuntu | Unknown | 15-Jan-2008 |
| Unisys | Unknown | 15-Jan-2008 |
| UPnP | Unknown | 22-Jul-2008 |
| Watchguard Technologies, Inc. | Unknown | 15-Jan-2008 |
| Wind River Systems, Inc. | Unknown | 15-Jan-2008 |
| ZyXEL | Unknown | 15-Jan-2008 |
References
http://www.upnp.org/
http://www.upnp.org/download/UPnP_Vendor_Implementation_Guide_Jan2001.htm
http://www.upnp.org/membership/members.asp
http://www.gnucitizen.org/blog/hacking-the-interwebs
http://www.kb.cert.org/vuls/id/347812
http://windowshelp.microsoft.com/Windows/en-US/Help/32f3845b-eda0-4168-be8d-90f07250d8101033.mspx
http://www.microsoft.com/technet/security/Bulletin/MS07-019.mspx
http://www.us-cert.gov/reading_room/securing_browser/
http://noscript.net/features#contentblocking
http://linux-igd.sourceforge.net/
http://www.shorewall.net/UPnP.html
Credit
Information about this vulnerability was released by PDP on the GNUCITIZEN website.
This document was written by Ryan Giobbi.
Other Information
| Field | Value |
|---|---|
| Date Public | 01/15/2008 |
| Date First Published | 01/15/2008 01:47:51 PM |
| Date Last Updated | 07/22/2008 |
| CERT Advisory | |
| CVE Name | |
| Metric | 18.43 |
| Document Revision | 60 |
If you have feedback, comments, or additional information about this vulnerability, please send us email.