Vulnerability Note VU#347812
UPnP enabled by default in multiple devices
Multiple vendors ship devices with UPnP enabled by default. By convincing a user to open a malicious URL, an attacker may be able to remotely control or configure UPnP enabled devices.
Universal Plug and Play (UPnP) is a collection of protocols maintained and distributed by the UPnP Forum. UPnP is designed to allow network devices to easily connect to each other. UPnP enabled applications may be able to control other UPnP enabled devices such as firewalls or routers automatically and without authentication. Some applications may rely on UPnP to automatically open ports on routers or automatically set other parameters on compatible devices.
Multiple vendors ship devices with UPnP enabled by default. These devices may be configured to only listen for UPnP requests on local networks or wireless interfaces. By using browser plugins that execute in the context of the local system, an attacker may be able to send UPnP messages to local devices without authentication. One researcher has demonstrated an attack vector that uses the Adobe Flash plugin.
By convincing a victim to click on a link in an HTML document (web page, HTML email), an attacker could issue any command or change any configuration that can be set via UPnP on an affected device. If the affected device is providing routing or firewalling services to clients, an attacker may be able to change firewall and port forwarding rules, modify DNS settings, change wireless encryption keys, or set arbitrary administration passwords.
We are currently unaware of a practical solution to this problem. Developers using UPnP should see the UPnP forum's vendor statement for more information.
Adobe has issued an update that prevents Flash from being used as an attack vector to exploit this vulnerability.
Workarounds for administrators
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|NEC Corporation||Affected||15 Jan 2008||30 Jun 2008|
|Foundry Networks, Inc.||Not Affected||15 Jan 2008||30 Jan 2008|
|Internet Security Systems, Inc.||Not Affected||15 Jan 2008||30 Jan 2008|
|Intoto||Not Affected||15 Jan 2008||30 Jan 2008|
|McAfee||Not Affected||15 Jan 2008||21 Jan 2008|
|Network Appliance, Inc.||Not Affected||15 Jan 2008||30 Jan 2008|
|Snort||Not Affected||15 Jan 2008||21 Jan 2008|
|Sourcefire||Not Affected||15 Jan 2008||21 Jan 2008|
|TippingPoint, Technologies, Inc.||Not Affected||15 Jan 2008||16 Jan 2008|
|3com, Inc.||Unknown||15 Jan 2008||15 Jan 2008|
|Adobe||Unknown||09 Apr 2008||09 Apr 2008|
|Alcatel||Unknown||15 Jan 2008||15 Jan 2008|
|Apple Computer, Inc.||Unknown||15 Jan 2008||15 Jan 2008|
|AT&T||Unknown||15 Jan 2008||15 Jan 2008|
|Avaya, Inc.||Unknown||15 Jan 2008||15 Jan 2008|
CVSS Metrics (Learn More)
Information about this vulnerability was released by PDP on the GNUCITIZEN website.
This document was written by Ryan Giobbi.
- CVE IDs: Unknown
- Date Public: 15 Jan 2008
- Date First Published: 15 Jan 2008
- Date Last Updated: 22 Jul 2008
- Severity Metric: 18.43
- Document Revision: 60
If you have feedback, comments, or additional information about this vulnerability, please send us email.