Vulnerability Note VU#357851
UPnP requests accepted over router WAN interfaces
Overview
Some Internet router devices incorrectly accept UPnP requests over the WAN interface.
Description
Universal Plug and Play (UPnP) is a networking protocol mostly used for personal computing devices to discover and communicate with each other and the Internet. Some UPnP enabled router devices incorrectly accept UPnP requests over the WAN interface. "AddPortMapping" and "DeletePortMapping" actions are accepted on these devices. These requests can be used to connect to internal hosts behind a NAT firewall and also proxy connections through the device and back out to the Internet. Additional details can be found in Daniel Garcia's whitepaper, "Universal plug and play (UPnP) mapping attacks". [PDF] A list of devices reported to be vulnerable can be found on the UPnP hacks website. |
Impact
A remote unauthenticated attacker may be able to scan internal hosts or proxy Internet traffic through the device. |
Solution
Contact the device's vendor to find out if a firmware update is available to address this vulnerability. |
Workarounds Disable UPnP on the device. |
Vendor Information (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Canyon-Tech | Affected | - | 05 Oct 2011 |
| Edimax Computer Company | Affected | - | 05 Oct 2011 |
| Linksys (A division of Cisco Systems) | Affected | - | 03 Oct 2011 |
| Sitecom | Affected | - | 05 Oct 2011 |
| Sweex | Affected | - | 05 Oct 2011 |
| Technicolor | Affected | - | 07 Oct 2011 |
| ZyXEL | Affected | - | 05 Oct 2011 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | 9.4 | AV:N/AC:L/Au:N/C:N/I:C/A:C |
| Temporal | 8.0 | E:POC/RL:W/RC:C |
| Environmental | 8.0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
- http://toor.do/upnp.html
- http://www.h-online.com/security/news/item/UPnP-enabled-routers-allow-attacks-on-LANs-1329727.html
- http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf
- http://www.upnp-hacks.org/devices.html
Credit
Thanks to Daniel Garcia for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
- CVE IDs: Unknown
- Date Public: 05 Aug 2011
- Date First Published: 05 Oct 2011
- Date Last Updated: 30 Nov 2012
- Severity Metric: 0.85
- Document Revision: 16
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.