Vulnerability Note VU#361684
Router devices do not implement sufficient UPnP authentication and security
Home routers implementing the UPnP protocol do not sufficiently randomize UUIDs in UPnP control URLs, or implement other UPnP security measures.
The UPnP protocol allows automatic device discovery and interaction with devices on a network. The UPnP protocol was originally designed with the threat model of being on a private network (not available to the WAN) restricted to only authorized users, and therefore does not by default implement authentication. Later efforts developed a UPnP Security standard, but according to UPnP Forum's Device Protection standard documentation, "support and deployment of this standard has been extremely limited", due to cumbersome user experience and lack of industry buy-in of advanced features such as Public Key Infrastructure (PKI).
According to the reporter, poor adoption of the security standard may broadly open up opportunities for an attacker with private network access to guess the UPnP Control URLs for many devices currently on the market. If the guess is correct, the attacker may utilize UPnP to make changes to the home router's configuration such as opening ports and enabling services that allow an attacker further access to the network. A correct guess is likely, due to many manufacturers' use of standardized UPnP Control URL names.
An attacker able to gain access to the private network by enticing a user to visit a specially-crafted web page may be able to silently open ports in a user's firewall or perform other administrative actions on the gateway router.
The CERT/CC is currently unaware of a full solution to this problem. However, the following workarounds may help mitigate risks.
Do not follow unknown links
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|NEC Corporation||Affected||-||26 Oct 2015|
|Check Point Software Technologies||Not Affected||14 Jul 2015||04 Jan 2016|
|ACCESS||Unknown||14 Jul 2015||14 Jul 2015|
|Alcatel-Lucent||Unknown||14 Jul 2015||14 Jul 2015|
|AT&T||Unknown||14 Jul 2015||14 Jul 2015|
|Avaya, Inc.||Unknown||14 Jul 2015||14 Jul 2015|
|Belkin, Inc.||Unknown||14 Jul 2015||14 Jul 2015|
|Cisco||Unknown||14 Jul 2015||14 Jul 2015|
|D-Link Systems, Inc.||Unknown||14 Jul 2015||14 Jul 2015|
|Extreme Networks||Unknown||14 Jul 2015||14 Jul 2015|
|F5 Networks, Inc.||Unknown||14 Jul 2015||14 Jul 2015|
|Force10 Networks||Unknown||14 Jul 2015||14 Jul 2015|
|Unknown||19 Jun 2015||19 Jun 2015|
|Hitachi||Unknown||14 Jul 2015||14 Jul 2015|
|Huawei Technologies||Unknown||14 Jul 2015||14 Jul 2015|
CVSS Metrics (Learn More)
Thanks to Grant Harrelson for reporting this issue to us.
This document was written by Garret Wassermann.
- CVE IDs: Unknown
- Date Public: 31 Aug 2015
- Date First Published: 31 Aug 2015
- Date Last Updated: 04 Jan 2016
- Document Revision: 83
If you have feedback, comments, or additional information about this vulnerability, please send us email.