Vulnerability Note VU#971705

Multiple D-Link routers fail to properly process UPnP M-SEARCH requests

Universal Plug and Play (UPnP) is a system that allows network devices to operate together.

M-SEARCH
When a device adds itself to a UPnP network, it may send a broadcast request to get information about other UPnP devices already on the network. This broadcast message is called an M-SEARCH directive.

The problem
Sending an oversized M-SEARCH request to an affected D-Link router's LAN or WLAN interface may result in a buffer overflow. The following router models are reported to be affected:

• DI-524 Rev A, C, D
• DI-604 Rev E
• DI-624 Rev C, D
• DI-784 Rev A
• EBR-2310 Rev A
• WBR-1310 Rev A

Upgrade
D-Link has issued firmware upgrades to address this vulnerability. See the D-Link support site for information on obtaining the latest version of firmware.

Disable UPnP
If the UPnP service is not needed, disabling it may reduce exposure to this vulnerability. Refer to D-Link's support site for instructions on how to disable UPnP on a particular model of router. The references section of this document has direct links to instructions on how to disable UPnP on some of the affected routers.

Restrict access
Restrict access to the LAN and WLAN interface to trusted hosts only. Preventing network traffic on port 1900/udp from reaching the LAN or WLAN interface may limit exposure to this vulnerability.

Systems Affected

http://secunia.com/advisories/21081/
http://www.eeye.com/html/research/advisories/AD20060714.html
http://support.dlink.com/products/view.asp?productid=DI%2D524
http://support.dlink.com/

Credit

Barnaby Jack of eEye Digital Security reported this vulnerability.

This document was written by Ryan Giobbi.

Other Information

If you have feedback, comments, or additional information about this vulnerability, please send us email.