D-Link Systems, Inc. Information for VU#922681

Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP



Vendor Statement

January 30, 2013 UPDATE:

At the current time D-Link deploys firmware that has UPnP feature support on our devices. The UPnP features are enabled by software developer kits - Intel, Portable, and miniUPnP.

Recently, it has been discovered that the following UPnP versions may have a security vulnerability that could cause devices to become unstable, impair functionality, or disclose the services the devices offers (i.e. network camera feed):

All Versions of Intel SDK
Version of Portable SDK prior to V. 1.6.18
Version of MiniUPnP SDK prior to V. 1.1

Security and performance is of the utmost importance to D-Link across all product lines, including networking, surveillance, storage and entertainment solutions.

The company is currently assessing the recent findings surrounding UPnP technology and whether any D-Link products are susceptible to vulnerabilities. If any action is needed, D-Link will provide information online at www.dlink.com/upnp

Vendor Information

Customers that want to disable UPnP in the affected products can do so by following these steps:

Current Solution for Affected Products by Disabling UPnP

Step 1: Log into device wed configuration - For routers default URL

http://dlinkrouter.local or

Step 2: Click on the Advanced tab at the top and then click on Advanced Network on the left-hand side.
Step 3: Under the UPnP Settings section, uncheck the disabled UPnP buttons to disable UPnP on the device
Step 4: Click Save Settings at the top to apply the settings.

*** Please note that disabling UPnP might adversely affect features and capabilities of the device and/or supporting applications or devices connecting to these products.

Vendor References



There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.