D-Link Systems, Inc. Information for VU#922681

Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP

Status

Affected

Vendor Statement

January 30, 2013 UPDATE:

At the current time D-Link deploys firmware that has UPnP feature support on our devices. The UPnP features are enabled by software developer kits - Intel, Portable, and miniUPnP.

Recently, it has been discovered that the following UPnP versions may have a security vulnerability that could cause devices to become unstable, impair functionality, or disclose the services the devices offer (i.e. network camera feed):

All Versions of Intel SDK
Version of Portable SDK prior to V. 1.6.18
Version of MiniUPnP SDK prior to V. 1.1

Security and performance are of the utmost importance to D-Link across all product lines, including networking, surveillance, storage and entertainment solutions.

The company is currently assessing the recent findings surrounding UPnP technology and whether any D-Link products are susceptible to vulnerabilities. If any action is needed, D-Link will provide information online at www.dlink.com/upnp

Vendor Information

Customers that want to disable UPnP in the affected products can do so by following these steps:

Current Solution for Affected Products by Disabling UPnP

Step 1: Log into the device web configuration. For routers, the default URL is http://dlinkrouter.local or http://192.168.0.1

Step 2: Click on the Advanced tab at the top and then click on Advanced Network on the left-hand side.
Step 3: Under the UPnP Settings section, uncheck the disabled UPnP buttons to disable UPnP on the device
Step 4: Click Save Settings at the top to apply the settings.

*** Please note that disabling UPnP might adversely affect features and capabilities of the device and/or supporting applications or devices connecting to these products.

Vendor References

http://www.dlink.com/us/en/technology/upnp
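
To check a device you administer against the SDK versions listed in the statement, and to confirm the disable procedure took effect, the following added example (not D-Link's or CERT's code) parses the SERVER header of an SSDP reply. The product-token patterns, the function names and the sample responses are assumptions made for this illustration.

```python
import re
import socket

# Fixed versions as given in the vendor statement; all Intel SDK versions are affected.
FIXED = {"portable": (1, 6, 18), "miniupnp": (1, 1)}
VER = r"\s*/\s*(\d+(?:\.\d+)*)"
# SERVER-header product tokens these SDKs commonly send (assumption, self-reported).
PATTERNS = [
    ("intel", re.compile(r"Intel SDK for UPnP devices" + VER, re.I)),
    ("portable", re.compile(r"Portable SDK for UPnP devices" + VER, re.I)),
    ("miniupnp", re.compile(r"miniupnpd?" + VER, re.I)),
]
# Constructed sample responses, not captured from any real device.
SAMPLE_OLD = ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
              "SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
              "ST: upnp:rootdevice\r\n\r\n")
SAMPLE_NEW = SAMPLE_OLD.replace("/1.6.6", "/1.6.18")

def server_header(response):
    """Return the SERVER header value of a raw SSDP response, or ''."""
    for line in response.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""

def classify(response):
    """Map an SSDP response to 'affected', 'fixed' or 'unknown'."""
    server = server_header(response)
    for sdk, pattern in PATTERNS:
        match = pattern.search(server)
        if not match:
            continue
        if sdk == "intel":  # the statement lists every Intel SDK version
            return "affected"
        version = tuple(int(part) for part in match.group(1).split("."))
        return "affected" if version < FIXED[sdk] else "fixed"
    return "unknown"

def probe(host, timeout=3.0):
    """Unicast M-SEARCH to one device you administer; 'silent' means no SSDP reply."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n')
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg.encode(), (host, 1900))
        try:
            return classify(sock.recvfrom(4096)[0].decode("latin-1"))
        except socket.timeout:
            return "silent"
```

A "silent" result only shows that SSDP went unanswered on UDP 1900 from the network position you probed. The SERVER value is self-reported, so treat "fixed" and "unknown" as hints to confirm against the firmware release notes.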

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.