D-Link Systems, Inc. Information for VU#922681
Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP
- Date Notified: 13 Dec 2012
- Statement Date:
- Date Updated: 31 Jan 2013
Status
Affected
Vendor Statement
January 30, 2013 UPDATE:
At the current time D-Link deploys firmware that has UPnP feature support on our devices. The UPnP features are enabled by software developer kits - Intel, Portable, and miniUPnP.
Recently, it has been discovered that the following UPnP versions may have a security vulnerability that could cause devices to become unstable, impair functionality, or disclose the services the device offers (i.e. network camera feed):
- All Versions of Intel SDK
- Version of Portable SDK prior to V. 1.6.18
- Version of MiniUPnP SDK prior to V. 1.1
Security and performance are of the utmost importance to D-Link across all product lines, including networking, surveillance, storage and entertainment solutions.
The company is currently assessing the recent findings surrounding UPnP technology and whether any D-Link products are susceptible to vulnerabilities. If any action is needed, D-Link will provide information online at www.dlink.com/upnp
Vendor Information
Customers that want to disable UPnP in the affected products can do so by following these steps:
Current Solution for Affected Products by Disabling UPnP
Step 1: Log into device web configuration - For routers default URL
http://dlinkrouter.local or http://192.168.0.1
Step 2: Click on the Advanced tab at the top and then click on Advanced Network on the left-hand side.
Step 3: Under the UPnP Settings section, uncheck the disabled UPnP buttons to disable UPnP on the device
Step 4: Click Save Settings at the top to apply the settings.
*** Please note that disabling UPnP might adversely affect features and capabilities of the device and/or supporting applications or devices connecting to these products.
Vendor References
http://www.dlink.com/us/en/technology/upnp
Addendum
There are no additional comments at this time.
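An added example, not part of D-Link's statement or the CERT/CC record: a small inventory check that reads the SERVER header from captured SSDP responses and compares the advertised SDK version with the affected ranges listed in the vendor statement. The banner patterns, function names and sample responses are assumptions constructed for illustration.

```python
import re

# Affected ranges as listed in the vendor statement: (SDK, banner pattern, first
# version NOT listed as affected; None means every version is listed).
# The banner patterns are assumptions about how each SDK names itself.
VERSION = r"\s*/\s*(\d+(?:\.\d+)*)"
SDK_RULES = [
    ("Intel SDK", re.compile(r"Intel SDK for UPnP devices" + VERSION, re.I), None),
    ("Portable SDK", re.compile(r"Portable SDK for UPnP devices" + VERSION, re.I), (1, 6, 18)),
    ("MiniUPnP", re.compile(r"miniupnpd?" + VERSION, re.I), (1, 1)),
]

def server_header(response):
    """Return the SERVER header value of a raw SSDP response, or None."""
    for line in response.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def classify(response):
    """Return (status, sdk, version) for one captured SSDP response."""
    banner = server_header(response)
    if banner is None:
        return ("unknown", None, None)
    for sdk, pattern, first_unlisted in SDK_RULES:
        match = pattern.search(banner)
        if match:
            # Compare numerically: as strings, "1.6.6" would sort after "1.6.18".
            version = tuple(int(part) for part in match.group(1).split("."))
            listed = first_unlisted is None or version < first_unlisted
            return ("affected" if listed else "not listed", sdk, version)
    return ("unknown", None, None)

def ssdp(server=None):
    """Build a constructed sample response (not captured from a real device)."""
    head = "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
    return head + (f"SERVER: {server}\r\n" if server else "") + "\r\n"

SAMPLES = {  # constructed inventory, keyed by a hypothetical device label
    "camera": ssdp("Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6"),
    "router": ssdp("Linux/2.6.30 UPnP/1.0 MiniUPnPd/1.0"),
    "nas": ssdp("Linux/2.4.22 UPnP/1.0 Intel SDK for UPnP devices /1.2"),
    "patched": ssdp("Linux/3.0, UPnP/1.0, Portable SDK for UPnP devices/1.6.18"),
    "silent": ssdp(),
}

if __name__ == "__main__":
    for host, response in SAMPLES.items():
        print(host, classify(response))
```

A device that returns no SSDP response at all after UPnP has been disabled will not appear in such a capture, which is the expected result of the steps above.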