search menu icon-carat-right cmu-wordmark

CERT Coordination Center


UPnP requests accepted over router WAN interfaces

Vulnerability Note VU#357851

Original Release Date: 2011-10-05 | Last Revised: 2012-11-30

Overview

Some Internet router devices incorrectly accept UPnP requests over the WAN interface.

Description

Universal Plug and Play (UPnP) is a networking protocol mostly used for personal computing devices to discover and communicate with each other and the Internet. Some UPnP enabled router devices incorrectly accept UPnP requests over the WAN interface. "AddPortMapping" and "DeletePortMapping" actions are accepted on these devices. These requests can be used to connect to internal hosts behind a NAT firewall and also proxy connections through the device and back out to the Internet. Additional details can be found in Daniel Garcia's whitepaper, "Universal plug and play (UPnP) mapping attacks". [PDF] A list of devices reported to be vulnerable can be found on the UPnP hacks website.

Impact

A remote unauthenticated attacker may be able to scan internal hosts or proxy Internet traffic through the device.

Solution

Contact the device's vendor to find out if a firmware update is available to address this vulnerability.

Workarounds

Disable UPnP on the device.

Vendor Information

357851
Expand all

Canyon-Tech

Updated:  October 05, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Edimax Computer Company

Updated:  October 05, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Linksys (A division of Cisco Systems)

Updated:  October 03, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sitecom

Updated:  October 05, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sweex

Updated:  October 05, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Technicolor

Updated:  October 07, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Thomson and Speedtouch brands have been assimilated into the Technicolor company and brand.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ZyXEL

Updated:  October 05, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 9.4 AV:N/AC:L/Au:N/C:N/I:C/A:C
Temporal 8.0 E:POC/RL:W/RC:C
Environmental 8 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Daniel Garcia for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: None
Severity Metric: 0.85
Date Public: 2011-08-05
Date First Published: 2011-10-05
Date Last Updated: 2012-11-30 17:58 UTC
Document Revision: 16

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.