search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Router devices do not implement sufficient UPnP authentication and security

Vulnerability Note VU#361684

Original Release Date: 2015-08-31 | Last Revised: 2016-01-04

Overview

Home routers implementing the UPnP protocol do not sufficiently randomize UUIDs in UPnP control URLs, or implement other UPnP security measures.

Description

The UPnP protocol allows automatic device discovery and interaction with devices on a network. The UPnP protocol was originally designed with the threat model of being on a private network (not available to the WAN) restricted to only authorized users, and therefore does not by default implement authentication. Later efforts developed a UPnP Security standard, but according to UPnP Forum's Device Protection standard documentation, "support and deployment of this standard has been extremely limited", due to cumbersome user experience and lack of industry buy-in of advanced features such as Public Key Infrastructure (PKI).

According to the reporter, poor adoption of the security standard may broadly open up opportunities for an attacker with private network access to guess the UPnP Control URLs for many devices currently on the market. If the guess is correct, the attacker may utilize UPnP to make changes to the home router's configuration such as opening ports and enabling services that allow an attacker further access to the network. A correct guess is likely, due to many manufacturers' use of standardized UPnP Control URL names.

Some vendors have reported that their devices randomize the UUID in the Control URL, making guessing the correct URL much more difficult, but many vendors have not taken this action. For more information, see the Vendor Information section below. It is currently unclear how widespread the deployment of UPnP security standards is in these devices.

One possible method of gaining enough access to the private network to utilize UPnP is through a DNS Rebinding attack, which is well-known in the security community. Previously, it has been reported that Flash may be utilized to gain control of UPnP.

The reporter has more information on this issue at http://www.filet-o-firewall.com.

Impact

An attacker able to gain access to the private network by enticing a user to visit a specially-crafted web page may be able to silently open ports in a user's firewall or perform other administrative actions on the gateway router.

Solution

The CERT/CC is currently unaware of a full solution to this problem. However, the following workarounds may help mitigate risks.

Do not follow unknown links

Exercise caution when following links to URLs you do not recognize.

Disable UPnP

Consider disabling UPnP services on your home network. Some users may require UPnP services on their network; if so, users must exercise judgment and weigh risks versus rewards of operating such a network. When purchasing networking equipment, consider devices that have implemented the latest UPnP standards and security.

Furthermore, if you are a developer or manufacturer of devices using UPnP, consider the following:

Randomize the UUID in the control URL

Randomizing appropriate UPnP UUIDs and URLs may help mitigate brute force attacks, but likely is not a full solution.

Implement latest UPnP standards

Consider implementing the latest UPnP standards such as Device Protection in order to provide better security to devices utilizing UPnP.

Vendor Information

361684
 
Affected   Unknown   Unaffected

NEC Corporation

Updated:  October 26, 2015

Status

  Affected

Vendor Statement

We provide information on this issue at the following URL <http://jpn.nec.com/security-info/secinfo/nv15-018.html>(only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Check Point Software Technologies

Notified:  July 14, 2015 Updated:  January 04, 2016

Statement Date:   January 04, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  July 14, 2015 Updated:  July 14, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    AT&T

    Notified:  July 14, 2015 Updated:  July 14, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      Alcatel-Lucent

      Notified:  July 14, 2015 Updated:  July 14, 2015

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        Avaya, Inc.

        Notified:  July 14, 2015 Updated:  July 14, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Belkin, Inc.

          Notified:  July 14, 2015 Updated:  July 14, 2015

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Cisco

            Notified:  July 14, 2015 Updated:  July 14, 2015

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              D-Link Systems, Inc.

              Notified:  July 14, 2015 Updated:  July 14, 2015

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Extreme Networks

                Notified:  July 14, 2015 Updated:  July 14, 2015

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  F5 Networks, Inc.

                  Notified:  July 14, 2015 Updated:  July 14, 2015

                  Status

                    Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    Force10 Networks

                    Notified:  July 14, 2015 Updated:  July 14, 2015

                    Status

                      Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      Google

                      Notified:  June 19, 2015 Updated:  June 19, 2015

                      Status

                        Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        Hitachi

                        Notified:  July 14, 2015 Updated:  July 14, 2015

                        Status

                          Unknown

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor References

                          Huawei Technologies

                          Notified:  July 14, 2015 Updated:  July 14, 2015

                          Status

                            Unknown

                          Vendor Statement

                          No statement is currently available from the vendor regarding this vulnerability.

                          Vendor References

                            IBM Corporation

                            Notified:  July 14, 2015 Updated:  July 14, 2015

                            Status

                              Unknown

                            Vendor Statement

                            No statement is currently available from the vendor regarding this vulnerability.

                            Vendor References

                              Intel Corporation

                              Notified:  July 14, 2015 Updated:  July 14, 2015

                              Status

                                Unknown

                              Vendor Statement

                              No statement is currently available from the vendor regarding this vulnerability.

                              Vendor References

                                Juniper Networks

                                Notified:  July 14, 2015 Updated:  July 14, 2015

                                Status

                                  Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor References

                                  Mozilla

                                  Notified:  June 19, 2015 Updated:  June 19, 2015

                                  Status

                                    Unknown

                                  Vendor Statement

                                  No statement is currently available from the vendor regarding this vulnerability.

                                  Vendor References

                                    Nokia

                                    Notified:  July 14, 2015 Updated:  July 14, 2015

                                    Status

                                      Unknown

                                    Vendor Statement

                                    No statement is currently available from the vendor regarding this vulnerability.

                                    Vendor References

                                      Peplink

                                      Notified:  July 14, 2015 Updated:  July 14, 2015

                                      Status

                                        Unknown

                                      Vendor Statement

                                      No statement is currently available from the vendor regarding this vulnerability.

                                      Vendor References

                                        SafeNet

                                        Notified:  July 14, 2015 Updated:  July 14, 2015

                                        Status

                                          Unknown

                                        Vendor Statement

                                        No statement is currently available from the vendor regarding this vulnerability.

                                        Vendor References

                                          Wind River

                                          Notified:  July 20, 2015 Updated:  July 20, 2015

                                          Status

                                            Unknown

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor References

                                            ZyXEL

                                            Notified:  July 14, 2015 Updated:  July 14, 2015

                                            Status

                                              Unknown

                                            Vendor Statement

                                            No statement is currently available from the vendor regarding this vulnerability.

                                            Vendor References

                                              View all 24 vendors View less vendors


                                              CVSS Metrics

                                              Group Score Vector
                                              Base 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
                                              Temporal 3.7 E:POC/RL:U/RC:UR
                                              Environmental 3.7 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

                                              References

                                              Acknowledgements

                                              Thanks to Grant Harrelson for reporting this issue to us.

                                              This document was written by Garret Wassermann.

                                              Other Information

                                              CVE IDs: None
                                              Date Public: 2015-08-31
                                              Date First Published: 2015-08-31
                                              Date Last Updated: 2016-01-04 15:56 UTC
                                              Document Revision: 83

                                              Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.