UPnP flaws place millions of networks in danger

By on January 29, 2013, 4:00 PM

Several security vulnerabilities found within common UPnP implementations have prompted experts at Rapid 7 to recommend the public disable UPnP entirely. Research spanning several months in 2012 revealed that over 2 percent -- or about 50 million -- of all IPv4 accessible networks suffer from one of just three flaws outlined in the paper (there are eight flaws in total). These vulnerabilities enable hackers to remotely access networks or even execute code. In fact, one remote code execution bug affects 23 million networks and can be triggered by the transmission of a single UDP packet.

UPnP is a zero-config technology that allows software and devices to automagically trigger the opening and forwarding of ports on managed network equipment (e.g. gateway, router, commercial switches). At home, UPnP is particularly useful for game servers, file sharing and P2P applications -- essentially any service that depends on incoming connections but doesn't utilize a mediation server. Without UPnP, users must manually configure port forwarding and IP address assignment via their router and firewall administration utilities.

According to security researchers, 81 million unique IPv4 addresses responded to remote UPnP discovery requests. Of those 81 million, about 20 percent allowed SOAP access -- an unsettling result when you consider this allowance can permit hackers remote access to networked devices behind a router. Possible exploits include stack overflows, remote code execution and unauthorized access to network management interfaces and even the networks themselves.

Portable UPnP, one of the four major UPnP libraries affected, released a patch today which resolves these troublesome exploits. However, it's up to equipment vendors (e.g. D-Link, Linksys etc..) to incorporate such security fixes into their firmware and distribute it to their users. For this reason, many devices that are no longer supported will remain unprotected indefinitely.

Not sure if your equipment is affected by one of the flaws? Rapid7 is offering a free utility to verify the safety of your network's UPnP implementation. There have been numerous complaints about downloading, installing and running this scanner though: your mileage may vary until they get the bugs worked out. If you're unsure or don't want to take any chances, disabling UPnP is probably the way to go.




User Comments: 15

Got something to say? Post a comment
1 person liked this | jobeard jobeard, TS Ambassador, said:

I've never allowed UPnP at the gateway router and

for those on Win/7, the Firewall Advance Settings->Network Discovery (UPnP-in) can be further restricted

by setting the Scope to your Local Lan

(properties-> Scope Tab -> (*) These IP addresses -> add -> local subnet)

UPnP has ALWAYS been an issue.

Staff
Rick Rick, TechSpot Staff, said:

UPnP has ALWAYS been an issue.

For being "automagical", I've always found it cantankerous.

I actually re-visited UPnP in recent years to get WiFi sync working between iTunes and my iPhone... It just cemented my previous experiences. Sometimes it would work... sometimes it wouldn't... I'm sure it works fine for many people with many different routers etc.. but I've officially given up on UPnP.

I'm also someone who takes comfort in being explicit and deliberate when it comes to configuring devices... I leave it disabled and will likely continue to do so for some time.

jobeard jobeard, TS Ambassador, said:

I was speaking of the Security Risk UPnP creates :sigh:

Lionvibez said:

I've never allowed UPnP at the gateway router and

for those on Win/7, the Firewall Advance Settings->Network Discovery (UPnP-in) can be further restricted

by setting the Scope to your Local Lan

(properties-> Scope Tab -> (*) These IP addresses -> add -> local subnet)

UPnP has ALWAYS been an issue.

Great tip will look into this tonight.

Question also say you want to use UPNP so it configures the port for the application you are trying to setup but then disabled after its configured. Would it be ok to use it on a per application basis then turn it off when not needed?

jobeard jobeard, TS Ambassador, said:

That would work, but what a pain to keep track of

There's also the issue of knowing what need to be configured - - sometimes it's more than just one application.

hahahanoobs hahahanoobs said:

I disabled UPnP almost a year ago when I kept getting disconnected from BF3 servers, and saw disabling UPnP as a fix, and it worked!

"Without UPnP, users must manually configure port forwarding and IP address assignment via their router and firewall administration utilities."

Not me. I have zero ports manually configured with UPnP Disabled in my Thompson Modem/router, and torrents and online gaming are trouble free. Hmm, I just looked at settings again... is Automatic Port Mapping in uTorrent a workaround for forwarding ports manually with UPnP disabled?

Darth Shiv Darth Shiv said:

I disabled UPnP almost a year ago when I kept getting disconnected from BF3 servers, and saw disabling UPnP as a fix, and it worked!

"Without UPnP, users must manually configure port forwarding and IP address assignment via their router and firewall administration utilities."

Not me. I have zero ports manually configured with UPnP Disabled in my Thompson Modem/router, and torrents and online gaming are trouble free. Hmm, I just looked at settings again... is Automatic Port Mapping in uTorrent a workaround for forwarding ports manually with UPnP disabled?

Without UPnP or ports forwarded, your torrents would not be able to connect to another person who has the same configuration as you. Referred to as whether you are "connectable" or not.

UPnP is just another technology that should have been aborted at birth. Like ActiveX and WPS. When you consider the security holes and access it gives to unauthorised parties, it is just a bad idea. I've disabled it from day dot on every router that has had the feature because it just stunk.

PinothyJ said:

WTF!

Rapid seven want my full name, phone number, job title and company, amoungst other things, just to use this utility.

What a crock...

Lionvibez said:

I just ran this tool on my network which has UPnP enabled and I got:

Darth Shiv Darth Shiv said:

I just ran this tool on my network which has UPnP enabled and I got:

Just means your UPnP does not have the exploit that the tool checks for. So you aren't susceptible to *this* problem.

One of the main reasons I don't like UPnP is that if malicious code runs on a machine in your network, it can use UPnP to open a port to the outside world and do things like act as a server for botnets and so on. Take commands etc. It's just a *really* dumb idea to give arbitrary software that kind of power.

spydercanopus spydercanopus said:

If you're directly connected to a modem without a router, you should disable it from services.msc

Staff
Per Hansson Per Hansson, TS Server Guru, said:

main reasons I don't like UPnP is that if malicious code runs on a machine in your network, it can use UPnP to open a port to the outside world and do things like act as a server for botnets and so on. Take commands etc. It's just a *really* dumb idea to give arbitrary software that kind of power.

This is the exact reason I've given for disabling UPnP in the last decade...

I always knew a vulnerability like this one we see today would come, I'm actually surprised it took so long!

hahahanoobs hahahanoobs said:

Without UPnP or ports forwarded, your torrents would not be able to connect to another person who has the same configuration as you. Referred to as whether you are "connectable" or not.

Thanks for the info.

havok585 havok585 said:

UPnP should not be disabled if u host servers (ftp access, public game servers, Winamp radio stations ,etc.) on certified high quality modem/routers (Cisco, Linksis (Cisco again lol) D-Link, NetGear and Asus) especially if u are not a power user, no hacker could access your router, unless the firmware is outdated (professional brands have this auto-updated) and u messed with the settings (firewall disabled, ports left open without filtering)...

UPnP service should be disabled if u are a power user and want to control the whole scene.

Darth Shiv Darth Shiv said:

UPnP should not be disabled if u host servers (ftp access, public game servers, Winamp radio stations ,etc.) on certified high quality modem/routers (Cisco, Linksis (Cisco again lol) D-Link, NetGear and Asus) especially if u are not a power user, no hacker could access your router, unless the firmware is outdated (professional brands have this auto-updated) and u messed with the settings (firewall disabled, ports left open without filtering)...

UPnP service should be disabled if u are a power user and want to control the whole scene.

Personally I would highly recommend anyone running dedicated servers to learn port forwarding rather than touch UPnP.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.