UPnP advisory - US CERT
29 Jan 2013 - "Multiple vulnerabilities have been announced in libupnp, the open source portable SDK for UPnP devices. Libupnp is employed by hundreds of vendors for UPnP-enabled devices. Information is also available in CERT Vulnerability Note VU#922681*..."
29 Jan 2013 - "... Disable UPnP: Consider disabling UPnP on the device if it is not absolutely necessary..."
Jan 29, 2013 - "... We strongly recommend people to check whether they may be vulnerable, and if so, disable the UPnP protocol* in any affected devices..."
Jan 29, 2013 - "... Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks.. In most cases, network equipment that is "no longer shipping" will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new..."
UPnP Router Security Check: http://upnp-check.rapid7.com/
Severity: High Severity
Jan 30, 2013
Universal Plug and Play provides a significant attack surface and should be protected from network access via robust access control protections on UDP port 1900 and/or hardened configuration.
Analysis: A large-scale scan of the Internet determined that a huge number of systems are vulnerable, and that exploitation in some cases can be performed with one UDP packet. This UDP packet can be spoofed. Actual attack details are not available to the public however we can rest assured that attackers are hard at work. While such bugs may not make their way into typical commodity crimeware exploit kits, targeted and opportunistic attackers with enough intelligence to create exploit code for these vulnerabilities are surely at work. One difficulty is that there are a large number of devices, each that may have their own specific configuration and device quirks that would require some research on the part of the attackers. The potential for a network-wide worm certainly exists. Organizations are encouraged to block uPnP as much as possible and ensure that attack surface is reduced because it is likely that the scanning activity will increase. While UDP port 1900 appears to the main vector, TCP/UDP port 2869 is also involved and should be monitored carefully and restricted as much as possible to reduce attack surface.
30 Jan 2013
Edited by AplusWebMaster, 31 January 2013 - 01:45 PM.