Millions of consumer devices using the ubiquitous Universal Plug and Play (UPnP) protocol, including routers, printers, media servers and webcams, are vulnerable to a cocktail of dangerous security vulnerabilities, pen-testing outfit Rapid7 has discovered.
UPnP’s security raggedness is not exactly news but the scale of the problems discovered by Rapid7 in a five-month research exercise between June and November 2012 should still be a wakeup call.
Although UPnP was designed for use inside home networks, to allow easy discovery of and communication between devices, the company was still able to find 81 million external IP addresses that responded to UPnP SSDP probes, 17 million of which also exposed communication via the Simple Object Access Protocol (SOAP), which can allow web access to devices behind a firewall.
The researchers were able to identify 6,900 product versions from 1,500 vendors that were vulnerable to at least one flaw, equivalent to possibly as many as 50 million vulnerable IPs.
All told, 23.6 million of them were open to up to eight remote code execution vulnerabilities connected to the Portable UPnP SDK (now the open source libupnp SDK), developed as far back as 2001 by Intel, including one flaw discovered by Rapid7 during its research.
“For the reasons outlined above, we strongly suggest that end users, companies, and ISPs take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments,” said Rapid7’s HD Moore.
“UPnP is pervasive - it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage servers.”
The SDKs could lie at the heart of the problem: just four of them, including Intel’s, accounted for 73 percent of the UPnP systems the firm was able to discover, a risky lack of diversity.
What Rapid7 and Moore have uncovered is a bit of a software mess: millions of devices exposed to attackers, and a large number of them vulnerable to known flaws that will likely never be fixed.
The problem is that devices have a short shelf life before they become obsolete; many are simply never updated.
Where updates are impossible, segmentation is the fallback: “If the UPnP service cannot be disabled and the vendor does not have an update, it may be prudent to segment the device from the rest of the network,” recommended Moore.
Home users should make sure that UPnP is disabled on home and mobile broadband routers.
Windows users can download the free and simple ScanNow tool to check for vulnerable endpoints, he said, while Mac and Linux users can try the more involved Metasploit.
As to which products are affected, three lists have been published: products affected by the UPnP SOAP issue, products using the Intel Portable UPnP SDK, and products using a third SDK with problems, MiniUPnP.
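As an added illustration, not code from Rapid7, ScanNow or the article, the following Python triages SSDP replies an administrator has already collected from their own network (the responses, SERVER strings and addresses below are constructed) and flags those whose SERVER header names one of the SDK families the article discusses, so they can be checked against the published vendor lists and then disabled or segmented. The signature patterns are assumptions about how those stacks identify themselves, and a match means “verify this device”, not “confirmed vulnerable”.

```python
import re
from typing import Dict, List, Optional

# Constructed SSDP replies in the shape a device returns to an M-SEARCH;
# illustrative only, not captured from any real device.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    "SERVER: Linux/2.6, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    "ST: upnp:rootdevice\r\n\r\n",
    "HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.2:5000/rootDesc.xml\r\n"
    "SERVER: OS/1.0 UPnP/1.1 MiniUPnPd/1.4\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n",
    "HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.3:8080/desc.xml\r\n"
    "SERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/2.0\r\n\r\n",
]

# SDK families named in the article. The self-identification strings are an
# assumption; a hit means "check against the vendor advisory", nothing more.
SDK_SIGNATURES = {
    "portable-upnp-sdk": re.compile(r"Portable SDK for UPnP|libupnp|Intel SDK for UPnP", re.I),
    "miniupnp": re.compile(r"MiniUPnP", re.I),
}

def parse_ssdp_response(raw: str) -> Dict[str, str]:
    """Parse the header block of a 200 OK SSDP response into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    lines = raw.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return headers
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_endpoint(raw: str) -> Optional[Dict[str, str]]:
    """Return location/server/sdk when the SERVER header matches a known SDK family."""
    headers = parse_ssdp_response(raw)
    server = headers.get("server", "")
    for sdk, pattern in SDK_SIGNATURES.items():
        if pattern.search(server):
            return {"location": headers.get("location", ""), "server": server, "sdk": sdk}
    return None

def triage(responses: List[str]) -> List[Dict[str, str]]:
    """Keep only the replies that name a tracked SDK, for follow-up against the vendor lists."""
    return [hit for hit in (classify_endpoint(r) for r in responses) if hit]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RESPONSES):
        print(f"{hit['location']:40} {hit['sdk']:18} {hit['server']}")
```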