Emerging UPnP Vulnerabilities

By Tom Chmielarski, Practice Lead – RSA Advanced Cyber Defense Practice (Americas)

Several vulnerabilities with multiple implementations of Universal Plug and Plan (UPnP) were announced January 29 by security firm Rapid7. These vulnerabilities can result in remote code execution and affect “between 40 and 50 million” internet connected devices (according to Rapid7). Said another way, this affects products made by “over 1,500 vendors and 6,900 products”. The Rapid7 announcement, available here, discusses their findings in depth.

UPnP is a protocol which allows networked devices to automatically configure themselves and the network to facilitate easy setup and network communication. Skype, for example, will use UPnP to automatically configure a router to allow the correct ports to be open.  By leveraging the UPnP SOAP service an attacker could, for example, modify firewall settings to let an attacker into the network or stop all traffic.  Internet-facing UPnP is usually not needed though, so the discovery of UPnP may indicate a larger configuration management issue.  I can’t help but think of the DNSChanger worm, which used default administrative credentials on home routers, to change router settings to alter DNS results for clients behind it.

The impact of these vulnerabilities is particularly wide spread because many common vendors use just a few different UPnP development libraries.  Rapid7 found vulnerabilities in the four most common UPnP libraries. The vulnerabilities are all separate and independent; they are all just vulnerabilities in the same technology announced at the same time. The vulnerability could allow for exploitation of the networked device and, in the case of a router or firewall, potentially subsequent attack of the systems behind it.

Because many networked devices – ranging from routers to webcams to TVs – use UPnP, usually enabled by default, the scope of this problem is staggering. Since many of these devices are not updated very often, by either the vendor and by the device user, this problem is likely to be with us for a while. Additionally, the UPnP development kits have now been patched but vendors using those kits still need to implement the new code, make any required changes, test the patches, and roll out updates. Cisco, as one vendor using an affected UPnP development library, has a security announcement stating:

“Cisco is currently evaluating products for possible exposure to these UPnP vulnerabilities. Products will only be listed in the “Vulnerable Products” or “Products Confirmed Not Vulnerable” sections of this advisory when a final determination about product exposure is made. Products that are not listed in either of these two sections are still being evaluated.”

US-CERT lists affected vendors as Cisco, Fujitsu, Huawei, Linksys, NEC, Siemens, and Sony. Those companies represent a large number of devices and are only a very small part of the “1,600” vendors cited by Rapid7.

Tom Chmielarski is Practice Lead within the RSA Advanced Cyber Defense Practice serving the Americas. Tom has over 15 years of IT experience, primarily in security, spanning operations, incident response, malware, forensics, data analysis, and strategy. He has experience in the Defense, Industrial Controls, Electronics manufacturing sectors. He is a subject matter expert in incident response, security monitoring, forensics, malware, and data analysis.