US-CERT, Rapid7 Warn of Massive UPnP Security Flaws
US-CERT is recommending that users and administrators disable UPnP if possible.
The Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) recently warned that multiple buffer overflow vulnerabilities have been uncovered in libupnp, the open source portable SDK for UPnP (Universal Plug and Play) devices.
"US-CERT recommends that users and administrators review CERT Vulnerability Note VU#922681, disable UPnP (if possible), and restrict access to SSDP (1900/udp) and Simple Object Access Protocol (SOAP) services from untrusted networks such as the Internet," the advisory states.
"UPnP is a protocol standard designed to automate how a computer identifies network devices such as printers, media servers and IP cameras and exchanges data with them," explains TechWeekEurope's Tom Brewster. "Applications use it to access and configure network-connected services. Support for UPnP is enabled by default on Windows and Mac OS X machines, as well as various Linux distributions."
The US-CERT advisory follows the publication of a Rapid7 white paper examining security flaws in UPnP. "The company said it discovered between 40 million and 50 million devices that were vulnerable to attack due to three separate sets of problems that the firm's researchers have identified with the UPnP standard," writes Reuters' Jim Finkle. "The flaws could allow hackers to access confidential files, steal passwords, take full control over PCs as well as remotely access devices such as webcams, printers and security systems, according to Rapid7."
"The researchers found three types of flaws: programming bugs in common UPnP discovery protocol (SSDP) implementations that can be used by an attacker to crash the service and run malicious code; the UPnP control interface, Simple Object Access Protocol (SOAP), exposes private networks to attacks on the outside Internet and can leak sensitive data; and programming flaws in the UPnP HTTP and SOAP implementations, which can also be used to crash the service and run malicious code," writes Dark Reading's Kelly Jackson Higgins.
"The researchers say that over 1,500 vendors and 6,900 products were identified and vulnerable to at least one of these security flaws," writes ZDNet's Charlie Osborne. "Vendors with vulnerable products include Belkin, Linksys and Netgear."