Rapid7 flags Universal Plug and Play security flaws

News 30 Jan, 2013

Universal Plug and Play open to remote attacks, warns security expert.

Around 50 million network-enabled devices could be open to attack from hackers, thanks to a flaw in the Universal Plug and Play (UPnP) protocol.

This is the view of security researcher HD Moore from IT security firm Rapid7.

UPnP allows devices to find each other and automatically configure themselves to enable data sharing, media streaming and playback services, for example.

The protocol is usually employed within local networks, but the researcher found 80 million unique IPs that responded to UPnP discovery requests from the internet.

Between 40 and 50 million IPs were found to be vulnerable to at least one of three attacks.

The two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities.

In the case of the Portable UPnP SDK, over 23 million IPs are vulnerable to remote code execution through a single UDP packet, the researcher found.

“All told, we were able to identify more than 6,900 product versions that were vulnerable through UPnP,” said Moore.

“This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability.”

He said the flaws found in the Portable UPnP SDK have been fixed as of version 1.6.18.

Moore warned that it will take a long time before each of the application and device vendors incorporates this patch into its products.

“In most cases, network equipment that is ‘no longer shipping’ will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new,” said Moore in a blog post.

“The flaws identified in the MiniUPnP software were fixed over two years ago, yet over 330 products are still using older versions.”

Moore urged end users, companies, and ISPs to take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments.

Rapid7 published three lists of products that are vulnerable to Portable UPnP SDK and MiniUPnP flaws, and that expose the UPnP SOAP service to the internet.

The firm has also released a free tool, ScanNow for Universal Plug and Play, that can detect susceptible UPnP services running inside a network.
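
As an added example (not part of the original article and not Rapid7's ScanNow tool): once SSDP discovery responses have been collected from your own network, the sketch below flags devices whose SERVER banner advertises a Portable UPnP SDK version older than 1.6.18, the fixed version named above. The banner format, the function names and the sample responses are assumptions constructed for illustration.

```python
import re

FIXED_LIBUPNP = (1, 6, 18)  # fixed Portable UPnP SDK version, as stated in the article

# Assumed product token that the Portable UPnP SDK puts in the SSDP SERVER header.
LIBUPNP_RE = re.compile(r"Portable SDK for UPnP devices\s*/\s*(\d+(?:\.\d+)*)", re.I)

def parse_ssdp(raw: bytes) -> dict:
    """Split an SSDP response into a status line and lower-cased headers."""
    lines = raw.decode("latin-1").splitlines() or [""]
    headers = {"_status": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def libupnp_version(server: str):
    """Return the advertised SDK version as a tuple, or None if not present."""
    match = LIBUPNP_RE.search(server or "")
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad "1.6" to (1, 6, 0)

def classify(raw: bytes) -> str:
    headers = parse_ssdp(raw)
    if not headers["_status"].startswith("HTTP/1.1 200"):
        return "not-ssdp"
    version = libupnp_version(headers.get("server", ""))
    if version is None:
        # Banners can be changed or removed, so this is not proof of safety.
        return "other-stack"
    return "patched" if version >= FIXED_LIBUPNP else "needs-update"

def audit(responses: dict) -> dict:
    """Map each responding address to its classification."""
    return {ip: classify(raw) for ip, raw in responses.items()}

def _resp(server: str) -> bytes:
    return (f"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
            f"LOCATION: http://192.0.2.1:49152/desc.xml\r\n"
            f"SERVER: {server}\r\nST: upnp:rootdevice\r\n\r\n").encode()

# Constructed sample responses (documentation addresses, made-up banners).
SAMPLES = {
    "192.0.2.10": _resp("Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6"),
    "192.0.2.11": _resp("Linux/3.0.8, UPnP/1.0, Portable SDK for UPnP devices/1.6.18"),
    "192.0.2.12": _resp("ExampleOS/1.0 UPnP/1.0 ExampleStack/2.3"),
}

if __name__ == "__main__":
    for ip, verdict in audit(SAMPLES).items():
        print(ip, verdict)
```

A "patched" or "other-stack" result only reflects the advertised banner; a device that answers UPnP discovery from the internet still needs the exposure itself closed, as Moore recommends.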