This morning we released a whitepaper entitled Security Flaws in Universal Plug and Play. This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices. The results were shocking to the say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks outlined in this paper. The two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities. In the case of the Portable UPnP SDK, over 23 million IPs are vulnerable to remote code execution through a single UDP packet. All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP. This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in of itself.
The vulnerabilities we identified in the Portable UPnP SDK have been fixed as of version 1.6.18 (released today), but it will take a long time before each of the application and device vendors incorporate this patch into their products. In most cases, network equipment that is "no longer shipping" will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new. The flaws identified in the MiniUPnP software were fixed over two years ago, yet over 330 products are still using older versions.
For the reasons outlined above, we strongly suggest that end users, companies, and ISPs take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments. UPnP is pervasive - it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage servers.
To this end, we have provided ScanNow UPnP, a free tool that can identify exposed UPnP endpoints in your network and flag which of those may remotely exploitable through recently discovered vulnerabilities. A screenshot of this tool in action in the lower right.
If you are accessing the internet from your home network, we now offer an alternative to ScanNow and Metasploit. The Rapid7 UPnP Check is a one-click security scan for broadband and mobile users. If you are concerned about the security of your non-technical friends and family, this is a quick way for them to check their home router for UPnP vulnerabilities. The main difference between this service and ScanNow is that the UPnP Check will run a scan from the internet and can only check the external interface of your router.
Although ScanNow only supports Microsoft Windows, users of Mac OS X and Linux can accomplish the same task using Metasploit. To use the latest module,which includes vulnerability reporting for the recently disclosed vulnerabilities, make sure you have the most current update applied.
Using this module within Metasploit's web interface is simple. Create a new project and access the Modules tab. In the search bar, enter "ssdp_msearch", then select the module named UPnP SSDP M-SEARCH Information Discovery. Enter the network range you want to scan and Metasploit will take care of the rest. The module will run in the background and the Analysis tab will be updated with hosts and vulnerabilities as they are found.
To accomplish the same task using the command-line, first open the Metasploit console.
From the msf prompt, enter the following commands, substituting your own network for RHOSTS
msf > use auxiliary/scanner/upnp/ssdp_msearch
msf auxiliary(ssdp_msearch) > set RHOSTS 192.168.0.0/24
msf auxiliary(ssdp_msearch) > run
Any devices supporting UPnP should appear, with specific CVEs listed for those that have at least one exploitable vulnerability.
[*] 192.168.0.9:1900 SSDP Net-OS 5.xx UPnP/1.0 | http://192.168.0.9:3278/etc/linuxigd/gatedesc.xml
[+] 192.168.0.254:1900 SSDP miniupnpd/1.0 UPnP/1.0 | vulns:2 (CVE-2013-0229, CVE-2013-0230)
If you are interested in hearing more about these issues, I will be hosting a one-hour webcast on February 4th at 3:00pm EST. You can also leave comments on this post.