Slashdot Mirror


50 Million Potentially Vulnerable To UPnP Flaws

Gunkerty Jeb writes "In a project that found more than 80 million unique IP addresses responding to Universal Plug and Play (UPnP) discovery requests, researchers at Rapid7 were shocked to find that somewhere between 40 and 50 million of those are vulnerable to at least one of three known attacks. A Rapid7 white paper enumerated UPnP-exposed systems connected to the Internet and identified the number of vulnerabilities present in common configurations. Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw. 'This research was primarily focused on vulnerabilities in the SSDP processor across embedded devices,' Rapid7's CSO HD Moore said. 'The general process was to identify what was out there, make a list of the most commonly used software stacks, and then audit those stacks for vulnerabilities. The results were much worse than we anticipated, with the most commonly used software stack (libupnp) also being the most vulnerable.'"


  1. Is it ``hacking'', the way they discovered it? by girlinatrainingbra · · Score: 4, Interesting
    So did they come up with the number of vulnerable sites from (a) -- sales figures of devices with UPnP enabled by default,

    or did they actually do active spidering of (b):

    1 -- a representative sample of IP addresses in a particular space
    2 -- a wide ranging probe of many many IP addresses all around the world?

    If they did (a) above, then sure it makes sense. If they did (b1) or (b2) above, especially if they didn't get the permission of every IP address which they probed/tested, then aren't they doing illegal penetration testing, even if all they are doing is checking for the existence of a responding port? I mean one or two or an accidental port knock would be like knocking IRL on a random stranger's door, but a sequential serialized intentional attempt to knock on so many doors to test vulnerability, well that's just annoying and wrong, and possibly illegal, eh?

    1. Re:Is it ``hacking'', the way they discovered it? by Anonymous Coward · · Score: 5, Informative

      Their methodology is explained in the report. Halfway through the first page of executive summary you'll find the following:

      UPnP discovery requests were sent to every routable IPv4 address approximately once a week from
      June 1 to November 17, 2012.

  2. Long standing bet by EmperorOfCanada · · Score: 5, Insightful

    I have had a long standing bet as to how long it would take for someone to really nail most of the routers out there. It has always puzzled me how something like Linux or Windows can have a vulnerability of the week which is (usually) patched by most users in a flash. Yet there are many very old d-link, linksys, etc routers out there doing their thing without being massively attacked.

    The closest that I have seen to a good widespread attack was when a certain DSL modem would crash when script-kiddies were attacking NT machines and the same attack jammed up that model DSL modem. That wasn't really an attack and it didn't amount to much.

    So my bet still stands with modification: there will be an attack, it will be soon, it will be a worm, and people will (mostly) be blissfully unaware of (why is my internet so slow) it and certainly be incapable of dealing with it. Thus it will come down to the ISPs to deal with it which should be interesting to watch.

  3. FYI If you have Verizon FiOS... by eksith · · Score: 4, Informative

    ...Like I do, you may find the router's UPnP page mysteriously missing from the "Advanced" section of your admin panel. This is a brilliant move on their part to avoid users breaking their skype/game access and then calling tech support.

    But the page itself is still there. Only the link was removed. To get to it, visit: http://192.168.1.1/index.cgi?active%5fpage=900

    Suck it, Verizon!

    --
    If computers were people, I'd be a misanthrope.
    1. Re:FYI If you have Verizon FiOS... by rvw · · Score: 4, Funny

      ...Like I do, you may find the router's UPnP page mysteriously missing from the "Advanced" section of your admin panel. This is a brilliant move on their part to avoid users breaking their skype/game access and then calling tech support.

      But the page itself is still there. Only the link was removed. To get to it, visit: http://192.168.1.1/index.cgi?active%5fpage=900

      Suck it, Verizon!

      Forgot to add, my router model is MI424WR-GEN3I

      Hey I just tried to login to your browser, but it seems to be a Linksys Router, and that link didn't work, got a 404 back. So please - for the next time - make sure what you're talking about!

  4. Re:UPnP is a vulnerability by green1 · · Score: 4, Informative

    Almost all routers are not vulnerable, if you are smart enough to uncheck the UPnP box. I haven't seen many where you can't disable it, and as has been pointed out elsewhere, running a firewall where any malware can request a gaping hole in it sort of defeats the purpose.
    These flaws are already a non-issue to anyone who takes security seriously. The problem is that the average user leaves things as they come from the factory, and they come from the factory vulnerable.