More than 1,500 vendors and 6,900 products encompassing millions of end user systems have been identified as vulnerable to one or more security flaws in the Universal Plug and Play (UPnP) protocol, according to a recently released study by security firm Rapid7. Although Rapid7 and CERT have worked to notify vendors, and many have responded with updates, researchers recommended disabling UPnP on all external-facing systems and critical devices.
UPnP is a protocol standard that allows for zero-configuration connections among networked devices such as routers, printers, network storage servers, smart home electronics and others. According to the Rapid7 study, many UPnP-enabled systems are exposed to the internet, making any vulnerabilities susceptible to remote execution.
“The UPnP protocol suffers from a number of basic security problems, many of which have been highlighted over the last twelve years,” researchers wrote. “Authentication is rarely implemented by device manufacturers, privileged capabilities are often exposed to untrusted networks, and common programming flaws plague common UPnP software implementations. These issues are endemic across UPnP-enabled applications and network devices.”
Pinpointing the risk
Over the course of five and a half months, researchers identified 81 million unique IP addresses that responded to a standard UPnP discovery request – slightly more than the networked population of Canada. While the UPnP Simple Service Discovery Protocol (SSDP) is intended solely for internal networks, misconfigurations in thousands of products currently allow external access. Twenty percent of IPs, or approximately 17 million, also exposed the UPnP Simple Object Access Protocol (SOAP) service, which can allow attackers to open holes in a firewall, to the internet. Researchers expressed surprise at the level of exposure.
Compounding the danger is the fact that more than 73 percent of the UPnP instances discovered through SSDP came from four software development kits (SDK). The Intel/Portable SDK for UPnP devices, which, across all versions, contains at least eight remote execution vulnerabilities, exposes around 23 million systems by itself. While the latest, refactored version of this SDK fixes all but two of these issues, researchers noted that many implementations of the code were outdated.
“Given the age of this code and the number of devices on which it is installed, one would assume it had been audited for security flaws at some point in the past,” they wrote. “…Keep in mind that almost a quarter of the libupnp-based systems were running a version of this SDK that is over a decade old and more than half are using a version of libupnp that is at least six years old.”
The buffer overflow exploits in this SDK are particularly dangerous because a system running the code could potentially be corrupted by a single spoofed UDP packet, researchers noted. These vulnerabilities have been fixed by version 1.6.18 of libupnp, but many devices are likely to remain unpatched.
Update problems have also plagued the second most-common UPnP implementation, MiniUPnPd, which handles firewall rule management in addition to network processes. Rapid7’s team found two issues in the MiniUPnP SSDP handler in versions prior to 1.4, as a remote stack buffer overflow in the SOAPAction handler of the HTTP service included with MiniUPnP version 1.0. While all of these issues have been addressed in the latest version, 67 percent of systems running MiniUPnP are still using version 1.0, researchers noted.
More than 200 vendors have been contacted about the UPnP vulnerabilities by CERT, and Rapid7 has released a scanning tool and guidelines for disabling UPnP. However, ensuring vendor and end user response remains a challenge, and many organizations remain exposed, Dark Reading noted.
“Most organizations don’t realize they even use UPnP, and disabling it can be tricky – not all devices support this,” Rapid7 CSO HD Moore said, according to the publication.
Manufacturers implementing UPnP or other third-party protocols should ensure they are using the latest, most secure versions of any embedded software. Developers building on existing code libraries can also take the time to use tools like static analysis to check for common software security problems such as buffer overflows. By implementing stronger coding practices throughout the development life cycle and taking the time to address potential UPnP vulnerabilities, vendors can avoid such large scale risks.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.