Disable ‘UPnP’ on networked devices now, say researchers

  • Liam Tung (CSO Online)
  • — 30 January, 2013 08:31

Security researchers are warning businesses and consumers to immediately disable Universal Plug and Play (UPnP) functions on thousands of networked device products after revealing common flaws that can be easily exploited by a remote attacker.

Researchers at security firm Rapid7, led by HD Moore, founder of the Metasploit penetration testing framework, released details of the vulnerabilities in a whitepaper on Tuesday, drawing attention to long-running security issues with the UPnP protocol.

UPnP enables discovery and service configuration between computers and network-enabled devices, including routers, printers, media servers, smart TVs and NAS devices.

The researchers found several major problems with UPnP implementations across thousands of devices that leave millions of systems exposed to discovery over the internet when they should only be visible in local or trusted networks.

For example, a component of UPnP called Simple Service Discovery Protocol (SSDP) allows devices to discover each other on a local network. However, after sending a UPnP SSDP request to every IPv4 address on the internet once a week for over five months, the researchers found 80 million unique IPs exposed a device’s SSDP service to the internet due to being misconfigured by vendors.

The scans also found that Simple Object Access Protocol (SOAP) services in UPnP, used to provide functions between devices on a trusted network, were misconfigured across over 1,500 vendors and 6,900 devices, exposing them to the internet.

In addition, 23 million systems were exposed to a remote code execution flaw in the “libupnp” library contained in the Intel SDK for UPnP and Portable SDK for UPnP devices.

An update for libupnp was released on Tuesday; however, Moore warned that it would take a long time for vendors to implement it, while products that do not ship any longer will not be updated at all.

Vendors that have confirmed their network devices are impacted by the vulnerabilities include Fujitsu, Huawei, NEC, Siemens, Sony and 3Com, while dozens more remain unconfirmed.

In all, CERT CC notified over 200 vendors and issued an alert today advising users to disable UPnP on devices where it is not necessary.

It also advised configuring the firewall to block untrusted hosts from accessing port 1900 over UDP.

“We strongly suggest that end users, companies, and ISPs take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments,” said Moore.

“UPnP is pervasive - it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage servers.”

Rapid7 also released its ScanNow tool to detect networked devices that might be vulnerable to attack through UPnP.
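One way to verify the advice above on a device you administer, as an added example (it is not Rapid7's ScanNow code and not from the article): send a single standard SSDP M-SEARCH to UDP port 1900 and report whether the device answers on a public address. The function names and the sample reply are assumptions constructed for illustration, and the host must be given as an IP literal.

```python
import ipaddress
import socket
import sys

SSDP_PORT = 1900  # UDP port named in the CERT CC advice

def build_msearch(host, port=SSDP_PORT):
    """Standard unicast SSDP discovery request (M-SEARCH)."""
    return (f'M-SEARCH * HTTP/1.1\r\nHOST: {host}:{port}\r\n'
            'MAN: "ssdp:discover"\r\nMX: 1\r\nST: upnp:rootdevice\r\n\r\n').encode("ascii")

def parse_ssdp_response(data):
    """Return lower-cased headers of an SSDP 200 reply, or None if it is not one."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    status = lines[0].split()
    if len(status) < 2 or not status[0].startswith("HTTP/") or status[1] != "200":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def probe(host, port=SSDP_PORT, timeout=2.0):
    """Send one M-SEARCH to a device you administer; None means no SSDP answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_msearch(host, port), (host, port))
            data, _ = sock.recvfrom(4096)
        except OSError:  # timeout or ICMP unreachable: nothing answered
            return None
    return parse_ssdp_response(data)

def assess(host, headers):
    """Classify the result: an SSDP answer on a public address is the exposure."""
    if headers is None:
        return "OK: no SSDP reply"
    server = headers.get("server", "unknown")
    if ipaddress.ip_address(host).is_global:
        return f"EXPOSED: SSDP answers on public address {host} (server: {server})"
    return f"LAN-ONLY: SSDP answers on {host} (server: {server})"

SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"  # constructed, not captured
                b"SERVER: ExampleOS/1.0 UPnP/1.0\r\nLOCATION: http://192.168.1.1:49152/desc.xml\r\n\r\n")

if __name__ == "__main__":
    print(assess(sys.argv[1], probe(sys.argv[1])))  # argument: your own device's IP
```

Run it from a host outside your network against your own WAN address; an `EXPOSED` result means the firewall rule for UDP 1900 is missing or UPnP is still enabled on the internet-facing interface.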

