Disable ‘UPnP’ on networked devices now, say researchers

Security researchers are warning businesses and consumers to immediately disable Universal Plug and Play (UPnP) functions on thousands of networked device products after revealing common flaws that can be easily exploited by a remote attacker.

Researchers at security firm Rapid7, led by founder of the Metasploit penetration testing framework HD Moore, released details of the vulnerabilities in a whitepaper on Tuesday, drawing attention to long-running security issues with the UPnP protocol.

UPnP enables discovery and service configuration between computers and network-enabled devices, including routers, printers, media servers, smart TVs and NAS devices.

The researchers found several major problems with UPnP implementations across thousands of devices that leave millions of systems exposed to discovery over the internet when they should only be visible on local or trusted networks.

For example, a component of UPnP called Simple Service Discovery Protocol (SSDP) allows devices to discover each other on a local network. However, after sending a UPnP SSDP request to every IPv4 address on the internet once a week for over five months, the researchers found 80 million unique IPs exposed a device’s SSDP service to the internet due to being misconfigured by vendors.

The scans also found that Simple Object Access Protocol (SOAP) services in UPnP, used to provide functions between devices on a trusted network, were misconfigured so as to be reachable from the internet on 6,900 devices from over 1,500 vendors.

In addition, 23 million systems were exposed to a remote code execution flaw in the “libupnp” library contained in the Intel SDK for UPnP and Portable SDK for UPnP devices.

An update for libupnp was released on Tuesday; however, Moore warned that it would take vendors a long time to ship it, while products that are no longer sold will not be updated at all.

Vendors that have confirmed their network devices are affected by the vulnerabilities include 3Com, Fujitsu, Huawei, NEC, Siemens and Sony, while dozens more remain unconfirmed.

In all, CERT CC notified over 200 vendors and issued an alert today advising users to disable UPnP on devices where it is not needed.

It also advised configuring firewalls to block untrusted hosts from reaching UDP port 1900.

“We strongly suggest that end users, companies, and ISPs take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments,” said Moore.

“UPnP is pervasive - it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage servers.”

Rapid7 also released its ScanNow tool to detect networked devices that might be vulnerable to attack through UPnP.
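As an added illustration (not code from the article, Rapid7 or ScanNow), the Python script below performs the local SSDP discovery described above and flags responders whose SERVER header names the Intel or Portable SDK for UPnP, the libupnp-based stacks the article cites, so an administrator can inventory which devices on their own LAN answer UPnP and need firmware updates or UPnP disabled. The marker strings and the sample reply are constructed assumptions, not values from the page.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # UPnP multicast group, UDP port 1900
# M-SEARCH discovery request, as any SSDP control point sends on the local network.
MSEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
# Assumed heuristic: SERVER strings that name the libupnp-based SDKs from the article.
LIBUPNP_MARKERS = ("portable sdk for upnp", "intel sdk for upnp")
# Constructed sample reply (not a real capture) in the shape a libupnp device would send.
SAMPLE_REPLY = ("HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
                "SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
                "LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n\r\n")


def parse_ssdp_response(raw: str) -> dict:
    """Turn the header block of an SSDP 'HTTP/1.1 200 OK' reply into a dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def uses_libupnp(headers: dict) -> bool:
    """True when the SERVER header points at an Intel/Portable SDK (libupnp) stack."""
    server = headers.get("SERVER", "").lower()
    return any(marker in server for marker in LIBUPNP_MARKERS)


def discover(timeout: float = 3.0) -> dict:
    """Multicast one M-SEARCH on the LAN and collect each responder's headers by IP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(MSEARCH.encode(), SSDP_ADDR)
    found = {}
    try:
        while True:  # keep reading until the MX window passes with no more replies
            data, (ip, _port) = sock.recvfrom(65535)
            found[ip] = parse_ssdp_response(data.decode(errors="replace"))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for ip, hdrs in discover().items():
        flag = "  <- libupnp stack, check vendor for updated firmware" if uses_libupnp(hdrs) else ""
        print(f"{ip:15} {hdrs.get('SERVER', '?')}  {hdrs.get('LOCATION', '')}{flag}")
```

Run it from a host on the network segment you administer; any responder listed should be checked against the firewall rule for UDP 1900 and, if it is not needed, have UPnP turned off.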
