Security researchers are warning businesses and consumers to immediately disable Universal Plug and Play (UPnP) functions on thousands of networked device products after revealing common flaws that can be easily exploited by a remote attacker.
Researchers at security firm Rapid7, led by founder of the Metasploit penetration testing framework HD Moore, released details of the vulnerabilities in a whitepaper on Tuesday, drawing attention to long-running security issues with the UPnP protocol.
UPnP enables discovery and service configuration between computers and network-enabled devices, including routers, printers, media servers, smart TVs and NAS devices.
The researchers found several major problems with UPnP implementations across thousands of devices that leaves millions of systems exposed to discovery over the internet when they should only be visible in local or trusted networks.
For example, a component of UPnP called Simple Service Discovery Protocol (SSDP) allows devices to discover each other on a local network. However, after sending a UPnP SSDP request to every IPv4 address on the internet once a week for over five months, the researchers found 80 million unique IPs exposed a device’s SSDP service to the internet due to being misconfigured by vendors.
The scans also found that Simple Object Access Protocol (SOAP) services in UPnP, used to provide functions between devices on a trusted network, was misconfigured by over 1,500 vendors and 6,900 devices, exposing them to the internet.
In addition, 23 million systems were exposed to a remote code execution flaw in the “libupnp” library contained in the Intel SDK for UPnP and Portable SDK for UPnP devices.
An update for libupnp was released on Tuesday, however Moore warned that it would take a long time for vendors to implement it while products that do not ship any longer will not be updated at all.
Vendors that have confirmed their network devices are impacted by the vulnerabilities include Fujitsu, Huaweui, NEC, Siemens and Sony, 3com, while dozens more remain unconfirmed.
In all, CERT CC notified over 200 vendors and issued an alert today advising to disable UPnP on the device if it was not necessary.
It also advised to configure the firewall to block untrusted hosts from accessing port 1900 over UDP.
“We strongly suggest that end users, companies, and ISPs take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments,” said Moore.
“UPnP is pervasive - it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage servers.”
Rapid 7 also released its ScanNow tool to detect networked devices that might be vulnerable to attack through UPnP.