UPnP Trouble Puts Devices Behind Firewall at Risk

Share this…

Security vulnerabilities in UPnP continue to crop up and continue to put millions of home networking devices at risk for compromise.

The latest was revealed in early August, but prompted an advisory yesterday from the DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University. It’s called Filet-o-Firewall and it combines a number vulnerabilities and weaknesses in routing protocols and browsers, conspiring to expose networked devices behind a firewall to the open Internet.

The primary target is the UPnP service running on commodity home routers, and according to the advisory and research disclosed by researcher Grant Harrelson, attacks can happen in fewer than 20 seconds and any router running UPnP is at risk.

Exploits against the vulnerability get an attacker on the network, but doesn’t directly put users’ personal data at risk. It’s not a big leap, however, for a skilled hacker to find other existing vulnerabilities to target other devices or information stored on the network.

The attacks, Harrelson’s research concludes, work using either Chrome or Firefox to visit a website hosting exploit code. If the browser is configured to run JavaScript, the attack will force the browser to make UPnP requests to their firewall, exposing the network to attack.

“An attacker that exploits the Filet-O-Firewall vulnerability would be able to expose any/all devices behind a user’s firewall directly to the internet,” says a summary on the Filet-o-Firewall site. “The process can be made nearly transparent to the end-user without the user installing or running any application.  The user must simply browse to the attacker’s website using an affected browser with JavaScript enabled.”

A list of affected routers is being compiled on the website, and the researcher is asking for help in adding vulnerable devices to the list.

“This vulnerability is logic based and does not reside in a specific piece of code.  It is a result of many different attacks combined into one and designed to target the UPnP service on home routers,” the site says.

According to the CERT advisory, routers that implement UPnP don’t randomize UUIDs in the UPnP control URL and don’t implement UPnP security standards. Because UPnP was built for use on private networks, it lacks sufficient authentication; subsequent efforts to build and roll out security standards for the protocol have not been fully implemented, leaving many devices wide open. Researcher HD Moore, CSO of security company Rapid7 in 2013 published research that showed that of 80 million devices responding to UPnP requests on the Internet, up to 50 million were vulnerable to a handful of attacks.

From the CERT advisory:

“Poor adoption of the security standard may broadly open up opportunities for an attacker with private network access to guess the UPnP Control URLs for many devices currently on the market. If the guess is correct, the attacker may utilize UPnP to make changes to the home router’s configuration such as opening ports and enabling services that allow an attacker further access to the network. A correct guess is likely, due to many manufacturers’ use of standardized UPnP Control URL names.”

Successful exploits of the Filet-o-Firewall vulnerability could allow an attacker to open firewall ports and issue administrative commands on a router. There are no vendor patches for the flaws, yet CERT advises a number of workarounds, ranging from disabling UPnP to randomizing UPnP UUID and URLs, which would mitigate brute-force attacks.

The Filet-o-Firewall site spells out an attack step-by-step that would take seconds to pull off on a modern computer.

“If the attacker has the port number and control URL, it is very feasible to setup a server to perform the attack,” the site says. “Again, the user would have to visit the vulnerable website, but that could be achieved through social engineering, XSS, etc.”