Homeland Security: Disable UPnP, as tens of millions at risk

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#1 Post by Flash »

Homeland Security: Disable UPnP, as tens of millions at risk
UPnP, or Universal Plug and Play, allows devices that connect to networks, to communicate seamlessly with one another and discover each other's presence. Devices can then connect over a network to share files, print documents, and access other shared resources.

"Multiple vulnerabilities have been announced in libupnp, the open source portable SDK for UPnP devices. Libupnp is employed by hundreds of vendors for UPnP-enabled devices," the U.S. Computer Emergency Readiness Team (US-CERT) said in a note published today.

"US-CERT recommends that affected UPnP device vendors and developers obtain and employ libupnp version 1.6.18, which addresses these vulnerabilities."

It is understood from Rapid7's findings that there are numerous bugs with the protocol, which could ultimately put at risk tens of millions of networked devices—especially those connected directly to the Internet.

It then warns to "disable UPnP (if possible)," along with restricting networking protocols and ports, including Simple Service Discovery Protocol (SSDP) and Simple Object Access Protocol (SOAP) services from untrusted networks, including the Internet.

The risk is that hackers could "execute arbitrary code on the device or cause a denial of service," or in other words: install malware on your computer and/or run it as part of a botnet.

Along with this, hackers could access confidential documents, steal usernames and passwords, take over PCs, and remotely access networked devices, such as webcams, printers, televisions, security systems, and other devices plugged in or wireless connected to networks.

Most networking devices in fact use UPnP, including computers running Windows, Apple's OS X, and Linux. Many mobile devices also use UPnP to print to wireless or networked printers.

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#2 Post by jpeps »

Thanks. There's a simple switch at grc.com that worked nicely on my XP computer.

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#3 Post by 8-bit »

Of course, you realize that most computer users will not know jack about how to disable UPnP and will only get the updated one through a Windows update, a downloadable executable update utility, or specific information on how to disable UPnP.

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#4 Post by Barkin »

jpeps wrote:... There's a simple switch at grc.com that worked nicely on my XP computer.
Wouldn't grc's "Shields Up" reveal this type of weakness? ... https://en.wikipedia.org/wiki/Shields_Up

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#5 Post by jpeps »

Barkin wrote:
jpeps wrote:... There's a simple switch at grc.com that worked nicely on my XP computer.
Wouldn't grc's "Shields Up" reveal this type of weakness? ... https://en.wikipedia.org/wiki/Shields_Up
No. From Shields_Up, download "UnPlug n' Pray" from the freeware/security tab (windows only).

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#6 Post by 8-bit »

The direct link to the UnPlug and Pray file is https://www.grc.com/unpnp/unpnp.htm.
This file is for disabling UPnP in all versions of Windows, with the option to re-enable UPnP.
It is NOT for linux.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#7 Post by prehistoric »

Are we in a time warp? Security problems with UPnP have been around -- and known -- since at least the introduction of Windoze XP. Here's a site which has existed for a looong time.

Note: He presented a paper at a conference in 2006! This was not simply an academic vulnerability; the Conficker worm, with which many of us have had a tussle, exploited this hole years ago.

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

#8 Post by Q5sys »

The problem is most PC users WANT this kind of feature. They don't want to have to mount a drive. So I think this advice will not be followed by most people.

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#9 Post by jpeps »

Q5sys wrote:The problem is most PC users WANT this kind of feature. They don't want to have to mount a drive. So I think this advice will not be followed by most people.
I didn't notice it affecting anything on the XP...still mounts flashdrives the same. Maybe there are some devices that use it. The vulnerability was announced by Microsoft back in December of 2001.

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

#10 Post by Q5sys »

jpeps wrote:
Q5sys wrote:The problem is most PC users WANT this kind of feature. They don't want to have to mount a drive. So I think this advice will not be followed by most people.
I didn't notice it affecting anything on the XP...still mounts flashdrives the same. Maybe there are some devices that use it. The vulnerability was announced by Microsoft back in December of 2001.
I kinda over-generalized there... Auto mount is built on top of PnP. After all, the computer has to recognize that the USB device IS a drive in order to mount it. Automount is the vector used for most of the USB virii.

As for PnP, it covers the ability to plug a device into your computer and have your computer know what it is. If you go back to, say, Win 95 and before... you could plug in hardware, but the computer wouldn't even know it was there until you installed the drivers, and the program then told the computer where to go for the device.

Referencing Win XP: http://www.microsoft.com/resources/docu ... x?mfr=true

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#11 Post by rcrsn51 »

The issue here is not about PnP. It's uPnP, which really should have been named "Network Plug'nPlay".

Your network probably has devices with built-in web servers, like your router or networked printers. Ordinarily, you would access the device by launching your web browser and entering the IP address of the device.

In XP, open My Network Places. One of the tasks is "Show icons for networked uPnP devices". This will open a port in your firewall so Windows can now access these devices directly by clicking an icon.

Supposedly, this open port is now a point of vulnerability. But I suspect that the real issue is what your router is doing. Is it also exposing these uPnp devices to the WAN?

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

#12 Post by Wognath »

Using UPnP to stream media between computers in your own house does not require UPnP to be enabled on your router, nor does it pose any security risk.
http://lifehacker.com/5803975
Am I right in concluding that if UPnP is disabled on the wireless router of a home network, there is no need to disable it on the computers?

gcmartin

#13 Post by gcmartin »

Wognath wrote:
Using UPnP to stream media between computers in your own house does not require UPnP to be enabled on your router, nor does it pose any security risk.
http://lifehacker.com/5803975
Am I right in concluding that if UPnP is disabled on the wireless router of a home network, there is no need to disable it on the computers?
YES!

UPnP is a method for devices you purchase to use the LAN most often to sometimes send to a vendor's website.

If it's shut off at the router, when a PC or device attempts to use it for discovery it cannot work.

Again, as @Rcrsn51 points out, correctly, this is a LAN-related issue and, excepting some very odd networks, requires router participation to operate.

Further understanding of the uses and benefits and drawbacks can be found here.

Hope this helps

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

#14 Post by Wognath »

Thanks, gcmartin, very helpful.

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#15 Post by jpeps »

You’ve probably never checked whether your Internet router is set by default to use a harmless-sounding protocol called Universal Plug and Play. If it does, now’s a good time to turn it off.
http://www.forbes.com/sites/andygreenbe ... rity-bugs/

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#16 Post by prehistoric »

As rcrsn51 points out, this is primarily a network insecurity, but system crackers can use any hole to compromise everything else.

Part of the problem is that the OS (like XP originally) opens ports in firewalls in order to use UPnP. One common cause of system vulnerability to network attacks is that ports get opened for one purpose, then stay open. After a while the firewall begins to look like Swiss cheese.

Another aspect is that people configuring things so they can use them inadvertently open still other vulnerabilities. (When your system passes tests on the Shields-Up site, it offers little for a remote attacker to exploit.) Simply getting a networked printer to work can be such a frustrating experience that people in a hurry to print a report or school assignment may drastically compromise their network security. An attacker who knows what people commonly do in response to problems installing a particular printer can greatly speed up his rate of productive attacks by looking for systems where that printer model advertises its presence.

Routers play a key role, and more often than not, they are poorly configured. I keep finding routers with remote management enabled -- and the default password still present! What happens after this error is not limited by simple explanations. You may end up doing all your banking via Mexico. Most routers now have the ability to update firmware via the Internet. Some can support sophisticated Open Source firmware like DDWRT. (If an attacker can install this they can do just about anything. Fortunately, attackers with this kind of skill are rare.) Even without modifying firmware, an attacker who gains control of a router can create vulnerabilities, then lock you out.

I have a (non-wireless) router nearby which was converted to a brick by a remote update attempt. The person who gave it to me didn't even know remote firmware updates were possible.

@Wognath, there is generally no need for UPnP unless you are installing network devices. Best to leave it disabled on your computer at other times.

I've heard any number of arguments over cracking systems via the Internet versus LAN vulnerabilities. These tend to focus on vulnerable devices rather than people, getting the questions backwards.

I just had to explain to some friends that the network password on their home network, which they had been giving to friends who wanted to use their iPhones or Android phones for Internet access, also gave access to the whole LAN. An error in configuring sharing there will compromise your private data. Even if your next door neighbor is a fine upstanding sort, he might naively give your password to his deadbeat teenage hacker son.

The next level of debate involved the "guest" network I set up on their wireless for friends who just wanted Internet access at their house. They originally had the default password "guest". This might be OK if you were sure there were no pedophiles next door. Otherwise, you might find the police at the door with a search warrant some day. (It turned out they were concerned about one neighbor.)

They now have fairly weak passwords on the "guest" network. I'll remind them to change these once in a while. Access to private information is protected by stronger passwords. Nothing provides absolute security, but making it require effort to crack a system, without unduly inconveniencing everyone honest, will usually work. Make life too difficult for honest people, and they will disable security measures.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#17 Post by rcrsn51 »

I own a little NAS box. It is set up to get an IP address by DHCP. It is Samba-compatible, so any Puppy client can detect it OOTB. I don't need to know its IP address.

It also has a web-based admin server. To access it, I have to scan my network for open Port 80s. Then I can run the admin tools through my web browser by using the IP address as the URL.

The same is true with XP. But in XP I have the option to turn on detection of uPnP devices. Now the NAS box shows up automatically in Network Places, so I don't need to hunt for its IP address.

From a security point of view, there is no real difference. Either way, an attacker could eventually find the box. But that assumes that an external attacker could even see inside my LAN, since it is hiding behind my router.

(But as Prehistoric pointed out, once you give someone the credentials to your wifi access point, you have made them members of your LAN!)

In theory, if an attacker could find the device, he could then use some exploit like a buffer overflow to compromise the service running on the open uPnP port.

But my NAS box also has a "cloud" feature where you can make it visible to external Internet users. One of the options is "Automatic Port Forward". Supposedly, this uses the uPnP protocols to tell a compatible router to open a hole to the box.

This option was set ON by default. From here:
The Universal Plug and Play protocol (UPnP) provides a feature to automatically install instances of port forwarding in residential Internet gateways. UPnP defines the Internet Gateway Device Protocol (IGD) which is a network service by which an Internet gateway advertises its presence on a private network via the Simple Service Discovery Protocol (SSDP). An application that provides an Internet-based service may discover such gateways and use the UPnP IGD protocol to reserve a port number on the gateway and cause the gateway to forward packets to its listening socket.
Why would any router allow this to happen invisibly?

Concerning printers: A client, either Linux or Windows, does NOT need uPnP to set up a networked printer. For example, CUPS searches your network for open Port 9100s. A Windows installer may be looking for some proprietary port.

However, if you have a uPnp-capable printer that also enabled port forwarding on your router, then you have a potential problem.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#18 Post by nooby »

One would need someone good at explaining to noobs like me how to do it on Puppy Linux. I don't trust I would get the text on those links; they talk about XP and not Puppy.

I have a D-Link router and a Belkin and a Thomson, but use the D-Link just now.

What am I supposed to do? I use Google Search on Puppy Forum, not an ideal solution though.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#19 Post by rcrsn51 »

nooby wrote:What am I supposed to do?
Probably nothing and you will be OK. But if you are really concerned, do the following.

1. Determine the IP address of your router. For example, if your own address is 192.168.2.14, then your router is probably 192.168.2.1.

2. Open a web browser and type in the IP address as the URL.

3. Look through the screens for any mention of uPnp. Don't change anything!
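A way to run the same check from a Linux shell rather than the router's web pages, as an added example that is not from any post in this thread: it sends one SSDP M-SEARCH for the Internet Gateway Device service that the quoted IGD description refers to, and lists whatever answers. An empty result after turning UPnP off on the router confirms the setting took effect. The multicast address and search-target string are the standard SSDP/IGD ones; the function names and the timeout are this example's own choices.

```python
"""Added example (not from the thread): small SSDP probe for checking
whether UPnP devices, in particular an Internet Gateway Device (IGD,
i.e. the router), answer discovery requests on your own LAN."""
import socket
from typing import Optional

SSDP_ADDR = ("239.255.255.250", 1900)
# Search target: only the IGD root device, i.e. the router's UPnP service.
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Build the SSDP M-SEARCH request (CRLF line ends, blank-line terminator)."""
    lines = ["M-SEARCH * HTTP/1.1", "HOST: 239.255.255.250:1900",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {st}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_ssdp_response(raw: bytes) -> Optional[dict]:
    """Parse an SSDP reply into a dict of lowercase headers; None if not 200 OK."""
    head = raw.decode("utf-8", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def probe(timeout: float = 3.0) -> list:
    """Send one M-SEARCH and collect every device that answers before timeout."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:
                data, (ip, _) = s.recvfrom(65507)
                h = parse_ssdp_response(data)
                if h:  # LOCATION is the device description URL, SERVER the UPnP stack
                    found.append({"ip": ip, "location": h.get("location"),
                                  "server": h.get("server"), "st": h.get("st")})
        except socket.timeout:
            pass
    return found

if __name__ == "__main__":
    for dev in probe():  # empty list means nothing answered (UPnP off or blocked)
        print(dev)
```

The SERVER header a device returns normally names its UPnP stack and version, which is how you would tell whether a box on your LAN still runs an old libupnp like the ones in the first post.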

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

#20 Post by Wognath »

@nooby: my router manufacturer (Zyxel) recommended disabling UPnP. It's in the router's web management menus. I had to uncheck "enable WPS" and UPnP was disabled. It was my understanding that UPnP allows someone to join my network with a PIN number of 8 digits, 4 of which are somewhat predictable.

edit: the Shields Up service at grc.com has a UPnP tester

If I understand, there is also intra-network UPnP on the individual XP computers which is not a security concern. I think this is not a Linux issue at all--but I hope the experts will confirm this. Following the advice of prehistoric, 8-bit and others, I'll probably disable that too since I don't use it, I think--I'll find out!
Last edited by Wognath on Fri 01 Feb 2013, 16:28, edited 1 time in total.
