A recent report from Akamai Technologies Inc. found that nearly 400 models of home routers across 73 brands are...
susceptible to a UPnP vulnerability. The report found that attackers are misusing the UPnP protocol for Network Address Translation injections. How is the UPnP protocol being abused, and what can threat actors use the vulnerability for?
Universal Plug and Play (UPnP) is a zero-configuration networking protocol that handles device and service discovery and the configuration of consumer devices and networks. UPnP-enabled devices can automatically establish working configurations with other devices when they connect to a network. Manually configuring such connections is something beyond most users.
One feature of UPnP is the automated negotiation and configuration of port opening/forwarding within a Network Address Translation networking environment. This enables devices on the network to open up ports to expedite the routing of traffic in and out of the network.
However, back in 2006, Armijn Hemel found that UPnP didn't properly handle network segmentation across WAN and LAN interfaces, which meant that a remote user could perform NAT injection into a remote device over the WAN -- basically the internet.
This flaw was never really resolved and, in 2013, security company Rapid7 found that there were 80 million devices from over 1,500 vendors that were still susceptible to this UPnP vulnerability. These devices expose privileged services on the WAN interface, as well as those that are meant to only be used by trusted devices on a LAN.
Akamai discovered that this attack vector is actively being used to conceal attack traffic and carry out distributed denial-of-service (DDoS) attacks, account hijacking and malware distribution.
UPnP uses the Simple Service Discovery Protocol (SSDP) to search for devices or services of interest on the network. The details needed to communicate with the TCP-enabled UPnP daemon display in the SSDP search response headers. An attacker can communicate directly with the UPnP daemon by modifying the URL to use the public-facing IP address rather than the LAN-scoped IP. If the device is vulnerable to injection, a Simple Object Access Protocol/XML payload can be crafted by the attacker to inject malicious NAT entries.
By injecting internet-routable hosts into the NAT table, the attacker can turn the router into a proxy server or obtain a login prompt for the router's admin interface by exposing the router's internal port 80 to the internet. It usually doesn't take long for an attacker to gain access to a device with administrative rights, as many devices still deploy default or weak credentials or do not use rate limits or alerts to prevent brute-force attacks against the device's admin account.
By compromising vulnerable devices, cybercriminals can hide the origin of their malicious traffic to bypass anticensorship, antispam and antiphishing controls; can carry out click fraud; can distribute malware; and can launch DDoS and various other attacks. When a router has been compromised in this way, its unwitting owner may appear to be the source of the attacks, while the real perpetrator remains hidden behind one or more layers of compromised routers.
It is difficult for users to test if a device is susceptible to the UPnP vulnerability, but there is a list of the nearly 400 models of home routers across 73 brands that are susceptible to the UPnP vulnerability at the end of Akamai's report. The best option for anyone that owns a vulnerable device is to replace it, as disabling UPnP services can negatively impact other areas of the network.
By voting with their wallets, hopefully users can force manufacturers to stop enabling protocols like UPnP on external interfaces on consumer devices. Carriers and ISPs also need to examine whether they should be allowing protocols that are meant for trusted LAN usage to traverse across their networks.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading