Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                       ESB-2008.0068 -- [Appliance]
                           Vulnerability in UPnP
                               8 April 2008


        AusCERT Security Bulletin Summary

Product:              UPnP
Publisher:            US-CERT
Impact:               Execute Arbitrary Code/Commands
                      Modify Arbitrary Files
                      Inappropriate Access
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-1654

Revision History:  April    8 2008: Added CVE information
                   January 18 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#347812
UPnP enabled by default in multiple devices


        Multiple vendors ship devices with UPnP enabled by default. By 
        convincing a user to open a malicious URL, an attacker may be able 
        to remotely control or configure UPnP enabled devices.

I. Description

        Universal Plug and Play (UPnP) is a collection of protocols 
        maintained and distributed by the UPnP Forum. UPnP is designed to 
        allow network devices to easily connect to each other. UPnP enabled 
        applications may be able to control other UPnP enabled devices such 
        as firewalls or routers automatically and without authentication. 
        Some applications may rely on UPnP to automatically open ports on 
        routers or automatically set other parameters on compatible devices.

        Multiple vendors ship devices with UPnP enabled by default. These 
        devices may be configured to only listen for UPnP requests on local 
        networks or wireless interfaces. By using browser plugins that 
        execute in the context of the local system, an attacker may be able 
        to send UPnP messages to local devices without authentication. One 
        researcher has demonstrated an attack vector that uses the Adobe 
        Flash plugin.

        Note that to successfully exploit this vulnerability an attacker 
        would need to be able to guess the IP address of an affected device. 
        This IP address may also be enumerated through browser headers or 
        other methods.

II. Impact

        By convincing a victim to click on a link in an HTML document (web 
        page, HTML email), an attacker could issue any command or change any 
        configuration that can be set via UPnP on an affected device. If the 
        affected device is providing routing or firewalling services to 
        clients, an attacker may be able to change firewall and port 
        forwarding rules, modify DNS settings, change wireless encryption 
        keys, or set arbitrary administration passwords.

III. Solution

       We are currently unaware of a practical solution to this problem.

       Workarounds for administrators

       * UPnP should be disabled on devices that are being use to enforce 
         security policies or are connected to untrusted networks, such as 
         the Internet. 
       * Filtering the IGMP protocol between LAN segments may prevent UPnP 
         devices from connecting to networks that they are not authorized to 

        Workarounds for users

       * Disabling UPnP on network devices will mitigate this vulnerability. 
         Note that disabling UPnP will cause any devices or applications 
         that rely on UPnP to fail or operate with reduced functionality.
       * Disabling UPnP in desktop operating systems may prevent an attacker 
         from exploiting this vulnerability. Microsoft Windows XP users 
         should see the workarounds section of Microsoft Security Bulletin 
         MS07-019 for instructions on how to disable UPnP.
       * Using the Mozilla Firefox NoScript extension to whitelist web sites 
         that can run scripts and access installed plugins may prevent this 
         vulnerability from being exploited.
       * Using host-based firewalls to filter ports 1900/udp and 2869/tcp 
         both inbound and outbound may prevent this vulnerability from being 
         exploited by blocking the ports that UPnP uses. Note that the 
         Windows Vista firewall blocks UPnP by default. This workaround may 
         not be able to prevent exploitation of this vulnerability.

Systems Affected

Vendor	                                          Status	Date Updated
3com, Inc.	                                  Unknown	15-Jan-2008
Alcatel	                                          Unknown	15-Jan-2008
Apple Computer, Inc.	                          Unknown	15-Jan-2008
AT&T	                                          Unknown	15-Jan-2008
Avaya, Inc.	                                  Unknown	15-Jan-2008
Avici Systems, Inc.	                          Unknown	15-Jan-2008
Borderware Technologies	                          Unknown	15-Jan-2008
Bro	                                          Unknown	15-Jan-2008
CentOS	                                          Unknown	15-Jan-2008
Charlotte's Web Networks                          Unknown	15-Jan-2008
Check Point Software Technologies                 Unknown	15-Jan-2008
Cisco Systems, Inc.	                          Unknown	15-Jan-2008
Clavister	                                  Unknown	15-Jan-2008
Computer Associates	                          Unknown	15-Jan-2008
Computer Associates eTrust Security Management	  Unknown	15-Jan-2008
Conectiva Inc.	                                  Unknown	15-Jan-2008
Cray Inc.	                                  Unknown	15-Jan-2008
D-Link Systems, Inc.	                          Unknown	15-Jan-2008
Data Connection, Ltd.	                          Unknown	15-Jan-2008
Debian GNU/Linux	                          Unknown	15-Jan-2008
EMC Corporation	                                  Unknown	15-Jan-2008
Engarde Secure Linux	                          Unknown	15-Jan-2008
Enterasys Networks	                          Unknown	15-Jan-2008
Ericsson	                                  Unknown	15-Jan-2008
eSoft, Inc.	                                  Unknown	15-Jan-2008
Extreme Networks	                          Unknown	15-Jan-2008
F5 Networks, Inc.	                          Unknown	15-Jan-2008
Fedora Project	                                  Unknown	15-Jan-2008
Force10 Networks, Inc.	                          Unknown	15-Jan-2008
Fortinet, Inc.	                                  Unknown	15-Jan-2008
Foundry Networks, Inc.	                          Unknown	15-Jan-2008
FreeBSD, Inc.	                                  Unknown	15-Jan-2008
Fujitsu	                                          Unknown	15-Jan-2008
Gentoo Linux	                                  Unknown	15-Jan-2008
Global Technology Associates	                  Unknown	15-Jan-2008
Hewlett-Packard Company	                          Unknown	15-Jan-2008
Hitachi	                                          Unknown	15-Jan-2008
Hyperchip	                                  Unknown	15-Jan-2008
IBM Corporation	                                  Unknown	15-Jan-2008
IBM Corporation (zseries)	                  Unknown	15-Jan-2008
IBM eServer	                                  Unknown	15-Jan-2008
Ingrian Networks, Inc.	                          Unknown	15-Jan-2008
Intel Corporation	                          Unknown	15-Jan-2008
Internet Security Systems, Inc.	                  Unknown	15-Jan-2008
Intoto	                                          Unknown	15-Jan-2008
IP Filter	                                  Unknown	15-Jan-2008
Juniper Networks, Inc.	                          Unknown	15-Jan-2008
Linksys (A division of Cisco Systems)	          Unknown	15-Jan-2008
Lucent Technologies	                          Unknown	15-Jan-2008
Luminous Networks	                          Unknown	15-Jan-2008
m0n0wall	                                  Unknown	15-Jan-2008
Mandriva, Inc.	                                  Unknown	15-Jan-2008
McAfee	                                          Unknown	15-Jan-2008
Microsoft Corporation	                          Unknown	15-Jan-2008
MontaVista Software, Inc.	                  Unknown	15-Jan-2008
Multinet (owned Process Software Corporation)	  Unknown	15-Jan-2008
Multitech, Inc.	                                  Unknown	15-Jan-2008
NEC Corporation	                                  Unknown	15-Jan-2008
NetBSD	                                          Unknown	15-Jan-2008
netfilter	                                  Unknown	15-Jan-2008
Netgear, Inc.	                                  Unknown	15-Jan-2008
Network Appliance, Inc.	                          Unknown	15-Jan-2008
NextHop Technologies, Inc.	                  Unknown	15-Jan-2008
Nokia	                                          Unknown	15-Jan-2008
Nortel Networks, Inc.	                          Unknown	15-Jan-2008
Novell, Inc.	                                  Unknown	15-Jan-2008
OpenBSD	                                          Unknown	15-Jan-2008
Openwall GNU/*/Linux	                          Unknown	16-Jan-2008
QNX, Software Systems, Inc.	                  Unknown	15-Jan-2008
RadWare, Inc.	                                  Unknown	15-Jan-2008
Red Hat, Inc.	                                  Unknown	15-Jan-2008
Redback Networks, Inc.	                          Unknown	15-Jan-2008
Riverstone Networks, Inc.	                  Unknown	15-Jan-2008
Secure Computing Network Security Division	  Unknown	15-Jan-2008
Secureworx, Inc.	                          Unknown	15-Jan-2008
Silicon Graphics, Inc.	                          Unknown	15-Jan-2008
Slackware Linux Inc.	                          Unknown	15-Jan-2008
SmoothWall	                                  Unknown	15-Jan-2008
Snort	                                          Unknown	15-Jan-2008
Sony Corporation	                          Unknown	15-Jan-2008
Sourcefire	                                  Unknown	15-Jan-2008
Stonesoft	                                  Unknown	15-Jan-2008
Sun Microsystems, Inc.	                          Unknown	15-Jan-2008
SUSE Linux	                                  Unknown	15-Jan-2008
Symantec, Inc.	                                  Unknown	15-Jan-2008
The SCO Group	                                  Unknown	15-Jan-2008
TippingPoint, Technologies, Inc.	         Not Vulnerable	16-Jan-2008
Trustix Secure Linux	                          Unknown	15-Jan-2008
Turbolinux	                                  Unknown	15-Jan-2008
Ubuntu	                                          Unknown	15-Jan-2008
Unisys	                                          Unknown	15-Jan-2008
Watchguard Technologies, Inc.	                  Unknown	15-Jan-2008
Wind River Systems, Inc.	                  Unknown	15-Jan-2008
ZyXEL	                                          Unknown	15-Jan-2008




Information about this vulnerability was released by PDP on the GNUCITIZEN website.

This document was written by Ryan Giobbi.
Other Information
Date Public	        01/15/2008
Date First Published	01/15/2008 01:47:51 PM
Date Last Updated	01/16/2008
CERT Advisory	 
CVE Name	 
Metric	                9.83
Document Revision	52

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967