-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2013.0122
Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP
30 January 2013

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           libupnp
Publisher:         US-CERT
Operating System:  Linux variants
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5965 CVE-2012-5964 CVE-2012-5963
                   CVE-2012-5962 CVE-2012-5961 CVE-2012-5960
                   CVE-2012-5959 CVE-2012-5958

Original Bulletin:
   http://www.kb.cert.org/vuls/id/922681

Comment: As this library is used by many different devices from numerous vendors, it is recommended that administrators apply the following mitigation until patches are available for specific devices:

Deploy firewall rules to block untrusted hosts from being able to access port 1900/udp and consider disabling UPnP on the device if it is not absolutely necessary.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#922681

Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP

Original Release date: 29 Jan 2013 | Last revised: 29 Jan 2013

The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet.

Description

Universal Plug and Play (UPnP) is a set of network protocols designed to support automatic discovery and service configuration. The Portable SDK for UPnP Devices (libupnp) has its roots in the Linux SDK for UPnP Devices and software from Intel (Intel Tools for UPnP Technologies and later Developer Tools for UPnP Technologies). Many different vendors produce UPnP-enabled devices that use libupnp.

As part of a large scale security research project, Rapid7 investigated internet-connected UPnP devices and found, among other security issues, multiple buffer overflow vulnerabilities in the libupnp implementation of the Simple Service Discovery Protocol (SSDP). Rapid7's report summarizes these vulnerabilities:

Portable SDK for UPnP Devices unique_service_name() Buffer Overflows

The libupnp library, originally known as the Intel SDK for UPnP Devices and now maintained as the Portable SDK for UPnP Devices, is vulnerable to multiple stack-based buffer overflows when handling malicious SSDP requests. This library is used by tens of millions of deployed network devices, of which approximately twenty million are exposed directly to the internet. In addition to network devices, many streaming media and file sharing applications are also exposed to attack through this library.

This advisory does not address historic or current vulnerabilities in the HTTP and SOAP processing code of libupnp.

Affected Versions

Versions 1.2 (Intel SDK) and 1.2.1a - 1.8.0 (Portable SDK) are affected by at least three remotely exploitable buffer overflows in the unique_service_name() function, which is called to process incoming SSDP requests on UDP port 1900. Additionally, versions prior to 1.6.17 are vulnerable to additional issues in the same function. Please see Appendix A for a review of the vulnerable code by version.

Affected Vendors

Hundreds of vendors have used the libupnp library in their products, many of which are acting as the home routers for consumer networks. Any application linking to libupnp is likely to be affected and a list of confirmed vendors and products is provided in Appendix B.
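
An added example, not part of the advisory and not libupnp code: inventory triage that reads the SERVER header of SSDP responses an administrator has already captured on their own network and classifies the SDK version against the affected range above and the 1.6.18 fix named under Solution in this bulletin. The banner format, the verdict names and the sample responses are assumptions constructed for illustration; a missing or vendor-modified banner proves nothing either way.

```python
import re

FIXED = (1, 6, 18)         # release the advisory names under "Apply an Update"
LAST_AFFECTED = (1, 8, 0)  # upper end of the affected range in the advisory

# Assumed banner shape: "<OS>, UPnP/1.0, Portable SDK for UPnP devices/1.6.6"
SDK_RE = re.compile(
    r"(?:Intel|Portable) SDK for UPnP devices\s*/\s*(\d+(?:\.\d+)*)", re.I)

def parse_headers(datagram: bytes) -> dict:
    """Split an SSDP datagram into upper-cased header names and values."""
    headers = {}
    for line in datagram.decode("latin-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def classify(datagram: bytes) -> str:
    """Return 'affected', 'fixed', 'unknown' or 'no-banner' for one response."""
    match = SDK_RE.search(parse_headers(datagram).get("SERVER", ""))
    if not match:
        return "no-banner"  # other UPnP stack, or the vendor hid the banner
    version = tuple(int(part) for part in match.group(1).split("."))
    version += (0,) * (3 - len(version))  # "1.2" -> (1, 2, 0)
    if version[:2] == (1, 6) and version >= FIXED:
        return "fixed"
    if version <= LAST_AFFECTED:
        return "affected"  # includes 1.8.0, which sorts above 1.6.18
    return "unknown"  # newer than anything the advisory covers

def response(server: str) -> bytes:
    """Build a constructed SSDP search response with the given SERVER value."""
    return ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
            "ST: upnp:rootdevice\r\nSERVER: " + server + "\r\n\r\n").encode("latin-1")

# Constructed samples: documentation addresses and made-up banners.
SAMPLES = {
    "192.0.2.10": response("Linux/2.6.30, UPnP/1.0, Portable SDK for UPnP devices/1.6.6"),
    "192.0.2.11": response("Linux/3.2.0, UPnP/1.0, Portable SDK for UPnP devices/1.6.18"),
    "192.0.2.12": response("Linux/3.2.0, UPnP/1.0, Portable SDK for UPnP devices/1.8.0"),
    "192.0.2.13": response("Linux/2.4.20, UPnP/1.0, Intel SDK for UPnP devices /1.2"),
    "192.0.2.14": response("ExampleOS/1.0 UPnP/1.0 ExampleStack/2.0"),
}

def triage(samples: dict) -> dict:
    """Map each host to its verdict."""
    return {host: classify(data) for host, data in samples.items()}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLES).items():
        print(host, verdict)
```

Hosts reported as affected are candidates for the firewall and disable-UPnP mitigations in this bulletin until a vendor update is installed; firmware that backports the fix without changing the banner will still show as affected.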

Additional details may be found in a paper and advisory from Rapid7.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on the device or cause a denial of service.

Solution

Apply an Update

libupnp 1.6.18 has been released to address these vulnerabilities.

Restrict Access

Deploy firewall rules to block untrusted hosts from being able to access port 1900/udp.

Disable UPnP

Consider disabling UPnP on the device if it is not absolutely necessary.

Vendor Information

We attempted to notify more than 200 vendors identified by Rapid7 as running libupnp. The following list includes vendors who responded to our notification and vendors for whom we had existing security contact information.

Vendor                   Status          Date Notified   Date Updated
Cisco Systems, Inc.      Affected        13 Dec 2012     29 Jan 2013
Fujitsu Technology       Affected        10 Jan 2013     29 Jan 2013
Huawei Technologies      Affected        13 Dec 2012     29 Jan 2013
Linksys                  Affected        13 Dec 2012     29 Jan 2013
NEC Corporation          Affected        13 Dec 2012     29 Jan 2013
Siemens                  Affected        13 Dec 2012     29 Jan 2013
Sony Corporation         Affected        13 Dec 2012     29 Jan 2013
Ubiquiti Networks        Not Affected    09 Jan 2013     29 Jan 2013
3com Inc                 Unknown         13 Dec 2012     29 Jan 2013
Axis                     Unknown         13 Dec 2012     29 Jan 2013
Belkin, Inc.             Unknown         13 Dec 2012     29 Jan 2013
D-Link Systems, Inc.     Unknown         13 Dec 2012     29 Jan 2013
Debian GNU/Linux         Unknown         13 Dec 2012     29 Jan 2013
EMC Corporation          Unknown         13 Dec 2012     29 Jan 2013
Geexbox                  Unknown         11 Jan 2013     29 Jan 2013
ipitomy                  Unknown         08 Jan 2013     29 Jan 2013
Koukaam                  Unknown         10 Jan 2013     29 Jan 2013
Logitech                 Unknown         04 Jan 2013     29 Jan 2013
Motorola, Inc.           Unknown         13 Dec 2012     29 Jan 2013
Netgear, Inc.            Unknown         13 Dec 2012     29 Jan 2013
orb Networks             Unknown         16 Jan 2013     29 Jan 2013
Pantech North America    Unknown         13 Dec 2012     29 Jan 2013
Red Hat, Inc.            Unknown         04 Dec 2012     29 Jan 2013
SFR                      Unknown         04 Jan 2013     29 Jan 2013
Sitecom                  Unknown         04 Jan 2013     29 Jan 2013
SMC Networks, Inc.       Unknown         04 Jan 2013     29 Jan 2013
Synology                 Unknown         13 Dec 2012     29 Jan 2013
Texas Instruments        Unknown         13 Dec 2012     29 Jan 2013
TP-Link                  Unknown         04 Jan 2013     29 Jan 2013
Ubuntu                   Unknown         04 Dec 2012     29 Jan 2013
Visual Tools             Unknown         10 Jan 2013     29 Jan 2013
ZyXEL                    Unknown         13 Dec 2012     29 Jan 2013

CVSS Metrics

Group            Score   Vector
Base             10.0    AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal         8.7     E:H/RL:OF/RC:C
Environmental    6.6     CDP:L/TD:M/CR:M/IR:M/AR:M

References

* http://pupnp.sourceforge.net/
* https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
* https://community.rapid7.com/docs/DOC-2150
* https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf
* http://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp
* http://www.kb.cert.org/vuls/id/357851
* http://opentools.homeip.net/dev-tools-for-upnp
* http://upnp.sourceforge.net/

Credit

Thanks to HD Moore of Rapid7 for reporting this vulnerability, and Tod Beardsley for coordination support.

This document was written by Jared Allar.

Other Information

CVE IDs:              CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961
                      CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965
Date Public:          29 Jan 2013
Date First Published: 29 Jan 2013
Date Last Updated:    29 Jan 2013
Document Revision:    48

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----