===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0122
         Portable SDK for UPnP Devices (libupnp) contains multiple
                         buffer overflows in SSDP
                              30 January 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libupnp
Publisher:         US-CERT
Operating System:  Linux variants
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5965 CVE-2012-5964 CVE-2012-5963
                   CVE-2012-5962 CVE-2012-5961 CVE-2012-5960
                   CVE-2012-5959 CVE-2012-5958 

Original Bulletin: 
   http://www.kb.cert.org/vuls/id/922681

Comment: As this library is used by many different devices from numerous 
         vendors, it is recommended that administrators apply the following 
         mitigation until patches are available for specific devices:
         
         Deploy firewall rules to block untrusted hosts from being able to 
         access port 1900/udp and consider disabling UPnP on the device if it
         is not absolutely necessary.

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#922681 Portable SDK for UPnP Devices (libupnp) contains
multiple buffer overflows in SSDP

Original Release date: 29 Jan 2013 | Last revised: 29 Jan 2013

The Portable SDK for UPnP Devices libupnp library contains multiple buffer 
overflow vulnerabilities. Devices that use libupnp may also accept UPnP 
queries over the WAN interface, therefore exposing the vulnerabilities to the
internet.

Description

Universal Plug and Play (UPnP) is a set of network protocols designed to 
support automatic discovery and service configuration. The Portable SDK for 
UPnP Devices (libupnp) has its roots in the Linux SDK for UPnP Devices and 
software from Intel (Intel Tools for UPnP Technologies and later Developer 
Tools for UPnP Technologies). Many different vendors produce UPnP-enabled 
devices that use libupnp.

As part of a large scale security research project, Rapid7 investigated 
internet-connected UPnP devices and found, among other security issues, 
multiple buffer overflow vulnerabilities in the libupnp implementation of the
Simple Service Discovery Protocol (SSDP). Rapid7's report summarizes these 
vulnerabilities:

    Portable SDK for UPnP Devices unique_service_name() Buffer Overflows

    The libupnp library, originally known as the Intel SDK for UPnP Devices 
    and now maintained as the Portable SDK for UPnP Devices, is vulnerable to 
    multiple stack-based buffer overflows when handling malicious SSDP 
    requests. This library is used by tens of millions of deployed network 
    devices, of which approximately twenty million are exposed directly to the 
    internet. In addition to network devices, many streaming media and file 
    sharing applications are also exposed to attack through this library.

    This advisory does not address historic or current vulnerabilities in the
    HTTP and SOAP processing code of libupnp.

    Affected Versions

    Versions 1.2 (Intel SDK) and 1.2.1a - 1.8.0 (Portable SDK) are affected 
    by at least three remotely exploitable buffer overflows in the 
    unique_service_name() function, which is called to process incoming 
    SSDP requests on UDP port 1900. Additionally, versions prior to 1.6.17 are 
    vulnerable to additional issues in the same function. Please see Appendix 
    A for a review of the vulnerable code by version.

    Affected Vendors

    Hundreds of vendors have used the libupnp library in their products, many 
    of which are acting as the home routers for consumer networks. Any 
    application linking to libupnp is likely to be affected and a list of 
    confirmed vendors and products is provided in Appendix B.

Additional details may be found in a paper and advisory from Rapid7.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on 
the device or cause a denial of service.

Solution

Apply an Update

libupnp 1.6.18 has been released to address these vulnerabilities.
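
Added example (not part of the original bulletin and not libupnp code): one
way to triage an inventory of SERVER banners against the version ranges quoted
above. The banner format, the status labels and the sample banners are
assumptions; later 1.6.x releases are assumed to retain the 1.6.18 fix.

```python
import re

# Assumed banner shape (not given in the advisory): libupnp builds usually
# report "<Intel|Portable> SDK for UPnP devices/<version>" in SERVER headers.
BANNER_RE = re.compile(
    r"(Intel|Portable) SDK for UPnP devices\s*/\s*(\d+(?:\.\d+){1,2})[a-z]?",
    re.IGNORECASE,
)

FIXED = "fixed"                    # 1.6.18, the release named as the fix
AFFECTED = "affected"              # the three unique_service_name() overflows
AFFECTED_EXTRA = "affected+extra"  # plus the additional pre-1.6.17 issues
UNLISTED = "not-listed"            # outside the ranges the advisory gives
NO_BANNER = "no-libupnp-banner"    # proves nothing; a device may hide its SDK

def parse_banner(banner):
    """Return (sdk, (major, minor, patch)) or None if no SDK string is found."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    parts = [int(p) for p in m.group(2).split(".")]
    parts += [0] * (3 - len(parts))           # "1.2" -> (1, 2, 0)
    return m.group(1).capitalize(), tuple(parts)

def classify(banner):
    parsed = parse_banner(banner)
    if parsed is None:
        return NO_BANNER
    sdk, ver = parsed
    if sdk == "Intel":                        # advisory lists Intel SDK 1.2 only
        return AFFECTED_EXTRA if ver[:2] == (1, 2) else UNLISTED
    if ver < (1, 2, 1) or ver > (1, 8, 0):    # letter suffix ("1.2.1a") ignored
        return UNLISTED
    if ver[:2] == (1, 6) and ver >= (1, 6, 18):
        return FIXED                          # assumption: later 1.6.x keep the fix
    return AFFECTED_EXTRA if ver < (1, 6, 17) else AFFECTED

# Constructed sample banners, not captured from real devices.
SAMPLE_BANNERS = [
    "Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6",
    "Linux/3.2.0, UPnP/1.0, Portable SDK for UPnP devices/1.6.17",
    "Linux/3.2.0, UPnP/1.0, Portable SDK for UPnP devices/1.6.18",
    "Linux/2.4.20, UPnP/1.0, Intel SDK for UPnP devices/1.2",
    "ExampleOS/1.0 UPnP/1.0 ExampleStack/2.0",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{classify(banner):18} {banner}")
```

A "no-libupnp-banner" result only means the banner did not name the SDK; such
devices still need the firewall or disable-UPnP mitigations below.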

Restrict Access

Deploy firewall rules to block untrusted hosts from being able to access port
1900/udp.

Disable UPnP

Consider disabling UPnP on the device if it is not absolutely necessary.
 
Vendor Information

We attempted to notify more than 200 vendors identified by Rapid7 as running 
libupnp. The following list includes vendors who responded to our notification
and vendors for whom we had existing security contact information.

Vendor                  Status         Date Notified   Date Updated
Cisco Systems, Inc.     Affected       13 Dec 2012     29 Jan 2013
Fujitsu Technology      Affected       10 Jan 2013     29 Jan 2013
Huawei Technologies     Affected       13 Dec 2012     29 Jan 2013
Linksys                 Affected       13 Dec 2012     29 Jan 2013
NEC Corporation         Affected       13 Dec 2012     29 Jan 2013
Siemens                 Affected       13 Dec 2012     29 Jan 2013
Sony Corporation        Affected       13 Dec 2012     29 Jan 2013
Ubiquiti Networks       Not Affected   09 Jan 2013     29 Jan 2013
3com Inc                Unknown        13 Dec 2012     29 Jan 2013
Axis                    Unknown        13 Dec 2012     29 Jan 2013
Belkin, Inc.            Unknown        13 Dec 2012     29 Jan 2013
D-Link Systems, Inc.    Unknown        13 Dec 2012     29 Jan 2013
Debian GNU/Linux        Unknown        13 Dec 2012     29 Jan 2013
EMC Corporation         Unknown        13 Dec 2012     29 Jan 2013
Geexbox                 Unknown        11 Jan 2013     29 Jan 2013
ipitomy                 Unknown        08 Jan 2013     29 Jan 2013
Koukaam                 Unknown        10 Jan 2013     29 Jan 2013
Logitech                Unknown        04 Jan 2013     29 Jan 2013
Motorola, Inc.          Unknown        13 Dec 2012     29 Jan 2013
Netgear, Inc.           Unknown        13 Dec 2012     29 Jan 2013
orb Networks            Unknown        16 Jan 2013     29 Jan 2013
Pantech North America   Unknown        13 Dec 2012     29 Jan 2013
Red Hat, Inc.           Unknown        04 Dec 2012     29 Jan 2013
SFR                     Unknown        04 Jan 2013     29 Jan 2013
Sitecom                 Unknown        04 Jan 2013     29 Jan 2013
SMC Networks, Inc.      Unknown        04 Jan 2013     29 Jan 2013
Synology                Unknown        13 Dec 2012     29 Jan 2013
Texas Instruments       Unknown        13 Dec 2012     29 Jan 2013
TP-Link                 Unknown        04 Jan 2013     29 Jan 2013
Ubuntu                  Unknown        04 Dec 2012     29 Jan 2013
Visual Tools            Unknown        10 Jan 2013     29 Jan 2013
ZyXEL                   Unknown        13 Dec 2012     29 Jan 2013

CVSS Metrics

Group           Score   Vector
Base            10.0    AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal        8.7     E:H/RL:OF/RC:C
Environmental   6.6     CDP:L/TD:M/CR:M/IR:M/AR:M

References

   * http://pupnp.sourceforge.net/
   * https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
   * https://community.rapid7.com/docs/DOC-2150
   * https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf
   * http://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp
   * http://www.kb.cert.org/vuls/id/357851
   * http://opentools.homeip.net/dev-tools-for-upnp
   * http://upnp.sourceforge.net/

Credit

Thanks to HD Moore of Rapid7 for reporting this vulnerability, and Tod 
Beardsley for coordination support.

This document was written by Jared Allar.

Other Information

    CVE IDs: CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 
    CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965

    Date Public: 29 Jan 2013

    Date First Published: 29 Jan 2013

    Date Last Updated: 29 Jan 2013

    Document Revision: 48

Feedback

If you have feedback, comments, or additional information about this 
vulnerability, please send us email.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================