SECURITY ALERT: Universal Plug and Play Vulnerability

Category: Security

Security research firm Rapid7 has identified a serious vulnerability in networking software known as Universal Plug and Play (UPnP). This UPnP component is installed in almost every network router, and is present in the Windows and Mac OS X operating systems. If your router or computer is exposed, you MUST take action to avoid the possibility of hacker attacks. Here's what you need to know, in simple terms...

What is the UPnP Security Vulnerability?

Without getting too technical, UPnP is a software component that is used by many computers, internet routers, and networkable devices. Its purpose is to make it easy to discover, connect and access networked devices such as computers, printers, webcams, DVRs, mobile devices and security systems. But serious flaws in the UPnP software makes it possible for hackers to access, disable, take over or generally wreak havoc with exposed devices using UPnP.

Because UPnP allows certain network requests to pass through your firewall, hackers could potentially access any file on vulnerable computers, steal passwords, or use compromised computers to launch other sorts of attacks. The problem is NOT limited to Windows computers. The Mac OS X and some Linux operating systems use this same Universal Plug and Play software component. For more technical details, see the US-CERT Vulnerability Note VU#922681.

UPnP Vulnerability

The folks at Rapid7 ran some tests and found that 40-50 million networked devices are vulnerable to these UPnP flaws. The good news is that an updated version of the UPnP software known as libupnp is available. The bad news is that end users can't simply apply this patch. The updated libupnp software must be integrated by software and hardware developers into the affected systems and devices. And that could take weeks or months.

So it's important that you run a few simple tests to find out if your computer, router or networked devices are vulnerable to UPnP attacks. And if so, it's essential that you take action to protect yourself.

Checking For UPnP Vulnerabilities

You can run the Rapid7 Router Security Check to test your router and determine whether it is vulnerable to external attack from the Internet. If your router is NOT vulnerable, you'll see "Congratulations! Your router did not respond to a UPnP discovery request."

To check for internal exposure, Windows users can download Rapid7's free ScanNow for UPnP tool. (Linux users should use the Metasploit tool instead. Mac users, look here for instructions on using Metasploit on Mac OS X.) After ScanNow completes, skip to the bottom of the page and look at the Overview of Results section. If it shows a zero under Exploitable, you're in good shape.

If these two checks show no vulnerabilities, you don't need to do anything further. However, if a vulnerabilty is present, you need to turn off UPnP in your router.

NOTE: You may recall that about two weeks ago I sent out an alert on a serious Java Security problem, and advised users to remove or disable Java. As it happens, the ScanNow tool requires Java. So if the ScanNow software won't run because you've uninstalled Java, I suggest that you re-install Java in order to run ScanNow, and then uninstall Java again, afterwards.

Unfortunately, it's not possible for me to give simple instructions on how to accomplish that task. There are dozens of router manufacturers, and they all use different interfaces and terminology in their configuration screens. The folks at US-CERT (the US Department of Homeland Security's Computer Emergency Readiness Team) have compiled a list of router vendors, along with links to further information provided by those vendors for dealing with the UPnP security issue. If instructions for your router are not found there, and your router was supplied or installed by your Internet Service Provider, I suggest you contact them for assistance with updating your router settings. If you purchased and installed your own router, my best advice is to search the web for "disable upnp on XYZ router", where XYZ is the router manufacturer.

If you're running Windows, I also recommend that you turn off the UPnP services that are enabled and running by default on most Windows systems. To do so:

  • Click Start, type services.msc in the search box, hit enter
  • In the services list, find SSDP Discovery
  • Double click it to open the Properties panel.
  • Set Startup Type to Disabled
  • Click the Stop button under Services Status.

You may see a message that this will also stop the "UPnP Device Host" service. That's fine. I do want to give a caveat here... After reading everything I could find about this UPnP issue, I'm not 100% sure that disabling these Windows services is absolutely necessary. But I'm reasonably sure that it can't hurt. If something doesn't work after doing so, you can undo those changes easily.

Do you have any addtional information on the UPnP vulnerability? Post your comment or question below...

 
Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 31 Jan 2013


For Fun: Buy Bob a Snickers.

Prev Article:
Geekly Update - 30 January 2013

The Top Twenty
Next Article:
Do You Need Mobile Security Protection?

Most recent comments on "SECURITY ALERT: Universal Plug and Play Vulnerability"

(See all 26 comments for this article.)

Posted by:

Darcetha
31 Jan 2013

I'm a faithful reader of your Geekly Updates and appreciate the useful information. I ran the Rapid7 Security Router test, thankfully, my router was safe.

Also, I turned off Windows UPnP services, so hopefully, I will be safer when surfing the internet. Thanks for helping us mere mortals, like myself, feel more confident when using our computer. :)


Posted by:

D.V.N.sarma
31 Jan 2013

What does this Rapid7 message mean?

{green tick] Congratulations! Your router did not respond to a UPnP discovery request.

EDITOR'S NOTE: That means your router is not vulnerable, which is good!


Posted by:

Dave Roche
31 Jan 2013

Just checked my ZyXel P-660HW-T1 v2 Router and found the UPnP default setting is set to off. You had me worried for a moment.


Posted by:

Chris
31 Jan 2013

I clicked on the link for Metasploit but it appears that Metasploit is only available for Windows and Linux.


Posted by:

Ed
31 Jan 2013

Does this issue affect DSL Modem devices?
My Westell 7500 Router is not in the device list.


Posted by:

Steve Brooks
31 Jan 2013

Thanks, Bob! I ran the ScanNow for UPnP and I had no vulnerabilities!

What's next now? Maybe we should just turn off our computers and go to the next level of technology, but wait, that will probably be comprised if even sooner than it took for our present technology to take place...sigh!


Posted by:

Bob Levy
31 Jan 2013

If I stop the Windows SSDP Discovery, Then I bet the USB devices I constantly plug and unplug would create more of a problem?

I use kindle and android as well as lots of external USB drives!
This would be interesting if I needed to start and stop the service for local PnP devices.


Posted by:

Mark Jacobs
31 Jan 2013

There's a catch 22 with the UnPNP scanner. It requires Java and Java itself poses almost as much a threat as UnPNP. The online checker works fine. You might want to mention this to your readers. My boss (Leo Notenboom) suggests staying away even from patched versions of Java as problems keep coming up.

EDITOR'S NOTE: I addressed the Java issue in a special note on the page. Apparently people are not noticing it, since I got this same comment from several readers. Look for the yellow boxed note.


Posted by:

Raymond Combs
31 Jan 2013

Disabled UPnP in services as shown. Immediately was told that my Win 7 needed to be registered within two days!!! The regular Windows "pop-up" appeared - register now or later! I went back and turned SSDP back to manual, and no more "registering" needed!

EDITOR'S NOTE: That's odd. Are you using an unregistered version of Windows? (If so, that's a problem.)


Posted by:

Catherine
31 Jan 2013

Thank you so much for always alerting us and looking out for us when things like this happen! I really appreciate the fact that you realize there are us "newbies" out here and explain exactly how to do something. You're the best Bob!


Posted by:

Saltydog Nelson
31 Jan 2013

Hi,
I ran the Rapid 7 router security check and apparently have no problems with UPnP. However, it did install a large number of files on my system in the process. Inctrl5 shows 129 files added in various directories. It also showed quite a few registry entries added to my system.


Posted by:

Stuart Berg
31 Jan 2013

For many, many years (probably 15 or more) Steve Gibson of Gibson Research Corporation has warned about the dangers of UPnP and has even provided a free simple program to turn it "off" or "on" at
http://www.grc.com/UnPnP/UnPnP.htm
That webpage has a very thorough discussion of the problem.

EDITOR'S NOTE: I'm aware of that page. However, it was written in 2001, and includes no mention of the greater problem, which is the router vulnerability.


Posted by:

Blacksmith
01 Feb 2013

Thanks for the tip off Bob. I installed JAVA to run the checks then uninstalled it.I'm running WinXP SP3 on a fairly old machine with a 3 year old router so was pleasantly surprised to pass the tests!


Posted by:

Russell Coover
01 Feb 2013

I passed the Router test, but I'm not going to install Java RTE to get ScanNow for UPnP to work. Perhaps there is another way?

EDITOR'S NOTE: Maybe Metasploit. I have not tried it to see if it needs Java.


Posted by:

Sheri
01 Feb 2013

Unlike some, Rapid 7's router scanner completed sucessfully in about a minute when I ran it. And thankfully, it said Congratulations...... :-)


Posted by:

Hal
01 Feb 2013

Thanks for this great article, Bob. Ran both tests with no difficulty and no problems found, so good news there. Can't believe someone would think you would advise your readers to use a program containing malware of any kind. Always find your info useful and reliable. Much appreciated.


Posted by:

Gerrysea
01 Feb 2013

Hi Bob. Thanks for the heads-up on this one, once again proving the value of your newsletter.

I Got the congrat's message from the 'Router Scanner' so that looked OK? But the scanNow result showed "Exploitable" (Red cross) '0' and "Identified" (Green tick) '5'. The result details listed all networked equipment; Three PC's, Laptop, printer and the "Router/Hub". All of these were listed by IP address with a red 'X' and '0' under the heading 'Exploitable', and under 'Status' each IP address (including the "Router/Hub") has a Green Tick followed by the word 'Identified'.

In your post you state " If it shows zeros under both Exploitable and Identified, you're in good shape"?

So under Status; what does the 'Green Tick followed by the word 'Identified' indicate? If the lack of a zero here means all is not well, then it would appear that the two Rapid7 checks are giving contradictory results. Your advice would be gratefully appreciated, Bob.

EDITOR'S NOTE: I should have said that if none are Exploitable, you're okay.



Posted by:

Risden
01 Feb 2013

No problem whatsoever with Rapid7 Router Security Check: "Congratulations..." received. No problem with ScanNow for UPnP, but it identified one vulnerability. Just contacted my ISP and got directed to their webpage whereby I can access the "ins" and "outs" of my settings. Found UPnP with no problem. Your directions for all this and for the "UPnP Device Host" service were easy to follow and execute. Thanks again for your help!


Posted by:

Lucy
01 Feb 2013

Thanks Bob for this timely warning. I have run both tests, and I did have to temporarily enable JAVA, and I got good reports. Is this security check something I should run regularly, or after adding any new peripheral, or is this one check sufficient?

EDITOR'S NOTE: If your router is okay, I wouldn't worry further about it.


Posted by:

souprman
18 Feb 2013

Rapid7 secouity router check would not work on my new WD Mynet1300ac router. After 5 min of that gear turning I cancelled the test.
Now What???


There's more reader feedback... See all 26 comments for this article.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! And please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are previewed, and may be edited before posting.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
RSS   Add to My Yahoo!   Feedburner Feed
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy -- See my profile on Google.
[an error occurred while processing this directive]


Article information: AskBobRankin -- SECURITY ALERT: Universal Plug and Play Vulnerability (Posted: 31 Jan 2013)
Source: http://askbobrankin.com/security_alert_universal_plug_and_play_vulnerability.html
Copyright © 2005 - Bob Rankin - All Rights Reserved