A new vulnerability has been found in UPnP – the set of network protocols that allows routers, PCs and other devices to easily discover each other on a network.
US-Cert’s Vulnerability Note explains how a specific library (libupnp), used by many UPnP (Universal Plug and Play) implementations in routers, contains multiple buffer overflow vulnerabilities.
These could be used by hackers to remotely discover (and exploit i.e. take over) those routers – security researchers Rapid7 found that the vulnerable library was used by at least 20 million networked devices exposed directly to the internet.
Wikipedia define UPnP as “intended primarily for residential networks without enterprise class devices” i.e. the routers (and WiFi routers) most commonly used by home users are also most likely to incorporate UPnP. Unfortunately, UPnP is often enabled by default – especially (in my experience) on routers provided by ISPs.
Check If Your Router Is Vulnerable – Rapid7 have produced a simple webpage test to check if your router is vulnerable to attack as a result of UPnP being enabled and exposed to the internet. Visit the test page here and press the Scan My Router button – hopefully you should see a message that your router did not respond to a UPnP request from the internet:
A good alternative is the UPnP test page at Gibson Research Corporation here – press the ‘Proceed’ button and accept the ‘mixed security’ warning message (if it appears) then click the ‘GRC Instant UPnP Exposure Test’ button. Hopefully you see a message that your equipment did not respond to the UPnP probes:
What To Do If Your Router Failed The Test(s)? Until router manufacturers provide an update for affected routers (and it may not be possible for you to update an ISP router anyway), the simplest way to fix this vulnerability is to disable UPnP within your router.
Warning: Disabling UPnP may adversely affect streaming or file sharing applications – especially media servers. Weigh up the security risks if you wish to leave it enabled or see the Tech Note below.
To do this you will need to access your router configuration pages – see our guide.
Once in the configuration pages there is no standard place to find the option to enable/disable UPnP – it may come under a section on Firewall, Security or Advanced etc but you may have to search around all sections for it (consult your router’s manual or manufacturer’s website for help if necessary).
Once you find it, change UPnP to ‘Disabled’ or ‘Off’ etc and save your changes if required. Now rerun the above tests again and your router should pass both tests.
[Tech Note: a more complex alternative would be to create new firewall rules to block untrusted hosts from access to the UDP Port 1900 which is used to receive messages broadcast by other UPnP devices. See your router manual for information on firewall rules.]
Software and firmware on routers are not often updated by home users and there is no timescale from manufacturers for updates to fix this vulnerability. UPnP has long been considered a general security risk so this new vulnerability just adds another reason to disable it for best security.