__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                          INFORMATION BULLETIN

                  Universal Plug and Play Vulnerability
                [US-CERT Vulnerability Note VU#347812]

January 17, 2008 19:00 GMT                                       Number S-120
______________________________________________________________________________

PROBLEM:       Multiple vendors ship devices with UPnP enabled by default. By
               convincing a user to open a malicious URL, an attacker may be
               able to remotely control or configure UPnP enabled devices.

PLATFORM:      UPnP

DAMAGE:        An attacker may be able to remotely control or configure UPnP
               enabled devices.

SOLUTION:      At this time, there is no practical solution to this problem.
               See the bulletin below for workarounds.
______________________________________________________________________________

VULNERABILITY  The risk is LOW. By convincing a user to open a malicious URL,
ASSESSMENT:    an attacker may be able to remotely control or configure UPnP
               enabled devices.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-120.shtml
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/347812
______________________________________________________________________________

[***** Start US-CERT Vulnerability Note VU#347812 *****]

Vulnerability Note VU#347812

UPnP enabled by default in multiple devices

Overview

Multiple vendors ship devices with UPnP enabled by default. By convincing a
user to open a malicious URL, an attacker may be able to remotely control or
configure UPnP enabled devices.

I. Description

Universal Plug and Play (UPnP) is a collection of protocols maintained and
distributed by the UPnP Forum. UPnP is designed to allow network devices to
easily connect to each other.
UPnP enabled applications may be able to control other UPnP enabled devices
such as firewalls or routers automatically and without authentication. Some
applications may rely on UPnP to automatically open ports on routers or
automatically set other parameters on compatible devices.

Multiple vendors ship devices with UPnP enabled by default. These devices may
be configured to only listen for UPnP requests on local networks or wireless
interfaces. By using browser plugins that execute in the context of the local
system, an attacker may be able to send UPnP messages to local devices without
authentication. One researcher has demonstrated an attack vector that uses the
Adobe Flash plugin.

Note that to successfully exploit this vulnerability an attacker would need to
be able to guess the IP address of an affected device. This IP address may
also be enumerated through browser headers or other methods.

II. Impact

By convincing a victim to click on a link in an HTML document (web page, HTML
email), an attacker could issue any command or change any configuration that
can be set via UPnP on an affected device. If the affected device is providing
routing or firewalling services to clients, an attacker may be able to change
firewall and port forwarding rules, modify DNS settings, change wireless
encryption keys, or set arbitrary administration passwords.

III. Solution

We are currently unaware of a practical solution to this problem.

Workarounds for administrators

UPnP should be disabled on devices that are being used to enforce security
policies or are connected to untrusted networks, such as the Internet.
Filtering the IGMP protocol between LAN segments may prevent UPnP devices from
connecting to networks that they are not authorized to access.

Workarounds for users

Disabling UPnP on network devices will mitigate this vulnerability. Note that
disabling UPnP will cause any devices or applications that rely on UPnP to
fail or operate with reduced functionality.
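The two facts the note relies on are that UPnP gateways advertise themselves over SSDP and that their firewall and port-forwarding rules are changed through unauthenticated SOAP control calls. The following Python audit helper, added here as an illustration and not part of the US-CERT note or CIAC bulletin, shows how a defender can verify the workaround above from captured traffic: it parses SSDP discovery replies and flags any device still advertising Internet Gateway Device (IGD) services, and it inspects a captured HTTP control request to report whether it carries a port-mapping SOAP action. The IGD device/service identifiers and the SOAPACTION header format are the UPnP Forum's; the IP addresses, UUIDs and message bodies are constructed sample data.

```python
"""Offline UPnP exposure audit (added example; not the bulletin's own code).

1. audit_ssdp(): parse captured SSDP (HTTPU) discovery replies and flag
   devices that advertise IGD services, i.e. routers/firewalls that still
   answer UPnP and per the bulletin should have it disabled.
2. port_mapping_action(): inspect a captured HTTP request to a UPnP control
   URL and return the SOAP action if it adds or removes a port mapping.

All sample messages below are constructed for this example.
"""
import re
from dataclasses import dataclass

# UPnP Forum identifiers for gateway devices/services. A device advertising
# these accepts firewall and port-forwarding changes over UPnP, which the
# bulletin notes happens without authentication.
IGD_MARKERS = (
    "urn:schemas-upnp-org:device:InternetGatewayDevice",
    "urn:schemas-upnp-org:service:WANIPConnection",
    "urn:schemas-upnp-org:service:WANPPPConnection",
)

# SOAP actions on WAN*Connection services that alter forwarding rules.
PORT_MAPPING_ACTIONS = {"AddPortMapping", "DeletePortMapping", "AddAnyPortMapping"}


@dataclass
class Finding:
    address: str      # sender of the SSDP reply
    location: str     # LOCATION header (device description URL)
    service: str      # ST/NT header (search target)
    is_gateway: bool  # True when an IGD marker is advertised


def parse_httpu(message: str) -> dict:
    """Parse the head of an HTTPU/HTTP message (SSDP reply, NOTIFY or control
    request) into {UPPER_HEADER_NAME: value}; the start line is under "START"."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"START": lines[0].strip()}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines, which real SSDP stacks do emit
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    return headers


def audit_ssdp(replies) -> list:
    """replies: iterable of (sender_ip, raw_reply_text). One Finding per reply."""
    findings = []
    for sender, raw in replies:
        h = parse_httpu(raw)
        service = h.get("ST") or h.get("NT") or ""
        usn = h.get("USN", "")
        is_gateway = any(m in service or m in usn for m in IGD_MARKERS)
        findings.append(Finding(sender, h.get("LOCATION", ""), service, is_gateway))
    return findings


def port_mapping_action(http_request: str):
    """Return the SOAP action name if the request is a UPnP control POST that
    adds or removes a port mapping, else None."""
    h = parse_httpu(http_request)
    if not h["START"].startswith("POST "):
        return None
    # SOAPACTION looks like "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
    soapaction = h.get("SOAPACTION", "").strip('"')
    m = re.fullmatch(r"urn:schemas-upnp-org:service:WAN(?:IP|PPP)Connection:\d+#(\w+)", soapaction)
    if m and m.group(1) in PORT_MAPPING_ACTIONS:
        return m.group(1)
    return None


# --- constructed sample data (not captured from any real device) --------------
SAMPLE_REPLIES = [
    ("192.0.2.1",   # constructed gateway that still answers UPnP
     "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
     "LOCATION: http://192.0.2.1:5000/igd.xml\r\n"
     "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
     "USN: uuid:EXAMPLE-GW::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"),
    ("192.0.2.50",  # constructed media renderer; UPnP but not a gateway
     "HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.50:49152/desc.xml\r\n"
     "ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
     "USN: uuid:EXAMPLE-TV::urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n"),
]

SAMPLE_CONTROL_REQUEST = (
    "POST /upnp/control/WANIPConn1 HTTP/1.1\r\nHOST: 192.0.2.1:5000\r\n"
    "CONTENT-TYPE: text/xml; charset=\"utf-8\"\r\n"
    "SOAPACTION: \"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\"\r\n\r\n"
    "<s:Envelope>...</s:Envelope>"
)

if __name__ == "__main__":
    for f in audit_ssdp(SAMPLE_REPLIES):
        flag = "GATEWAY: disable UPnP" if f.is_gateway else "non-gateway"
        print(f"{f.address:15} {flag:22} {f.service}")
    print("control request action:", port_mapping_action(SAMPLE_CONTROL_REQUEST))
```

Feed audit_ssdp() the replies a packet capture shows arriving after an M-SEARCH, or the NOTIFY announcements devices send on their own; any Finding with is_gateway set is a router or firewall on which the bulletin's workaround has not yet been applied. port_mapping_action() is the check to run over captured HTTP traffic toward the gateway's control port when deciding whether a host-based filter is actually catching UPnP control traffic.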
Disabling UPnP in desktop operating systems may prevent an attacker from
exploiting this vulnerability. Microsoft Windows XP users should see the
workarounds section of Microsoft Security Bulletin MS07-019 for instructions
on how to disable UPnP.

Using the Mozilla Firefox NoScript extension to whitelist web sites that can
run scripts and access installed plugins may prevent this vulnerability from
being exploited.

Using host-based firewalls to filter ports 1900/udp and 2869/tcp both inbound
and outbound may prevent this vulnerability from being exploited by blocking
the ports that UPnP uses. Note that the Windows Vista firewall blocks UPnP by
default. This workaround may not be able to prevent exploitation of this
vulnerability.

Systems Affected

Vendor                                             Status          Date Updated
3com, Inc.                                         Unknown         15-Jan-2008
Alcatel                                            Unknown         15-Jan-2008
Apple Computer, Inc.                               Unknown         15-Jan-2008
AT&T                                               Unknown         15-Jan-2008
Avaya, Inc.                                        Unknown         15-Jan-2008
Avici Systems, Inc.                                Unknown         15-Jan-2008
Borderware Technologies                            Unknown         15-Jan-2008
Bro                                                Unknown         15-Jan-2008
CentOS                                             Unknown         15-Jan-2008
Charlotte's Web Networks                           Unknown         15-Jan-2008
Check Point Software Technologies                  Unknown         15-Jan-2008
Cisco Systems, Inc.                                Unknown         15-Jan-2008
Clavister                                          Unknown         15-Jan-2008
Computer Associates                                Unknown         15-Jan-2008
Computer Associates eTrust Security Management     Unknown         15-Jan-2008
Conectiva Inc.                                     Unknown         15-Jan-2008
Cray Inc.                                          Unknown         15-Jan-2008
D-Link Systems, Inc.                               Unknown         15-Jan-2008
Data Connection, Ltd.                              Unknown         15-Jan-2008
Debian GNU/Linux                                   Unknown         15-Jan-2008
EMC Corporation                                    Unknown         15-Jan-2008
Engarde Secure Linux                               Unknown         15-Jan-2008
Enterasys Networks                                 Unknown         15-Jan-2008
Ericsson                                           Unknown         15-Jan-2008
eSoft, Inc.                                        Unknown         15-Jan-2008
Extreme Networks                                   Unknown         15-Jan-2008
F5 Networks, Inc.                                  Unknown         15-Jan-2008
Fedora Project                                     Unknown         15-Jan-2008
Force10 Networks, Inc.                             Unknown         15-Jan-2008
Fortinet, Inc.                                     Unknown         15-Jan-2008
Foundry Networks, Inc.                             Unknown         15-Jan-2008
FreeBSD, Inc.                                      Unknown         15-Jan-2008
Fujitsu                                            Unknown         15-Jan-2008
Gentoo Linux                                       Unknown         15-Jan-2008
Global Technology Associates                       Unknown         15-Jan-2008
Hewlett-Packard Company                            Unknown         15-Jan-2008
Hitachi                                            Unknown         15-Jan-2008
Hyperchip                                          Unknown         15-Jan-2008
IBM Corporation                                    Unknown         15-Jan-2008
IBM Corporation (zseries)                          Unknown         15-Jan-2008
IBM eServer                                        Unknown         15-Jan-2008
Ingrian Networks, Inc.                             Unknown         15-Jan-2008
Intel Corporation                                  Unknown         15-Jan-2008
Internet Security Systems, Inc.                    Unknown         15-Jan-2008
Intoto                                             Unknown         15-Jan-2008
IP Filter                                          Unknown         15-Jan-2008
Juniper Networks, Inc.                             Unknown         15-Jan-2008
Linksys (A division of Cisco Systems)              Unknown         15-Jan-2008
Lucent Technologies                                Unknown         15-Jan-2008
Luminous Networks                                  Unknown         15-Jan-2008
m0n0wall                                           Unknown         15-Jan-2008
Mandriva, Inc.                                     Unknown         15-Jan-2008
McAfee                                             Unknown         15-Jan-2008
Microsoft Corporation                              Unknown         15-Jan-2008
MontaVista Software, Inc.                          Unknown         15-Jan-2008
Multinet (owned Process Software Corporation)      Unknown         15-Jan-2008
Multitech, Inc.                                    Unknown         15-Jan-2008
NEC Corporation                                    Unknown         15-Jan-2008
NetBSD                                             Unknown         15-Jan-2008
netfilter                                          Unknown         15-Jan-2008
Netgear, Inc.                                      Unknown         15-Jan-2008
Network Appliance, Inc.                            Unknown         15-Jan-2008
NextHop Technologies, Inc.                         Unknown         15-Jan-2008
Nokia                                              Unknown         15-Jan-2008
Nortel Networks, Inc.                              Unknown         15-Jan-2008
Novell, Inc.                                       Unknown         15-Jan-2008
OpenBSD                                            Unknown         15-Jan-2008
Openwall GNU/*/Linux                               Unknown         16-Jan-2008
QNX, Software Systems, Inc.                        Unknown         15-Jan-2008
RadWare, Inc.                                      Unknown         15-Jan-2008
Red Hat, Inc.                                      Unknown         15-Jan-2008
Redback Networks, Inc.                             Unknown         15-Jan-2008
Riverstone Networks, Inc.                          Unknown         15-Jan-2008
Secure Computing Network Security Division         Unknown         15-Jan-2008
Secureworx, Inc.                                   Unknown         15-Jan-2008
Silicon Graphics, Inc.                             Unknown         15-Jan-2008
Slackware Linux Inc.                               Unknown         15-Jan-2008
SmoothWall                                         Unknown         15-Jan-2008
Snort                                              Unknown         15-Jan-2008
Sony Corporation                                   Unknown         15-Jan-2008
Sourcefire                                         Unknown         15-Jan-2008
Stonesoft                                          Unknown         15-Jan-2008
Sun Microsystems, Inc.                             Unknown         15-Jan-2008
SUSE Linux                                         Unknown         15-Jan-2008
Symantec, Inc.                                     Unknown         15-Jan-2008
The SCO Group                                      Unknown         15-Jan-2008
TippingPoint, Technologies, Inc.                   Not Vulnerable  16-Jan-2008
Trustix Secure Linux                               Unknown         15-Jan-2008
Turbolinux                                         Unknown         15-Jan-2008
Ubuntu                                             Unknown         15-Jan-2008
Unisys                                             Unknown         15-Jan-2008
Watchguard Technologies, Inc.                      Unknown         15-Jan-2008
Wind River Systems, Inc.                           Unknown         15-Jan-2008
ZyXEL                                              Unknown         15-Jan-2008

References

http://www.upnp.org/
http://www.upnp.org/download/UPnP_Vendor_Implementation_Guide_Jan2001.htm
http://www.upnp.org/membership/members.asp
http://www.gnucitizen.org/blog/hacking-the-interwebs
http://windowshelp.microsoft.com/Windows/en-US/Help/32f3845b-eda0-4168-be8d-90f07250d8101033.mspx
http://www.microsoft.com/technet/security/Bulletin/MS07-019.mspx
http://www.us-cert.gov/reading_room/securing_browser/
http://noscript.net/features#contentblocking
http://linux-igd.sourceforge.net/
http://www.shorewall.net/UPnP.html

Credit

Information about this vulnerability was released by PDP on the GNUCITIZEN
website.

This document was written by Ryan Giobbi.

Other Information

Date Public              01/15/2008
Date First Published     01/15/2008 01:47:51 PM
Date Last Updated        01/16/2008
CERT Advisory
CVE Name
Metric                   9.83
Document Revision        52

[***** End US-CERT Vulnerability Note VU#347812 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of US-CERT for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall
not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-110: OpenAFS Vulnerability
S-111: HP OpenView Operations (OVO) Agents Running Shared Trace Service
       Vulnerability
S-112: SSH Tectia Client and Server Vulnerability
S-113: Tog-Pegasus Security Update
S-114: Dovecot Vulnerability
S-115: AOL Radio AOLMediaPlaybackControl.exe Vulnerability
S-116: HP-UX Running X Font Server (xfs) Software
S-117: Oracle Critical Patch Update - January 2008
S-118: Apache httpd Vulnerabilities
S-119: apt-listchanges Vulnerability