UPnP networking flaw puts millions of PCs at risk

Common bugs in networking systems are placing PCs, printers and storage devices at risk, according to security researchers.

According to the security team at Rapid7, technology used worldwide in both routers and standard networking equipment is making it possible for hackers to potentially infiltrate approximately 40 million to 50 million devices worldwide.

The vulnerability lies in the standard known as Universal Plug and Play (UPnP). This standard set of networking protocols allows devices such as PCs, printers and Wi-Fi access points to communicate and discover each other's presence. After discovery, devices can be connected through a network in order to share files, printing capability and the Internet.

In a white paper released today, researchers from the security software maker say that while UPnP might make network setup cheaper and more efficient, it harbors a severe security risk.

The paper focuses on programming flaws in common UPnP discovery protocol (SSDP) implementations which can be exploited to crash the service and execute arbitrary code, the exposure of the UPnP control interface (SOAP) on private networks, and programming flaws in both UPnP HTTP and SOAP overall.

Over 80 million unique IPs were identified that responded to UPnP discovery requests from the Internet due to the "misconfiguration" of the UPnP SSDP discovery service across thousands of products. Over 73 percent of all UPnP instances discovered through SSDP were derived from only four software development kits.

In addition, the UPnP SOAP service was found to provides access to device functions that should not be allowed from untrusted networks -- such as opening holes in a firewall.

Rapid7 also says that the two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities. For example, in the case of the Portable UPnP SDK, "over 23 million IPs are vulnerable to remote code execution through a single UDP packet." A patch has been released, but it will take a long time before this patch is included in vendor products, according to the firm.

The paper states:

In most cases, network equipment that is "no longer shipping" will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new. The flaws identified in the MiniUPnP software were fixed over two years ago, yet over 330 products are still using older versions.

The team's findings are below:

The researchers say that over 1,500 vendors and 6,900 products were identified and vulnerable to at least one of these security flaws. Vendors with vulnerable products include Belkin, Linksys and Netgear. These flaws, unless disabled or fixed, could allow hackers access to confidential business files and passwords, or grant them control over devices including printers and webcams remotely.

Chris Wysopal, chief technology officer of security software firm Veracode, told Reuters that the publication of these findings would bring widespread attention to UPnP, commenting:

This definitely falls into the scary category. There is going to be a lot more research on this. And the follow-on research could be a lot scarier.

The firm suggests that in order to combat the possible threat, end users, firms and ISPs should identify and disable any UPnP endpoints within their systems and networks, and be aware that many devices come with UPnP enabled by default.

This story originally appeared at ZDNet's Between the Lines under the headline "Millions of PCs exposed through network bugs, security researchers find."