Not exactly  some environmental news, however I thought it was interesting and worth sharing.

Almost all or maybe even all router manufacturers of routers that provide this UPnP functionality use a open source library called libupnp in their router software. However, in early 2013 this library was found to have some defects. Moreover, this library is also used in several vendor network devices, in addition to media streaming and file sharing applications or digital DVRs – so basically in any network connected device, even a lot of printers.

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices.

From wikipedia:

In January 2013 the security company Rapid7 in Boston reported on a six-month research programme. A team scanned for signals from UPnP-enabled devices announcing their availability for internet connection. Some 6900 network-aware products from 1500 companies at 81 million IP-addresses responded to their requests. 80% of the devices are home routers, others include printers, webcams and surveillance cameras. Using the UPnP-protocol, many of those devices can be accessed and/or manipulated.

In February 2013, the UPnP forum responded in a press release by recommending to use more recent versions of the used UPnP stacks, and by improving the certification program to include checks to avoid further such issues.

Cisco and LinkSys have released warnings and a list of affected products.

And CERT recommended the following – updated 30 July 2014:

Solution

Apply an Update

libupnp 1.6.18 has been released to address these vulnerabilities.

Restrict Access

Deploy firewall rules to block untrusted hosts from being able to access port 1900/udp.

Disable UPnP

Consider disabling UPnP on the device if it is not absolutely necessary.

Leave a Reply

Your email address will not be published. Required fields are marked *