UPnP buggy on most home routers

Not exactly  some environmental news, however I thought it was interesting and worth sharing.

Almost all or maybe even all router manufacturers of routers that provide this UPnP functionality use a open source library called libupnp in their router software. However, in early 2013 this library was found to have some defects. Moreover, this library is also used in several vendor network devices, in addition to media streaming and file sharing applications or digital DVRs – so basically in any network connected device, even a lot of printers.

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices.

From wikipedia:

In January 2013 the security company Rapid7 in Boston reported on a six-month research programme. A team scanned for signals from UPnP-enabled devices announcing their availability for internet connection. Some 6900 network-aware products from 1500 companies at 81 million IP-addresses responded to their requests. 80% of the devices are home routers, others include printers, webcams and surveillance cameras. Using the UPnP-protocol, many of those devices can be accessed and/or manipulated.

In February 2013, the UPnP forum responded in a press release by recommending to use more recent versions of the used UPnP stacks, and by improving the certification program to include checks to avoid further such issues.

Cisco and LinkSys have released warnings and a list of affected products.

And CERT recommended the following – updated 30 July 2014:

Solution

Apply an Update

libupnp 1.6.18 has been released to address these vulnerabilities.

Restrict Access

Deploy firewall rules to block untrusted hosts from being able to access port 1900/udp.

Disable UPnP

Consider disabling UPnP on the device if it is not absolutely necessary.

Leave a Reply

Related Posts

Another year, another COP. What will be the results? At this stage more questions than answers.
World leaders gathering for the 28th Conferences of the Parties (COPs) in a milestone moment as nations for the first time formally review progress since the Paris Agreement 2015.
When a building is demolished and rebuilt, it results in what can be termed as ‘double emissions’. This is because two sets of construction materials are required – one for the original building and another for the new structure.
We are doing composting to add nutrients to the soil, adding microbes and attracting worms, providing a healthy soil that has good moisture retention and grows healthy and strong plants, it’s all about soil health.
The Green Building Council did commission a report to explore the embodied carbon of New Zealand’s buildings and potential reduction potentials. Obviously, buildings may vary greatly in their embodied carbon but this is some average assumptions.
A little car with lots of potential and a cult community – for good reasons. They are efficient and keep going, easy care and maintenance. And now they prove to be future proof as well as they can simply be