Menu
What's new
By:
Filters Better Search

A 100,000-router botnet is feeding on a 5-year-old UPnP bug in Broadcom chips

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

microchip

microchip

Very Senior Member
Researchers from Netlab 360, reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means.
Click to expand...

https://arstechnica.com/information...g-on-a-5-year-old-upnp-bug-in-broadcom-chips/

Patch status is still currently unknown from ASUS, I was not able to find any more info from their official channels. If anyone else knows, please chime in.

Another reason to disable UPnP and not look back.
 
your router is a hidden terminator :p
People really need to realise that routers can be vulnerable crappy pieces of hardware, they should hold manufacturers to a higher standard. Cars have NCAP, what do routers have :'( ?
 
SMS786 said:
Patch status is still currently unknown from ASUS, I was not able to find any more info from their official channels. If anyone else knows, please chime in.
Click to expand...
Read the original article. This only applies to ancient devices that were running Broadcom's UPnP stack. This is not applicable to Asuswrt (which uses miniupnpd).
 
Last edited:
SMS786 said:
Patch status is still currently unknown from ASUS, I was not able to find any more info from their official channels. If anyone else knows, please chime in.
Click to expand...

Asus does not use Broadcom's UPnP, so there is nothing for them to patch.
 
Getting a fair amount of UDP traffic on the WAN side from private addresses lately...

(should never see this on the WAN side - traffic from 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8 - might be useful to some to install an iptables rule on the WAN interface to just drop any traffic from those ranges

see below - AA.B.CCC.DDD is my WAN address...

Code: 
Time            Source    Rule                                              Source                  Dest                  Proto
===============|=========================================================|=======================|=====================|===
Nov 16 14:40:51    WAN    Block ULA networks from WAN block fc00::/7 (12000)      192.168.62.11:37310      AA.B.CCC.DDD:35994    UDP
Nov 16 14:40:51    WAN    Block ULA networks from WAN block fc00::/7 (12000)      192.168.62.10:46267      AA.B.CCC.DDD:39488    UDP
Nov 16 14:40:54    WAN    Block ULA networks from WAN block fc00::/7 (12000)      192.168.62.11:37310      AA.B.CCC.DDD:35994    UDP
Nov 16 14:40:54    WAN    Block ULA networks from WAN block fc00::/7 (12000)      192.168.62.10:46267      AA.B.CCC.DDD:39488    UDP
Nov 16 14:40:57    WAN    Block ULA networks from WAN block fc00::/7 (12000)      192.168.62.11:37310      AA.B.CCC.DDD:35994    UDP
Nov 16 14:40:57    WAN    Block ULA networks from WAN block fc00::/7 (12000)      192.168.62.10:46267      AA.B.CCC.DDD:39488    UDP
Nov 16 14:41:00    WAN    Block ULA networks from WAN block fc00::/7 (12000)      192.168.62.11:37310      AA.B.CCC.DDD:35994    UDP
Nov 16 14:41:00    WAN    Block ULA networks from WAN block fc00::/7 (12000)      192.168.62.10:46267      AA.B.CCC.DDD:39488    UDP
Nov 16 14:41:03    WAN    Block ULA networks from WAN block fc00::/7 (12000)      192.168.62.11:37310      AA.B.CCC.DDD:35994    UDP
Nov 16 14:41:03    WAN    Block ULA networks from WAN block fc00::/7 (12000)      192.168.62.10:46267      AA.B.CCC.DDD:39488    UDP
Nov 16 14:41:06    WAN    Block ULA networks from WAN block fc00::/7 (12000)      192.168.62.11:37310      AA.B.CCC.DDD:35994    UDP
Nov 16 14:41:06    WAN    Block ULA networks from WAN block fc00::/7 (12000)      192.168.62.10:46267      AA.B.CCC.DDD:39488    UDP
 
You must log in or register to reply here.
Similar threads
Thread starter Title Forum Replies Date
O US lawmakers urge probe of WiFi router maker TP-Link over fears of Chinese cyber attacks General Network Security 14
J CSA rates router security and lifespan General Network Security 5
M How to prevent being hacked again - Router & devices? 😢 General Network Security 24
J Are you thinking about a Totolink router? General Network Security 1
PR3MIUM News Mirai DDoS malware variant expands targets with 13 router exploits [D-Link, TP-Link Archer, Yealink, Zyxel...] General Network Security 10
J Could a router be hacked from WAN end if firmware always up to date, no portwarding, no upnp and wifi disabled. General Network Security 5

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 821 (members: 26, guests: 795)
Top