New Upnp exploit affecting most Asus routers - "UPNproxy: Blackhat Proxies via NAT Injections"

[o-l-a-v]

I read at AndroidCentral that there's been found a huge UPNp exploit, further described by Akami.
It's called "UPnProxy: Blackhat Proxies via NAT Injections".
I haven't found any info on which firmware versions are affected, and can't see anything mentioned in change logs on my routers (AC68U and AC3200).

Anyone got more info?

List on Asus routers affected (Taken from the PDF by Akami):

DSL-AC68R
DSL-AC68U
DSL-N55U
DSL-N55U-B
MTK7620
RT-AC3200
RT-AC51U
RT-AC52U
RT-AC53
RT-AC53U
RT-AC54U
RT-AC55U
RT-AC55UHP
RT-AC56R
RT-AC56S
RT-AC56U
RT-AC66R
RT-AC66U
RT-AC66W
RT-AC68P
RT-AC68R
RT-AC68U
RT-AC68W
RT-AC87R
RT-AC87U
RT-G32
RT-N10E
RT-N10LX
RT-N10P
RT-N10PV2
RT-N10U
RT-N11P
RT-N12
RT-N12B1
RT-N12C1
RT-N12D1
RT-N12E
RT-N12HP
RT-N12LX
RT-N12VP
RT-N13U
RT-N14U
RT-N14UHP
RT-N15U
RT-N16
RT-N18U
RT-N53
RT-N56U
RT-N65R
RT-N65U
RT-N66R
RT-N66U
RT-N66W
SP-AC2015
WL500

Sources:

• Android Central - "This new router exploit is the motivation you need to switch to a mesh solution"
  https://www.androidcentral.com/your-wi-fi-router-probably-vulnerable-new-botnet-exploit
  
• Akami - PDF on "UPnProxy: Blackhat Proxies via NAT Injections"
  https://www.akamai.com/us/en/multim...at-proxies-via-nat-injections-white-paper.pdf

 

[RMerlin]

They claim that the exploit requires WAN access of the service. Thing is, Asuswrt does NOT open UPnP to the WAN, so I have no idea how they can claim it's vulnerable to that exploit...

 

[Ronald Schwerer]

Would turning off UPnP in WAN settings protect an uninfected router?

 

[SwampKracker]

The AndroidCentral article seems to be an advertisement for Google WiFi.

 

[OzarkEdge]

"How to fix it... disable UPnP services on the device."

OE

 

[ColinTaylor]

They claim that the exploit requires WAN access of the service. Thing is, Asuswrt does NOT open UPnP to the WAN, so I have no idea how they can claim it's vulnerable to that exploit...

That's my reading of it as well. It's all based on this assertion:

How Does The NAT Injection Work?
The simple explanation of the vulnerability that lead to NAT injections, is that these devices expose services on their WAN interface that are privileged and meant to only be used by trusted devices on a LAN. Using these exposed services, an attacker is able to inject NAT entries into the remote device, and in some cases, expose machines behind the router while in other cases inject Internet-routable hosts into the NAT table, which causes the router to act as a proxy server.

The Basics:
The information needed to exploit this vulnerability will be initially leaked in the SSDP probe response. Using the Location header, an attacker can get the details needed for communicating with the TCP-enabled UPnP daemon. Details include the port where the daemon is listening, as well as the path that will list device details and service offerings.

But that is simply not true. It seems to assume that the security vulnerabilities detailed by Rapid7 in 2013 can still be exploited and are applicable to Asus routers. Which is not the case.

 

[Sammy2]

RT-AC3100 not listed. RT-AC68U is listed. What about TM-AC1900's? Doesn't not updating the f/w for that model leave TM and Asus vulnerable to legal action?

 

[ColinTaylor]

RT-AC3100 not listed. RT-AC68U is listed.

More proof that this alleged vulnerability is based on outdated obsolete information from 2013? The RT-AC3100 didn't exist until 2015.

 

[daviworld]

I was reading this article earlier this morning.

Seems more like a scare tactic, nothing we already didn't really know. UPnP has been known to be insecure since the early 2000s.

The general advice is still the same, turn off UPnP on the WAN. If you really need the service, use a different router behind your main router.

First thing I do is disable this service on all of my device's, and I haven't really run into an issue not using it all these year's.

Also, a lot of those device's are old. I see my old ac66u on the list, anyway as long as you're practicing good security habit's on your device, you should be fine

Sent from my LG-H830 using Tapatalk

 

[Ronald Schwerer]

I have WAN UPnP turned off in the gui, but checking NVRAM I see"
admin@RT-AC68P:/tmp/home/root# cat /dev/mtd1 | grep -i upnp | grep -i wan

wan0_upnp_enable=0
wan1_upnp_enable=1
wan_upnp_enable=1​

So I'm not sure if it is really off. I don't have dual WAN enabled. FW_RT_AC68P_300438420648

 

[Sammy2]

Looks like wan1 and wan are enabled?

 

[ColinTaylor]

I have WAN UPnP turned off in the gui, but checking NVRAM I see"
admin@RT-AC68P:/tmp/home/root# cat /dev/mtd1 | grep -i upnp | grep -i wan

wan0_upnp_enable=0
wan1_upnp_enable=1
wan_upnp_enable=1​

So I'm not sure if it is really off. I don't have dual WAN enabled. FW_RT_AC68P_300438420648

It's off. wan0_ is your primary WAN interface. wan1_ is the secondary that you aren't using. And wan_ is a temporary variable used by the GUI.

 

[Ronald Schwerer]

It's off. wan0_ is your primary WAN interface. wan1_ is the secondary that you aren't using. And wan_ is a temporary variable used by the GUI.

Thanks. I manually set wan1_upnp_enable=0 and checked again - now all 3 are off.

 

[bsdsource]

These are probably routers that are currently in the wild using old ASUS Firmware. Anyways, good luck if you do use UPNP.

 

[sfx2000]

The Akamai whitepaper is from Oct 2017 - it's a concern for many vendors that still include unpatched versions of the daemon.

IIRC - AsusWRT-RMerlin isn't much at risk for this, and I'm thinking the current mainline build isn't either.

 

[RMerlin]

The Akamai whitepaper is from Oct 2017 - it's a concern for many vendors that still include unpatched versions of the daemon.

IIRC - AsusWRT-RMerlin isn't much at risk for this, and I'm thinking the current mainline build isn't either.

Asus never opened UPnP to the WAN, therefore I question their methodology when they deemed this whole list of Asus routers as vulnerable.

Thanks. I manually set wan1_upnp_enable=0 and checked again - now all 3 are off.

If you don't use Dual WAN then this setting doesn't do anything.

 

[Vexira]

I'm also sure they forgot ai protection exists.

 

[Ronald Schwerer]

Asus never opened UPnP to the WAN, therefore I question their methodology when they deemed this whole list of Asus routers as vulnerable.



If you don't use Dual WAN then this setting doesn't do anything.

I occasionally use dual wan with my Android phone (when my ISP takes a dump). But are you saying the UPnP in Asus f/w WAN settings isn't functional (other than to toggle the settings)?

 

[ColinTaylor]

But are you saying the UPnP in Asus f/w WAN settings isn't functional (other than to toggle the settings)?

UPnP is perfectly functional. He's just pointing out that the router's UPnP service can only be controlled from a device on the LAN, not the WAN. Therefore it's not possible the "hack it" from the internet.

 

[Ronald Schwerer]

UPnP is perfectly functional. He's just pointing out that the router's UPnP service can only be controlled from a device on the LAN, not the WAN. Therefore it's not possible the "hack it" from the internet.

Then it seems like it should be in the LAN settings instead of WAN. Even the nvram setting tag name implies it affects WAN.