UPnP: Actual security risks of allowing ports below 1024.

[reerden]

I have a few applications that need to forward ports below 1024 through UPnP. I would like to know if there are any actual security risks involved with allowing that? Does it really matter if a computer is compromised what ports it can open and not?

 

[AdvHomeServer]

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Ports are ports. There's nothing magical except some are used for certain functions, 80 and 443 being two obvious examples. An open and forwarded port is a vulnerability, especially if UPnP controls the door. Assume a program that asks for an open port, which UPnP agrees too. That program turns out to be a security mess that a hacker trainee could breech. You lose.

Any time you have an open and forwarded / listening port, you need to know about it and accept the risk, mitigating it as best you can. Sometimes it's just keeping the software behind the open port updated, such as OpenVPN server if a vulnerability is discovered. Some ports are PROBABLY ok if open, such as those normally associated with a slingbox. I never see attacks on those ports. I'm guessing the linux heritage of the slingbox and the lack of anything valuable to steal makes them low on the hacker hit-list. If port 22 is open and you have no certificate covering SSH access, you are facing uncertainty.

I have no hacker skills. This makes me even more cautious about risks, since they are all 100 foot tall boogymen to me. I'm even more concerned about the risks yet to be discovered than the ones reported today and in the past.

PS I'm writing a new a article about things that seemed like a good idea but weren't. This reply will end up as a bullet point in it. Thanks for asking the question.

 

[reerden]

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Ports are ports. There's nothing magical except some are used for certain functions, 80 and 443 being two obvious examples. An open and forwarded port is a vulnerability, especially if UPnP controls the door. Assume a program that asks for an open port, which UPnP agrees too. That program turns out to be a security mess that a hacker trainee could breech. You lose.

Any time you have an open and forwarded / listening port, you need to know about it and accept the risk, mitigating it as best you can. Sometimes it's just keeping the software behind the open port updated, such as OpenVPN server if a vulnerability is discovered. Some ports are PROBABLY ok if open, such as those normally associated with a slingbox. I never see attacks on those ports. I'm guessing the linux heritage of the slingbox and the lack of anything valuable to steal makes them low on the hacker hit-list. If port 22 is open and you have no certificate covering SSH access, you are facing uncertainty.

I have no hacker skills. This makes me even more cautious about risks, since they are all 100 foot tall boogymen to me. I'm even more concerned about the risks yet to be discovered than the ones reported today and in the past.

PS I'm writing a new a article about things that seemed like a good idea but weren't. This reply will end up as a bullet point in it. Thanks for asking the question.

But that's kind off the point why I'm asking this. I see no reason why a program that uses a port above 1024 can not have more vulnerabilities than a program that uses a port below 1024.

My problem is that I have several game consoles that list several ports below 1024 for port forwarding. I need to use UPnP as they auto negotiate alternative ports when one console is already using them, so manual port forwarding is not an option.

I saw many posts about forwarding ports below 1024 and most people never questioned the security impact when setting the internal minimal port to 1. I have used this setting for quite a while, but I was wondering if there were security implications.

 

[ColinTaylor]

My problem is that I have several game consoles that list several ports below 1024 for port forwarding. I need to use UPnP as they auto negotiate alternative ports when one console is already using them, so manual port forwarding is not an option.

Have a look at System Log > Port Forwarding whilst using your consoles to see what ports are actually being used.

Most of the information on the web about port forwarding for consoles is entirely incorrect. For example, many sites tell you to "forward" ports 53 and 80 which is obviously nonsense. What they should be saying is don't block outgoing traffic on port 53 and 80 (which you won't be doing unless you're connected to a corporate LAN).

 

[Jong]

I guess you are removing one line of defence. If you don't have a good firewall on your PCs/servers and/or misconfigure basic services, that setting can protect you. Provided you are sure you know everything that is going to open ports and you trust them then you are fine.

 

[reerden]

Have a look at System Log > Port Forwarding whilst using your consoles to see what ports are actually being used.

Well that doesn't work. I've tested this in the past and when the default port is in use by the other console, the second console chooses a random port that can change all the time.

Even if it doesn't, it still throws up an error message when UPnP isn't functioning and rejects incoming connections, regardless if the port is forwarded or not. So UPnP is always a must unless the default port can be used.

Most of the information on the web about port forwarding for consoles is entirely incorrect. For example, many sites tell you to "forward" ports 53 and 80 which is obviously nonsense. What they should be saying is don't block outgoing traffic on port 53 and 80 (which you won't be doing unless you're connected to a corporate LAN).

They list it on the official help page for the Xbox: http://support.xbox.com/en-us/xbox-one/networking/network-ports-used-xbox-live

Xbox Live requires the following ports to be open:

• Port 88 (UDP)
• Port 3074 (UDP and TCP)
• Port 53 (UDP and TCP)
• Port 80 (TCP)
• Port 500 (UDP)
• Port 3544 (UDP)
• Port 4500 (UDP)

How can I know for sure what port is incoming and outgoing if this list is incorrect? I've also noticed that some games tend to use different ports than others.

 

[Nullity]

Those must be outgoing. They are asking that you allow packets destined to those external ports to leave your network.

No sane person would require a gamer to have those ports listening for incoming packets.


Edit: For UPNPd to get access to the gateway's priveleged ports UPNPd would have be ran as root, which is batshit crazy. (or not)

 

[Nullity]

Well that doesn't work. I've tested this in the past and when the default port is in use by the other console, the second console chooses a random port that can change all the time.

Even if it doesn't, it still throws up an error message when UPnP isn't functioning and rejects incoming connections, regardless if the port is forwarded or not. So UPnP is always a must unless the default port can be used.



They list it on the official help page for the Xbox: http://support.xbox.com/en-us/xbox-one/networking/network-ports-used-xbox-live



How can I know for sure what port is incoming and outgoing if this list is incorrect? I've also noticed that some games tend to use different ports than others.

That page is confusing...

The only part that seems to clarify is "You may have to make a configuration change to your firewall or network hardware, such as a router, for your Xbox One console to communicate with Xbox Live."

Their ports need to be open for you to connect to them (and you need to allow those packets out).

They do not need to connect to you.

Er, a TCP connection starts with a handshake. They keep their hands open, not you.

 

[reerden]

Those must be outgoing. They are asking that you allow packets destined to those external ports to leave your network.

No sane person would require a gamer to have those ports listening for incoming packets.


Edit: For UPNPd to get access to the gateway's priveleged ports UPNPd would have be ran as root, which is batshit crazy. (or not)

Seems to be the case. I looked at their actual help forum and one of their community guys posted that only 3074 needs to be forwarded. So I put the setting back to 1024 for internal allowed ports.

That page is confusing...

The only part that seems to clarify is "You may have to make a configuration change to your firewall or network hardware, such as a router, for your Xbox One console to communicate with Xbox Live."

Their ports need to be open for you to connect to them (and you need to allow those packets out).

They do not need to connect to you.

Er, a TCP connection starts with a handshake. They keep their hands open, not you.

It seems that they list it like that because if any of those ports is taken or blocked, forwarding it causes it to become accessible to the console. So this makes it easier for their support desk to solve issues. After some more searching, it seems only 3074 needs to be forwarded, so I have put UPnP back to 1024-65535 for internal ports.

 

[ColinTaylor]

Well that doesn't work. I've tested this in the past and when the default port is in use by the other console, the second console chooses a random port that can change all the time.

Even if it doesn't, it still throws up an error message when UPnP isn't functioning and rejects incoming connections, regardless if the port is forwarded or not. So UPnP is always a must unless the default port can be used.

That's exactly my point. With UPnP enabled you can see what ports are being used and it won't be 53 or 80!

They list it on the official help page for the Xbox: http://support.xbox.com/en-us/xbox-one/networking/network-ports-used-xbox-live

Yeah, I know. However wrote that should be fired.

On one hand it says "Xbox Live requires the following ports to be open". In your case all outgoing ports are open by default. So it's not a problem.

But they also say "This configuration change is sometimes called opening ports or port forwarding", which is two different things! Really, however wrote that doesn't have a clue.

At least on the PlayStation FAQ they correctly refer to it as "open ports" and not "port forwarding".

The bottom line: Just enable UPnP for >= 1024.

 

[ColinTaylor]

Edit: For UPNPd to get access to the gateway's priveleged ports UPNPd would have be ran as root, which is batshit crazy. (or not)

Er, we're talking about the ASUS router aren't we? In which case just about everything runs as the root user (albeit renamed to admin).

 

[Nullity]

Er, we're talking about the ASUS router aren't we? In which case just about everything runs as the root user (albeit renamed to admin).

Yeah... I dunno about AsusWRT.

I was just logically considering how miniupnpd would need to be setup in a standard unix system for priv port axs.

 

[sfx2000]

I have a few applications that need to forward ports below 1024 through UPnP. I would like to know if there are any actual security risks involved with allowing that? Does it really matter if a computer is compromised what ports it can open and not?

Remember, uPNP is going to open a port for only the client that requests that port, and for the duration that the client application is running, after the application quits, the port should eventually close as part of the upnp daemon on the router/AP.

The challenge then is two fold:

1) how secure is the application? This is the key question, and that would be whether port forwarding manually or using uPNP - uPNP might actually be more secure than a manual port forward, as port forwards are always open until one goes into the Router and disables them (which most people don't).

2) how secure is the upnp daemon on the router, since most router/AP's run all tasks as a privileged user - typically Admin or Root - there have been problems in the past with various embedded linux uPNP daemons

But properly implemented, there is low risk...

 

[AdvHomeServer]

But that's kind off the point why I'm asking this. I see no reason why a program that uses a port above 1024 can not have more vulnerabilities than a program that uses a port below 1024.

My problem is that I have several game consoles that list several ports below 1024 for port forwarding. I need to use UPnP as they auto negotiate alternative ports when one console is already using them, so manual port forwarding is not an option.

I saw many posts about forwarding ports below 1024 and most people never questioned the security impact when setting the internal minimal port to 1. I have used this setting for quite a while, but I was wondering if there were security implications.

Being blunt ... UPnP on a router that allows anyone to get inside your network is universally considered to be a security threat to the person who uses it. The only people who disagree are those who hack for profit (IE those who will happily steal from you and laugh about it) and those who don't know any better.

Oh, you say, these are only people who will play games with my kids and keep them off my back ... even maybe the mfgr said it was OK.

Hackers of the world thank you and wish more were as enlightened as you.

 

[Nullity]

Being even more blunt... the internet is a security threat.

Run.

 

[AdvHomeServer]

But that's kind off the point why I'm asking this. I see no reason why a program that uses a port above 1024 can not have more vulnerabilities than a program that uses a port below 1024.

My problem is that I have several game consoles that list several ports below 1024 for port forwarding. I need to use UPnP as they auto negotiate alternative ports when one console is already using them, so manual port forwarding is not an option.

I saw many posts about forwarding ports below 1024 and most people never questioned the security impact when setting the internal minimal port to 1. I have used this setting for quite a while, but I was wondering if there were security implications.

If you don't believe me or think I'm just blowing smoke because I'm not a smart as some anonymous page you probably misunderstood, Google UPnP and security risk. Some things are a matter of opinion. Some things aren't. Look it up and figure it out for yourself.
</blunt>

 

[sfx2000]

Being blunt ... UPnP on a router that allows anyone to get inside your network is universally considered to be a security threat to the person who uses it. The only people who disagree are those who hack for profit (IE those who will happily steal from you and laugh about it) and those who don't know any better.

Oh, you say, these are only people who will play games with my kids and keep them off my back ... even maybe the mfgr said it was OK.

Hackers of the world thank you and wish more were as enlightened as you.

Well, keep in mind that most SOHO Router/AP's have defense in depth, along with the client computers behind the gateway...

1) NAT - by it's nature, it's secure due to non-routable IP's behind the NAT

2) SPI Firewall on the router/AP - even though the port is open, traffic from the WAN is prohibited unless the client sends something, and this is on a per-packet basis

3) Client Firewalls - Windows XP and later all have OS level firewalls (which should be left enabled) and OSX has the same (which should be turned on) - so even if a blackhat were to gain access to the XBone or PS4, they're not going to get much further in OP's use case...

So, yes, always a risk to open ports, but knowing what is open, and how things work is more important...

 

[sfx2000]

For UPNPd to get access to the gateway's priveleged ports UPNPd would have be ran as root, which is batshit crazy. (or not)

There's a lot of bat-shirt insanity in current Firmware builds on common Router/AP's - the key fact that everything runs as a privileged user is one, and even then, there is no privilege separation between the HTTP user vs. the Samba user vs. OpenVPN or uPNPd - design issue, and one that isn't easy to fix overall...

 

[Nullity]

There's a lot of bat-shirt insanity in current Firmware builds on common Router/AP's - the key fact that everything runs as a privileged user is one, and even then, there is no privilege separation between the HTTP user vs. the Samba user vs. OpenVPN or uPNPd - design issue, and one that isn't easy to fix overall...

Makes me all giddy for the even poorer security practices of the Internet of Things.

 

[sfx2000]

Makes me all giddy for the even poorer security practices of the Internet of Things.

Concur - and I'm in a position where I can actually do something about it for now...