Menu
What's new
By:
Filters Better Search

UPNP Security flaw.

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Bagman

Bagman

Regular Contributor
From this article:

Tens of millions of network-enabled devices including routers, printers, media servers, IP cameras, smart TVs and more can be attacked over the Internet because of dangerous flaws in their implementation of the UPnP (Universal Plug and Play) protocol standard, security researchers from Rapid7 said Tuesday in a research paper.
Click to expand...

Eight remotely exploitable vulnerabilities have been identified in the Portable UPnP SDK, including two that can be used for remote code execution, the researchers said.
Click to expand...

RT-N66U, RT-AC66U and other Asus routers are exposing SOAP to the internet according to this list.

Is Merlin's build vulnerable, and can you do a quick fix by updating to the newer versions of miniUPnP and UPnP?
 
Asuswrt still uses an older version of Miniupnpd (1.4, versus the 1.6 version used by Tomato). Tomato only upgraded theirs after Asuswrt had forked from them.

I started looking at upgrading miniupnpd, but my first attempt at going all the way to 1.7 didn't work too well (I need to upgrade it through patching, since Asuswrt's version is somewhat customized versus the original version, and the resulting patched tree would have many build issues).

I'll see into getting it upgraded for the next build 24 beta, so it can get good testing at the same time.
 
RMerlin said:
I'll see into getting it upgraded for the next build 24 beta, so it can get good testing at the same time.
Click to expand...

Thanks for looking into this Merlin. Now that all the info about these loopholes is out in the open, it seems like only a matter of time before they are targeted by worms/viruses. If you can upgrade the problem components and keep our routers secure, it's just another (major) reason why your firmware is better than the Asus firmware.
 
But does the miniUPnP issue mean it is vulnerable against external attacks or just attacks from the inside?

I thought external attacks would be prevented by sufficient iptables rules?
 
Nerre said:
But does the miniUPnP issue mean it is vulnerable against external attacks or just attacks from the inside?

I thought external attacks would be prevented by sufficient iptables rules?
Click to expand...

Read the article - external attacks because the default IPtables rules are not adequately implemented.

What annoys me is some of this stuff has been fixed for years, but big companies like Asus (who should know better) are still using code from 2008. All the have to do is update the relevant modules with ones that are now available.
 
Bagman said:
Read the article - external attacks because the default IPtables rules are not adequately implemented.

What annoys me is some of this stuff has been fixed for years, but big companies like Asus (who should know better) are still using code from 2008. All the have to do is update the relevant modules with ones that are now available.
Click to expand...

At this point, it's unsure if Asuswrt is vulnerable or not. While Asus runs an older miniupnpd, they tend to regularily backport security fixes from upstream, so it's possible they might have patched that flaw already.

Again: unless someone actually test it, it's unsure if it's vunlerable or not. I just want to play it safe on my end, and try to get miniupnpd upgraded to at least version 1.6 (I'll port the Tomato version if needs be, since I don't think Asus has done many changes since the original fork from Tomato).
 
RMerlin said:
At this point, it's unsure if Asuswrt is vulnerable or not. While Asus runs an older miniupnpd, they tend to regularily backport security fixes from upstream, so it's possible they might have patched that flaw already.
Click to expand...

Whether miniupnpd itself is vulnerable or not I'm not sure yet, but it doesn't appear that Asuswrt exposes miniupnpd to the WAN interface (some probing from an external server using nmap shows no responses to my attempts). Even if miniupnpd were vulnerable to such attacks, they would definitely require access to the internal LAN to start, and if you have access to the internal LAN, why would you need to exploit miniupnpd. ;)

This post also seems to indicate that Asus has patched miniupnpd to fix these vulnerabilities.
 
I just installed Java and the Rapid 7 scan test. It identifies my RT-N66U running the latest Merlin beta as a UPnP device, but says it's not exploitable. I get the same results as KevTech does in the link in the post above.

Maybe Asus has patched the vulnerability even though they've patched to the older UPnP 1 that is listed as vulnerable?
 
Bagman said:
I just installed Java and the Rapid 7 scan test. It identifies my RT-N66U running the latest Merlin beta as a UPnP device, but says it's not exploitable. I get the same results as KevTech does in the link in the post above.

Maybe Asus has patched the vulnerability even though they've patched to the older UPnP 1 that is listed as vulnerable?
Click to expand...

That wouldn't surprise me. They do a lot of upstream backporting. That means minimal risk of breaking something, unlike if they were to fully upgrade the whole software.
 
sfx2000 said:
This goes well beyond just ASUS...

http://forums.smallnetbuilder.com/showthread.php?t=9720

sfx
Click to expand...

Just to reiterate: Asuswrt is NOT vulnerable. In fact, it doesn't even use the mentionned upnp stack, but relies on Miniupnpd.

This is (IMHO) another security research company trying to blow out of proportion a security hole that only affects certain routers, and fail to actually mention which ones are affected. Not every router out there runs the Broadcom stack (and some don't even use Broadcom).
 
For those who want independent confirmation, or who also run other model routers, the Shields Up firewall testing service @ www.grc.com, has been updated to incorporate a probe for these vulnerabilities (no install or registration required, all done from a web page).

It also includes a link to a Security Now podcast which explains the issue, for those who want more info.
 
You must log in or register to reply here.

Similar threads

PR3MIUM
Ubuntu Linux impacted by decade-old 'needrestart' flaw that gives root
Replies
1
Views
189
DJones
D
torstein
Avoid Consumer Routers
2
Replies
39
Views
7K
netware5
netware5
D
Ars: Internet routers running Tomato are under attack by notorious crime gang
2
Replies
25
Views
11K
schonzen
S
DartVadr
Recently identified guest network security issue(s)
Replies
5
Views
2K
RMerlin
RMerlin
AdrianSz
RT-AX88U Internal security
Replies
13
Views
5K
AdrianSz
AdrianSz
Similar threads
Thread starter Title Forum Replies Date
J iTunes and UPnP media server [RT-AC3100] not functioning after firmware upgrade to version 386.14 Asuswrt-Merlin 3
L is enabling firewall necessary (same for upnp) when on a provider with cgnat? Asuswrt-Merlin 5
D Solved UPnP enabled for Aimesh. Asuswrt-Merlin 5
A Asus RT AX58U - security link Asuswrt-Merlin 0
Nas.CloudBusinessPortal Security Log to see who is… Asuswrt-Merlin 3
TheLyppardMan A question about WireGuard security Asuswrt-Merlin 25
M OpenVPN / site to site with special security/routing constraints Asuswrt-Merlin 7
M Isolating home security cameras and providing remote access? Asuswrt-Merlin 5
T Security Features Merlin VS Official Asuswrt-Merlin 7
T Security Key or PassKey support for admin login Asuswrt-Merlin 1

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 532 (members: 14, guests: 518)
Top