This issue has been floating around for a little bit and I thought I would drop a note here to see what other people think.  There's a vulnerability in many consumer routers that allows UPnP connections from the internet facing interface.  This allows anyone outside the router to configure port mappings as well as other internal settings without any authentication (since UPnP does not require authentication).  What's worse is if the router also exposes a SOAP style interface that essentially allows you to change pretty much every setting that the router has.  This obviously does not directly affect the network on campus, but the concern I have is how the many users that use a VPN to access networks on campus could indirectly affect it.  This kind of vulnerability exposes users at home to unsolicited traffic aimed directly at their devices on their home network, even though they are behind a NAT router (which, by its nature, acts as a reasonably good firewall).  While an SSL VPN connection initiated by a PC does not make the campus network visible to other machines in the case where the machine isn't otherwise compromised, it's only a matter of time before some user's machine is infected and allows some unknown third party to see into a network they wouldn't otherwise have access to.


I really only have one question (and it's a doozy).  What's the right way to deal with this kind of a threat?  I could foresee a suggestion that all VPN users (well, practically all users) check the status of their router's susceptibility to this flaw over at www.grc.com.  You would just have to click a couple of ShieldsUP! links or use the navigation bar to go to Services, then ShieldsUP!, and click Proceed.  There's an orange button there that will test your internet-facing IP for its willingness to accept UPnP traffic.  For those that end up having this problem, it might be necessary to assist those users in selecting a better router to replace the vulnerable one that they're using.


That's one way to deal with it, but a user's willingness to check for this sort of problem is not something you can bet on and there's certainly no good way to see that they follow through.  So...what else can be done?  Is there a good way to tackle this issue or are we stuck with the notion that outside machines could be an even bigger risk than they already are?


For additional scariness, http://blog.defensecode.com/2013/02/defensecode-security-advisory-cisco.html


Since 80 million vulnerable routers is a big number, I’d have to think that there are at least a few in use in home networks that have computers behind them that access campus resources through a VPN.  In case anybody thinks that this hasn’t caught the attention of nefarious folks, there have been honeypots set up that are actively receiving UPnP packets from machines scanning for this vulnerability.  Any thoughts?
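As an added illustration of the detection side of this (the honeypots above that see UPnP scan traffic, and the WAN-side SSDP exposure described at the start of the post), here is a small Python check that is not part of the original post or of any router vendor's code. It parses constructed netfilter-style firewall log lines and flags UDP/1900 datagrams arriving on the internet-facing interface from non-private addresses, and it parses a constructed SSDP M-SEARCH request to see whether it asks for the Internet Gateway Device WAN connection services. The interface name eth0, the log line format and every address in the samples are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines in netfilter LOG-target style (assumed format,
# assumed addresses); eth0 is assumed to be the internet-facing interface and
# br0 the home LAN bridge. The two br0 / TCP lines are benign noise.
SAMPLE_LOG = """\
Feb 12 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=UDP SPT=40123 DPT=1900 LEN=132
Feb 12 10:01:03 gw kernel: IN=br0 OUT= SRC=192.168.1.20 DST=239.255.255.250 PROTO=UDP SPT=51515 DPT=1900 LEN=140
Feb 12 10:01:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=198.51.100.7 PROTO=TCP SPT=55555 DPT=443 LEN=60
Feb 12 10:01:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.46 DST=198.51.100.7 PROTO=UDP SPT=40124 DPT=1900 LEN=132
"""

# Constructed SSDP discovery request of the kind a scanner would send to the
# WAN side; the ST value is the standard UPnP IGD service name.
SAMPLE_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    "\r\n"
)

WAN_IFACES = {"eth0"}  # assumption: which interfaces face the internet

# Address ranges that should never be the source of an inbound WAN datagram:
# RFC 1918 private space, loopback and link-local. Listed explicitly rather
# than via ipaddress.is_private so the check does not depend on how the
# library classifies documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

WAN_SERVICES = ("WANIPConnection", "WANPPPConnection")

FIELD_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class Alert:
    src: str
    dst: str
    iface: str


def parse_fields(line):
    """Turn 'KEY=value' tokens of a netfilter log line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_internal(addr_text):
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def is_external_ssdp(fields):
    """UDP to port 1900, on a WAN interface, from a non-private source."""
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != "1900":
        return False
    if fields.get("IN") not in WAN_IFACES:
        return False
    return not is_internal(fields.get("SRC", ""))


def find_external_ssdp_probes(log_text):
    """Return one Alert per log line that looks like an internet-side UPnP probe."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if is_external_ssdp(fields):
            alerts.append(Alert(fields["SRC"], fields["DST"], fields["IN"]))
    return alerts


def parse_msearch(payload):
    """Return the headers of an SSDP M-SEARCH request, or None if it is not one."""
    lines = payload.split("\r\n")
    if not lines or not lines[0].startswith("M-SEARCH "):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def targets_wan_service(headers):
    """True when the search target names an IGD WAN connection service."""
    return any(svc in headers.get("ST", "") for svc in WAN_SERVICES)


if __name__ == "__main__":
    for alert in find_external_ssdp_probes(SAMPLE_LOG):
        print(f"external SSDP probe on {alert.iface}: {alert.src} -> {alert.dst}")
    hdrs = parse_msearch(SAMPLE_MSEARCH)
    print("M-SEARCH asks for WAN service:", targets_wan_service(hdrs))
```

On a real gateway the log lines would come from a rule such as a netfilter LOG target on the WAN input chain; a single hit from a non-private source is enough to tell you that inbound SSDP is reaching the router at all, which is exactly the condition the ShieldsUP! test probes for from the outside.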