
Users are happy to buy a piece of hardware and plug it in with no thought to configuration.  Manufacturers can put in their manuals that UPnP has risks all they want, but your average consumer isn't going to read the manual anyway.  Worse yet, the feature (UPnP) is only ever supposed to be accessible from the inside, not the outside.  Some routers even allow you to turn off UPnP on the inside, but leave it enabled on the outside, which is just plain dumb.  Networked device manufacturers do indeed push UPnP as the simple, no questions asked solution to get access to them from the outside (think more along the lines of Xbox, PS3, and home security devices).  It's really up to router manufacturers to make sure they didn't make the simple mistake of allowing the whole world to change what ports get mapped into your home network.

From: Charlot, Firmin [mailto:[log in to unmask]]
Sent: Monday, February 18, 2013 5:02 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] UPnP Router Vulnerability

I agree, Isaac, that this is a huge problem.  To begin to make a dent on this problem, manufacturers of these routers need to do a better job at explaining to users the risk involved in turning on this feature.  This is a tall order since turning on this feature is sometimes recommended by peripheral device makers (printers, phones and other gadgets) so that they can work out-of-the-box with no configuration.  It's all about ease of use.
You are absolutely right in pointing out that the consequences of having that many vulnerable routers could bleed over into other networks.
One possible thought is to consider scanning all remote PCs that are connecting to "valued" MSU resources for malware (somehow) before the connection is made.
Take care.

Firmin Charlot, ITIL, MCSE, A+
Technology Manager
Michigan State University - Student Affairs & Services
556 East Circle Drive, Room 171 - Student Services Building
East Lansing, MI 48824
[log in to unmask]  (517) 432-7541
Linked-in: www.linkedin.com/in/firmincharlot/

Submit technical requests at https://help.ess.msu.edu/

From: Isaac, Jeremy [mailto:[log in to unmask]]
Sent: Monday, February 18, 2013 4:34 PM
To: [log in to unmask]
Subject: [MSUNAG] UPnP Router Vulnerability

This issue has been floating around for a little bit and I thought I would drop a note here to see what other people think.  There's a vulnerability in many consumer routers that allows UPnP connections from the internet facing interface.  This allows anyone outside the router to configure port mappings as well as other internal settings without any authentication (since UPnP does not require authentication).  What's worse is if the router also exposes a SOAP style interface that essentially allows you to change pretty much every setting that the router has.  This obviously does not directly affect the network on campus, but the concern I have is how the many users that use a VPN to access networks on campus could indirectly affect it.  This kind of vulnerability exposes users at home to unsolicited traffic aimed directly at their devices on their home network, even though they are behind a NAT router (which, by its nature, acts as a reasonably good firewall).  While an SSL VPN connection initiated by a PC does not make the campus network visible to other machines in the case where the machine isn't otherwise compromised, it's only a matter of time before some user's machine is infected and allows some unknown third party to see into a network they wouldn't otherwise have access to.

I really only have one question (and it's a doozy).  What's the right way to deal with this kind of a threat?  I could foresee a suggestion that all VPN users (well, practically all users) check the status of their router's susceptibility to this flaw over at www.grc.com.  You would just have to click a couple ShieldsUP! links or use the navigation bar to go to Services, then ShieldsUP! and click proceed.  There's an orange button there that will test your internet facing IP for its willingness to accept UPnP traffic.  For those that end up having this problem, it might be necessary to assist those users in selecting a better router to replace the vulnerable one that they're using.

That's one way to deal with it, but a user's willingness to check for this sort of problem is not something you can bet on and there's certainly no good way to see that they follow through.  So...what else can be done?  Is there a good way to tackle this issue or are we stuck with the notion that outside machines could be an even bigger risk than they already are?

For additional scariness, http://blog.defensecode.com/2013/02/defensecode-security-advisory-cisco.html

Since 80 million vulnerable routers is a big number, I'd have to think that there are at least a few in use in home networks that have computers behind them that access campus resources through a VPN.  In case anybody thinks that this hasn't caught the attention of nefarious folks, there have been honeypots set up that are actively receiving UPnP packets from machines scanning for this vulnerability.  Any thoughts?
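
The inbound UPnP scanning mentioned in this thread can be watched for on any gateway that logs packets arriving on its internet-facing interface. As an added example (not part of the original messages), this Python code counts SSDP probes (UDP port 1900, UPnP's discovery port) per source that arrived on the WAN side; the iptables-style log format, the interface names `eth0`/`br0` and all addresses are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in iptables LOG style. "eth0" is assumed to be the WAN
# interface and "br0" the LAN bridge; addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 18 16:30:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=UDP SPT=40112 DPT=1900 LEN=129
Feb 18 16:30:02 gw kernel: IN=br0 OUT= SRC=192.168.1.50 DST=239.255.255.250 PROTO=UDP SPT=51000 DPT=1900 LEN=130
Feb 18 16:30:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=UDP SPT=40113 DPT=1900 LEN=129
Feb 18 16:31:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=55321 DPT=443 LEN=60
Feb 18 16:32:44 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=UDP SPT=33010 DPT=1900 LEN=129
"""

# KEY=VALUE pairs; VALUE may be empty (e.g. "OUT=" on inbound packets).
KV = re.compile(r"(\w+)=(\S*)")


def external_ssdp_probes(log_text, wan_if="eth0"):
    """Count UDP/1900 packets per source that arrived on the WAN interface.

    UPnP discovery is only meant to be reachable from the LAN, so anything
    matching here is unsolicited traffic from outside.
    """
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        if (fields.get("IN") == wan_if
                and fields.get("PROTO") == "UDP"
                and fields.get("DPT") == "1900"):
            hits[fields.get("SRC", "unknown")] += 1
    return hits


def repeat_sources(log_text, wan_if="eth0", threshold=2):
    """Sources that probed at least `threshold` times (likely scanners)."""
    hits = external_ssdp_probes(log_text, wan_if)
    return sorted(src for src, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for src, n in external_ssdp_probes(SAMPLE_LOG).most_common():
        print(f"{src}\t{n} SSDP packet(s) on WAN")
    print("repeat sources:", repeat_sources(SAMPLE_LOG))
```
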