UPnPIn a project that found more than 80 million unique IP addresses responding to Universal Plug and Play (UPnP) discovery requests, researchers at Rapid7 were shocked to find that somewhere between 40 and 50 million of those are vulnerable to at least one of three known attacks.

A Rapid7 white paper enumerated UPnP-exposed systems connected to the Internet and identified the number of vulnerabilities present in common configurations. Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw.

Between June 1 and Nov. 17, 2012, Rapid7 conducted weekly scans that sent simple service discovery protocUPnPol (SSDP) requests to each routable IPv4 address. In all, 2.2 percent of all public IPv4 addresses responded to the standard UPnP discovery requests. So, 81 million unique IP addresses responded and, upon deeper probing, researchers determined some 17 million further systems exposed the UPnP simple object access protocol (SOAP). This level of exposure was far higher than researchers had expected, according to the report.

Rapid7 claims that the UPnP protocol has suffered from a number of security problems over the last decade or so. Despite rarely implemented authentication mechanisms, the presence of privileged capabilities on questionable networks, and common programming flaws, Rapid7 decided to focus its research on three classes of problems: programming flaws in common UPnP SSDP implementations that can be exploited to crash the service and execute arbitrary code; exposure of the UPnP control interface that exposes private networks to attacks from the Internet; and programming flaws in the UPnP HTTP and SOAP implementations that can be exploited to crash the service and execute arbitrary code.

“This research was primarily focused on vulnerabilities in the SSDP processor across embedded devices,” Rapid7′ CSO HD Moore elaborated via email. “The general process was to identify what was out there, make a list of the most commonly used software stacks, and then audit those stacks for vulnerabilities. The results were much worse than we anticipated, with the most commonly used software stack (libupnp) also being the most vulnerable.”

According to Moore, the two most commonly implemented UPnP software libraries both contain remotely exploitable vulnerabilities. More than 73 percent of systems uncovered by SSDP were derived from just four development kits: Portable SDK for UPnP Devices; MiniUPnP; a commercial stack likely developed by Broadcom; and one other kit whose developer could not be determined. The most current version of Portable UPnP SDK–at the time the research was conducted–accounted for the previously mentioned 23 million IPs that are vulnerable to remote code execution through a single user datagram protocol packet.

Most Portable UPnP SDK devices are not running on the latest version of the software. Researchers determined that the users running older versions of Portable UPnP SDK could be compromised by no fewer than eight remotely exploitable flaws.

The latest version MiniUPnP (1.1) fixed a remotely exploitable stack overflow in the SOAP handler from its earlier version (1.0), but the SSDP determined that more than 14 percent of MiniUPnP users have yet to update and that 330 separate products remain vulnerable. The MiniUPnP library was also vulnerable to a parsing flaw in the SSDP handler that has since been patched.

UPnP is, according to Rapid 7, a protocol standard, often enabled by default, that allows computers and various other network connected devices to communicate with one another and simplifies the discovery and control of network devices. Devices with UPnP enabled by default include smart TVs, IP cameras, printers, media servers and routers to name a few. It is enabled by default on Mac OS X, Microsoft Windows, and a number of Linux distros. Different devices have different capabilities but some common functions include incoming port mapping on home routers, identification of network printers, and managing media services.

Rapid7 is encouraging that users disable UPnP on all Internet facing systems and replace any systems that do not offer the ability to disable the protocol. Some of these vulnerabilities, such as the Portable UPnP SDK and MiniUPnP, have been patched, but as Moore notes, it takes time for the various device makers and application developers to implement the patch into their products. In the meantime, users will remain vulnerable. He also explains that a number of products are “no longer shipping,” meaning that users of that equipment will not receive patches and will remain vulnerable until they remove or replace the products in question.

Rapid7’s ScanNow tool tocan be used check whether systems are vulnerable.

In the white paper, Rapid7 goes on to make a number of recommendations to Internet service providers, businesses, and home and mobile users that may be vulnerable as well providing in depth analysis of the specific vulnerabilities themselves.

Categories: Government, Mobile Security, SMB Security, Vulnerabilities, Web Security

Comments (6)

  1. pogue

    I tried to run Rapid7’s UPnP threat assessment tool, but it said it required Java 1.6.0 to run.  I have the latest JRE installed on my system, so I’m not sure what the problem is, but w/ all the security buzz about Java lately…. really Rapid7?

    Do newer versions of Windows past XP still employ UPnP by default? If so, is there a step by step direction guide to disabling it somewhere?

  2. pogue

    @JimboC Thanks for advice, much appreciated.

    I’m behind a router provided by my ISP, so I have no control over the firmware or a lot of the settings (although it does have a basic firewall), but doing a port scan on my IP w/ nmap and similar tools shows no ports open, so I assume I’m in the clear.  But I’ll probably go ahead and disable those services on all the PCs on my LAN just to be safe.

  3. Josh Rubin

    Did Rapid7 really test every routable IPV4 address? Random sampling would be more secure, faster, and cheaper.


  4. JimboC

    Hi pogue,

    I also ran the Rapid7 UPnP threat assessment tool in a test VM which just happened to have Java Version 7 Update 11 installed (it is disabled in the browser and I only use it run local Java apps in this VM). I quit the tool when it asked me for all of my personal details to register the program in order to run it.

    UPnP use 2 services on Windows, the SSDP Discovery service and the UPnP Device Host service.

    On Windows 7 SP1, the SSDP Discovery service is set to manual start-up but is running by default. The UPnP Device Host service is also set to manual start-up but usually does not run.

    The list of default running services for Windows XP, Vista, Windows 7 and Windows 8 is available by Googling:

    black viper windows service configurations

    According to the Vulnerability Note (VU#922681, posted today) from the US-CERT, you can block port 1900 using your firewall (on your PC) and disable the UPnP functionality of your broadband router. You can also update libupnp to version 1.6.18. I am not sure how to do that for my old router so I have just disabled the above 2 services in my Windows 7 and disabled the UPnP feature of my router. I have also blocked ports 1900 and 2869 using my software firewall (it’s not the default Windows Firewall).

    My router is too old to receive a new firmware update.

    I realize that US-CERT doesn’t mention port 2869 but it is mentioned in the following Microsoft article on UPnP (I also realize that this article is for Windows XP):


    I don’t use UPnP so it was easy to make the decision to disable it. My PC is working normally after all of the above changes.

    I hope this helps. Thank you.

  5. JimboC

    Hi pogue,

    You are very welcome.

    I agree you should be fine since your ports are showing as closed. Disabling the services is an additional defensive measure and that is always a good idea.


  6. Not Josh Rubin

    It’s true that random sampling would be faster, but testing every IPV4 address gives the population statistic, while a random sample would only give a sample statistic which only has a ‘good’ chance of being right. As for cost, once the program is scanning, the cost is difficult to quantify and most people just treat it as negligible.

    Enjoy IPV4 while you can; testing every IPV6 address will not be possible, as there are too many.

Comments are closed.