With more than 80 million unique IP addresses responding to Universal Plug and Play (UPnP) discovery requests, between 40 and 50 million of them are vulnerable to at least one of three known attacks, a research project found.
More than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw, according to a white paper from Rapid7.
Between June 1 and Nov. 17, 2012, Rapid7 conducted weekly scans that sent simple service discovery protocol (SSDP) requests to each routable IPv4 address. In all, 2.2 percent of all public IPv4 addresses responded to the standard UPnP discovery requests. In absolute terms, 81 million unique IP addresses responded and, upon deeper probing, researchers determined that some 17 million systems additionally exposed the UPnP simple object access protocol (SOAP) service. This level of exposure was far higher than researchers had expected, according to the report.
The UPnP protocol has suffered from a number of security problems over the last decade or so, Rapid7 said. Its problems include rarely implemented authentication mechanisms, privileged capabilities exposed on questionable networks, and common programming flaws; Rapid7 chose to focus its research on three classes of problem: programming flaws in common UPnP SSDP implementations that can be exploited to crash the service and execute arbitrary code; exposure of the UPnP control interface, which opens private networks to attack from the Internet; and programming flaws in the UPnP HTTP and SOAP implementations that can likewise be exploited to crash the service and execute arbitrary code.
“This research was primarily focused on vulnerabilities in the SSDP processor across embedded devices,” said Rapid7 CSO HD Moore. “The general process was to identify what was out there, make a list of the most commonly used software stacks, and then audit those stacks for vulnerabilities. The results were much worse than we anticipated, with the most commonly used software stack (libupnp) also being the most vulnerable.”
The two most commonly implemented UPnP software libraries both contain remotely exploitable vulnerabilities, Moore said. More than 73 percent of the systems uncovered by SSDP derived from just four development kits: Portable SDK for UPnP Devices; MiniUPnP; a commercial stack likely developed by Broadcom; and a fourth kit whose developer the researchers could not determine. The most current version of Portable UPnP SDK, as of the time of the research, accounted for the previously mentioned 23 million IPs vulnerable to remote code execution through a single user datagram protocol (UDP) packet.
Most Portable UPnP SDK devices are not running the latest version of the software. Researchers determined that users running older versions of Portable UPnP SDK could be compromised by no fewer than eight remotely exploitable flaws.
The latest version of MiniUPnP (1.1) fixed a remotely exploitable stack overflow in the SOAP handler present in the earlier version (1.0), but the SSDP scan data showed that more than 14 percent of MiniUPnP users have yet to update and that 330 separate products remain vulnerable. The MiniUPnP library was also vulnerable to a parsing flaw in the SSDP handler, since patched.