Security flaws in Universal Plug and Play

January 30th, 2013 by Chris Buechler

Rapid7 released a paper today covering new security flaws in UPnP. These findings have led to the US Department of Homeland Security recommending that everyone disable UPnP.

These flaws aren’t applicable to pfSense users, as long as you’ve stayed up to date, or at least haven’t gone out of your way to make yourself insecure. The flaws identified in miniupnp were fixed over two years ago, and we always ship releases with the latest version, so they could only apply if you haven’t updated to any 2.x version. For the Internet-reachable scenario you would also have to add a firewall rule on WAN to permit the traffic in, so you would really have to go out of your way to make yourself vulnerable if running pfSense.

It’s arguable whether you should ever enable UPnP at all. It’s a security vulnerability by design, really, allowing things to arbitrarily open ports on your firewall. We’ve argued against it since the inception of this project, but make it available for those who have no alternative. Of course we disable it by default.

If you’re running any other kind of router or firewall, things may not be so good. A shocking number of vendors are still building old miniupnp versions into their products (Rapid7 identified 332 such products), and shipping them with extremely insecure defaults (over 80 million unique IPs answer UPnP from the Internet). If you’re not sure whether your router is vulnerable, it’s safest to disable all UPnP functionality on devices connected to the Internet. Rapid7 has released a ScanNow tool that will scan your local network for exploitable devices.
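Knowing what answers UPnP on your own LAN is the first step toward disabling it. The script below is an added example, not code from this post or from Rapid7; it multicasts an SSDP M-SEARCH the way discovery tools do, parses each reply, and reports the SERVER banner (which MiniUPnPd-based devices use to announce their version) and the description URL. The constructed sample reply at the bottom and the hypothetical address 192.0.2.1 are assumptions for offline testing, not captured from a real device.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900

# Standard SSDP discovery request: every UPnP root device on the local
# network is asked to reply with a unicast HTTP-style response.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n"
    "\r\n"
).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Turn one SSDP reply datagram into a dict of lower-cased headers.
    Returns None for anything that is not an 'HTTP/1.1 200 OK' reply."""
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def miniupnpd_version(server_header: str) -> Optional[str]:
    """Extract the MiniUPnPd version token from a SERVER banner,
    e.g. 'OpenBSD/5.2 UPnP/1.0 MiniUPnPd/1.7' -> '1.7'."""
    match = re.search(r"MiniUPnPd/([\w.]+)", server_header, re.IGNORECASE)
    return match.group(1) if match else None


def discover(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH and collect every device that answers in time."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: List[Dict[str, str]] = []
    try:
        sock.sendto(MSEARCH, (SSDP_ADDR, SSDP_PORT))
        while True:
            data, (addr, _port) = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if headers is not None:
                headers["_from"] = addr   # responder address, for the report
                found.append(headers)
    except socket.timeout:
        pass                              # quiet for `timeout` seconds: done
    finally:
        sock.close()
    return found


def summarize(devices: List[Dict[str, str]]) -> List[Tuple[str, str, Optional[str], str]]:
    """One row per responder: address, SERVER banner, MiniUPnPd version, LOCATION."""
    rows = []
    for dev in devices:
        server = dev.get("server", "")
        rows.append((dev.get("_from", "?"), server, miniupnpd_version(server),
                     dev.get("location", "")))
    return rows


# Constructed sample reply (an assumption for offline use), shaped like what a
# MiniUPnPd-based router sends back to an M-SEARCH.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"EXT:\r\n"
    b"SERVER: OpenBSD/5.2 UPnP/1.0 MiniUPnPd/1.7\r\n"
    b"LOCATION: http://192.0.2.1:2189/rootDesc.xml\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for addr, server, version, location in summarize(discover()):
        print(f"{addr:15} {server!r} miniupnpd={version} {location}")
```

Anything listed by the script is a device that will act on SSDP on that network segment; the banner tells you which implementation and version it admits to, which is what you need when deciding whether it should be switched off or updated.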

This is also a nice example for the small number of people who still think open source solutions are somehow less secure than commercial alternatives. We’ve done things right again in this instance from day one, whereas a shocking number of commercial vendors have massively failed to follow basic security best practices.

9 Responses to “Security flaws in Universal Plug and Play”

  1. Beat Says:

    Well done guys!

    Open source *is* far superior to closed source, and that’s not only because developers know that others might be looking over their shoulders, which by nature encourages them to follow best practices, but also because of all the open mind that comes with it.

    I’m predicting 2013 to be the year where large portions of users start realizing that open source is a better model for everyone.

    Keep the great work going! Looking forward to 2.1 with full IPv6 support, as 2013 will also be the year of IPv6 and of a lot of commercial “NAT firewalls” not firewalling anything anymore that is IPv6, as they don’t NAT. ;-)

  2. Security flaw in UPnP leaves millions of users vulnerable | pfSense-BR Says:

    [...] Chris’s post on the pfSense blog about the [...]

  3. Angus S-F Says:

    FWIW the ScanNow tool requires Java. They have a Java-free scanner at this page: “Universal Plug and Play Check by Rapid7”
    http://upnp-check.rapid7.com/

  4. PV Says:

    Yeah, I’ve always been paranoid about UPnP. Then again, I’m paranoid about a lot of things dealing with the net. Mostly of things breaking. IT is one of those fields where you argue with the directors for the best you can get, and usually have to settle for something far less than what you need. So far pfSense offers a lot of things that our paid firewalls just can’t match. Unfortunately our paid firewalls also have some really, really easy to use VPN options for our end users, which makes our IT lives much simpler. If pfSense keeps up the quality I’ve seen and the 2.1 release follows through on that, I’ll be tempted to use it in more than just my home. IPv6 is something I’m going to need full support for in the next few years.

  5. Chris Buechler Says:

    PV: doesn’t get much easier than our client export with OpenVPN, unless you like the nasty browser-based SSL VPNs which are a real support headache in comparison. Slightly more effort to install up front, but significantly less effort to support on an ongoing basis from what I’ve seen and heard from our commercial support customers.

  6. mikeisfly Says:

    Steve Gibson of SpinRite and ShieldsUP fame has built a UPnP vulnerability tool at https://www.grc.com/x/ne.dll?rh1dkyd2 . This will check to see if your router is responding to UPnP probe requests on your public port. I just checked mine and everything is all good. The first thing I do when setting up residential routers is turn the UPnP setting off. Hope this helps someone.

  7. How I Met Your SSH | TechSNAP | Jupiter Broadcasting Says:

    [...] week we had a question about UPnP and pfSense – The pfSense blog has the official answer – pfSense uses an updated version of miniupnp, and has always done so, the vulnerable ones [...]

  8. Anon Says:

    mikeisfly: That link gives an error. Seems like the site is a little too paranoid.

  9. SaltH2OFish Says:

    My children very much appreciate UPnP in pfSense. I have a segregated physical network with its own interface for multiple gaming devices (i.e. Xbox Live) to work properly behind the single router IP. The other physical network doesn’t have UPnP support and is used for everything else. It is good to know that the team on pfSense has already put forth the effort to be up to date with miniupnp. Thank you for the project. I will continue to support by purchasing the updated book. I’ve enjoyed the previous releases and look forward to what the team cooks up next!
