Multiple Universal Plug and Play Devices Simple Service Discovery Protocol Processing Vulnerabilities
IntelliShield: Security Activity Bulletin
2013 January 29 15:28 GMT
2013 January 31 15:27 GMT
FreeBSD has released a VuXML document and updated ports collection to address the multiple Universal Plug and Play devices Simple Service Discovery Protocol processing vulnerabilities.
Multiple Universal Plug and Play devices contain vulnerabilities that could allow an unauthenticated, remote attacker to access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system.
The Universal Plug and Play (UPnP) protocol suite was designed to simplify the discovery and control of network devices. A diverse set of network devices use UPnP, such as routers, switches, wireless access points, and many types of client devices. Exploitable vulnerabilities in the Portable SDK for UPnP devices SSDP parser, the MiniUPnP SOAP handler, and the MiniUPnP SSDP parser have been reported, which could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition.
Risks of exploitation of the vulnerabilities are increased due to widespread, unsafe configurations of UPnP on affected devices. Reports indicate that multiple unsafe configurations were found in the Simple Service Discovery Protocol (SSDP) service on UPnP devices, as well the HTTP service that hosts the Simple Object Access Protocol (SOAP) interface. By default, UPnP uses UDP port 1900 and should only be exposed to trusted networks. However, the unsafe configuration in the SOAP interface could allow for widespread exposure of the SSDP service to the Internet. As a result, attackers from untrusted networks could exploit the vulnerabilities within the SSDP and SOAP parsers.
Proof-of-concept code that exploits these vulnerabilities is publicly available.
US-CERT has released a vulnerability note at the following link: VU#922681
Administrators are advised to apply software updates as they become available.
Administrators are advised to disable UPnP on all Internet-facing systems.
Administrators are advised to replace all devices that do not have the ability to disable the SSDP protocol.
Administrators may consider using access control lists (ACLs) to block services on UDP port 1900.
Administrators are advised to monitor affected systems.
The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: cisco-amb-20130130-upnp FreeBSD has released a VuXML document at the following link: upnp -- multiple vulnerabilities
FreeBSD has released ports collection updates at the following link: Ports Collection Index
Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0
Version 3, January 30, 2013, 10:24 AM: Cisco has released an Applied Mitigation Bulletin to address the multiple Universal Plug and Play devices Simple Service Discovery Protocol processing vulnerabilities.
Version 2, January 29, 2013, 11:52 AM: Cisco has released a security advisory to address the multiple Universal Plug and Play devices Simple Service Discovery Protocol processing vulnerabilities.
Version 1, January 29, 2013, 10:28 AM: Multiple Universal Plug and Play devices contain vulnerabilities that could allow an unauthenticated, remote attacker to access sensitive information, execute arbitrary code, or cause a denial of service condition on a targeted system.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.