Multiple Universal Plug and Play devices contain vulnerabilities that could allow an unauthenticated, remote attacker to access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system.
The Universal Plug and Play (UPnP) protocol suite was designed to simplify the discovery and control of network devices. A diverse set of network devices use UPnP, such as routers, switches, wireless access points, and many types of client devices. Exploitable vulnerabilities in the Portable SDK for UPnP devices SSDP parser, the MiniUPnP SOAP handler, and the MiniUPnP SSDP parser have been reported, which could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition.
Risks of exploitation of the vulnerabilities are increased due to widespread, unsafe configurations of UPnP on affected devices. Reports indicate that multiple unsafe configurations were found in the Simple Service Discovery Protocol (SSDP) service on UPnP devices, as well the HTTP service that hosts the Simple Object Access Protocol (SOAP) interface. By default, UPnP uses UDP port 1900 and should only be exposed to trusted networks. However, the unsafe configuration in the SOAP interface could allow for widespread exposure of the SSDP service to the Internet. As a result, attackers from untrusted networks could exploit the vulnerabilities within the SSDP and SOAP parsers.
Proof-of-concept code that exploits these vulnerabilities is publicly available.
Cisco has released a security advisory at the following link: cisco-sa-20130129-upnp
US-CERT has released a vulnerability note at the following link: VU#922681
Administrators are advised to apply software updates as they become available.
Administrators are advised to disable UPnP on all Internet-facing systems.
Administrators are advised to replace all devices that do not have the ability to disable the SSDP protocol.
Administrators may consider using access control lists (ACLs) to block services on UDP port 1900.
Administrators are advised to monitor affected systems.
The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: cisco-amb-20130130-upnp
FreeBSD has released a VuXML document at the following link: upnp -- multiple vulnerabilities
FreeBSD has released ports collection updates at the following link: Ports Collection Index
The Portable SDK for UPnP Devices project has released a changelog at the following link: Version 1.6.18 Changelog