Executive Summary
Summary | |
---|---|
Title | UPnP requests accepted over router WAN interfaces |
Information | |||
---|---|---|---|
Name | VU#357851 | First vendor Publication | 2011-10-05 |
Vendor | VU-CERT | Last vendor Modification | 2011-10-07 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#357851

UPnP requests accepted over router WAN interfaces

Overview

Some Internet router devices incorrectly accept UPnP requests over the WAN interface.

I. Description

Universal Plug and Play (UPnP) is a networking protocol mostly used for personal computing devices to discover and communicate with each other and the Internet. Some UPnP-enabled router devices incorrectly accept UPnP requests over the WAN interface. "AddPortMapping" and "DeletePortMapping" actions are accepted on these devices. These requests can be used to connect to internal hosts behind a NAT firewall and also proxy connections through the device and back out to the Internet. Additional details can be found in Daniel Garcia's whitepaper, "Universal plug and play (UPnP) mapping attacks". [PDF] A list of devices reported to be vulnerable can be found on the UPnP hacks website.

II. Impact

A remote unauthenticated attacker may be able to scan internal hosts or proxy Internet traffic through the device.

III. Solution

Contact the device's vendor to find out if a firmware update is available to address this vulnerability.

Workarounds

References

http://toor.do/upnp.html

Thanks to Daniel Garcia for reporting this vulnerability. This document was written by Jared Allar.
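A defender-side check for the condition described above, as an added example that is not from the CERT note or any vendor firmware: it rejects IGD control requests whose source is outside the LAN, and AddPortMapping requests whose NewInternalClient is not the requester. The LAN subnet, the function names and the sample request are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet
ACTION = '"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"'

# Constructed sample AddPortMapping control request body.
SAMPLE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>sample</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping></s:Body></s:Envelope>"""

def soap_action(header_value):
    """Return the action name from a SOAPAction header value."""
    return header_value.strip().strip('"').rpartition("#")[2]

def soap_args(body):
    """Return {argument: text} for the action element inside the SOAP Body."""
    root = ET.fromstring(body)  # stdlib parser, adequate for this illustration
    for elem in root.iter():
        if elem.tag.rpartition("}")[2] == "Body" and len(elem):
            return {a.tag.rpartition("}")[2]: (a.text or "").strip()
                    for a in elem[0]}
    return {}

def evaluate(src_ip, soapaction_header, body):
    """Decide whether a UPnP control request should be processed.
    Returns (allowed, reason)."""
    action = soap_action(soapaction_header)
    src = ipaddress.ip_address(src_ip)
    if src not in LAN:
        # The flaw in this note: requests arriving from the WAN side.
        return False, f"{action} from non-LAN source {src}"
    if action == "AddPortMapping":
        try:
            target = ipaddress.ip_address(
                soap_args(body).get("NewInternalClient", ""))
        except (ET.ParseError, ValueError):
            return False, "malformed AddPortMapping request"
        if target != src:
            # A LAN host may only open a mapping to itself.
            return False, f"mapping target {target} is not requester {src}"
    return True, "ok"
```

Source-address checks like this complement, and do not replace, binding the UPnP control listener to the LAN interface only.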
Original Source
Url : http://www.kb.cert.org/vuls/id/357851 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
88 % | CWE-16 | Configuration |
12 % | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 | |
Application | 3 | |
Application | 3 | |
Application | 1 | |
Application | 3 | |
Application | 1 | |
Hardware | 1 | |
Hardware | 1 | |
Hardware | 1 | |
Hardware | 1 | |
Hardware | 1 | |
Hardware | 2 | |
Hardware | 4 | |
Hardware | 1 | |
Hardware | 1 | |
Hardware | 1 | |
Hardware | 1 | |
Hardware | 1 | |
Hardware | 1 | |
Os | 1 | |
Os | 1 | |
Os | 1 | |
Os | 2 | |
Os | 1 | |
Os | 2 | |
Os | 1 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
77438 | Thomson (Technicolor) TG585 UPnP IGD AddPortMapping Action Remote Port Mappin... Thomson (Technicolor) TG585 contains a flaw related to the WAN interface's parsing of SOAP requests. The issue is triggered when a remote attacker uses a UPnP AddPortMapping action. This may allow a remote attacker to establish arbitrary port mappings. |
77437 | SpeedTouch 5x6 UPnP IGD AddPortMapping Action Remote Port Mapping Addition SpeedTouch 5x6 contains a flaw related to the WAN interface's parsing of SOAP requests. The issue is triggered when a remote attacker uses a UPnP AddPortMapping action. This may allow a remote attacker to establish arbitrary port mappings. |
77436 | Pseudo ICS ZyXEL P-330W UPnP IGD AddPortMapping Action Remote Port Mapping Ad... Pseudo ICS ZyXEL P-330W contains a flaw related to the WAN interface's parsing of SOAP requests. The issue is triggered when a remote attacker uses a UPnP AddPortMapping action. This may allow a remote attacker to establish arbitrary port mappings. |
77435 | Broadcom Linux Sitecom WL-111 UPnP IGD AddPortMapping Action Remote Port Mapp... Broadcom Linux Sitecom WL-111 contains a flaw related to the WAN interface's parsing of SOAP requests. The issue is triggered when a remote attacker uses a UPnP AddPortMapping action. This may allow a remote attacker to establish arbitrary port mappings. |
77434 | Edimax EdiLinux Multiple Product UPnP IGD AddPortMapping Action Remote Port M... Multiple Edimax EdiLinux products contain a flaw related to the WAN interface's parsing of SOAP requests. The issue is triggered when a remote attacker uses a UPnP AddPortMapping action. This may allow a remote attacker to establish arbitrary port mappings. |
77432 | Edimax EdiLinux Multiple Product UPnP IGD Shell Metacharacter Remote Command ... |
77431 | Cisco Linksys WRT54GX UPnP IGD SOAP Request Parsing Remote Firewall Manipulation |
77329 | Cisco Linksys Multiple Router Broadcomp UPnP IGD AddPortMapping Action Remote... Multiple Cisco Linksys routers contain a flaw related to the WAN interface's parsing of SOAP requests. The issue is triggered when a remote attacker uses a UPnP AddPortMapping action. This may allow a remote attacker to establish arbitrary port mappings. |
Alert History
Date | Information |
---|---|
2013-05-11 00:57:02 |
|
2013-01-24 21:19:42 |
|