Executive Summary



This alert is flagged under the CWE/SANS Top 25 Common Weakness Enumeration list.
Summary
Title: UPnP requests accepted over router WAN interfaces

Information
Name: VU#357851
First vendor publication: 2011-10-05
Vendor: VU-CERT
Last vendor modification: 2011-10-07
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10
Attack range: Network
CVSS impact score: 10
Attack complexity: Low
CVSS exploit score: 10
Authentication: None required

Detail

Vulnerability Note VU#357851

UPnP requests accepted over router WAN interfaces

Overview

Some Internet router devices incorrectly accept UPnP requests over the WAN interface.

I. Description

Universal Plug and Play (UPnP) is a networking protocol used mostly by personal computing devices to discover and communicate with each other and the Internet. Some UPnP-enabled router devices incorrectly accept UPnP requests over the WAN interface. "AddPortMapping" and "DeletePortMapping" actions are accepted on these devices. These requests can be used to connect to internal hosts behind a NAT firewall and also to proxy connections through the device and back out to the Internet. Additional details can be found in Daniel Garcia's whitepaper, "Universal plug and play (UPnP) mapping attacks". A list of devices reported to be vulnerable can be found on the UPnP hacks website.

II. Impact

A remote unauthenticated attacker may be able to scan internal hosts or proxy Internet traffic through the device.

III. Solution

Contact the device's vendor to find out if a firmware update is available to address this vulnerability.

Workarounds

Disable UPnP on the device.
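To confirm whether a device is still receiving the port-mapping requests described above, the following added example (not part of the original vulnerability note) audits captured HTTP requests for AddPortMapping and DeletePortMapping actions. The LAN prefix, the control path and all addresses in the sample capture are assumptions made for illustration.

```python
import ipaddress
import re

MAPPING_ACTIONS = {"AddPortMapping", "DeletePortMapping"}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN prefix

# Constructed sample capture; the control path and field values are made up.
TEMPLATE = (
    "POST /ctl/IPConn HTTP/1.1\r\n"
    'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#{action}"\r\n'
    "\r\n"
    "<u:{action}><NewExternalPort>8080</NewExternalPort>"
    "<NewInternalClient>{client}</NewInternalClient></u:{action}>"
)

def soap_action(raw):
    """Action name from the SOAPAction header, or None if absent."""
    m = re.search(r'^SOAPAction:\s*"?[^"#\r\n]*#(\w+)', raw, re.I | re.M)
    return m.group(1) if m else None

def audit(src_ip, raw, lan=LAN):
    """Findings for one captured HTTP request seen by the router."""
    action = soap_action(raw)
    if action not in MAPPING_ACTIONS:
        return []
    findings = []
    # Requests from outside the LAN are the condition this note describes.
    if ipaddress.ip_address(src_ip) not in lan:
        findings.append(f"{action} from non-LAN source {src_ip}")
    # UPnP action arguments are plain child elements named New*.
    args = dict(re.findall(r"<(New\w+)>([^<]*)</\1>", raw))
    client = args.get("NewInternalClient", "").strip()
    if client:
        try:
            # A mapping that points outside the LAN turns the router into a relay.
            if ipaddress.ip_address(client) not in lan:
                findings.append(f"mapping targets non-LAN host {client}")
        except ValueError:
            findings.append(f"NewInternalClient is not an IP literal: {client!r}")
    return findings

if __name__ == "__main__":
    req = TEMPLATE.format(action="AddPortMapping", client="198.51.100.20")
    for finding in audit("203.0.113.7", req):
        print(finding)
```

Any finding with a non-LAN source means the device is still reachable for UPnP control from outside and the workaround above has not taken effect.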

Vendor Information

Vendor  Status  Date Notified  Date Updated
Canyon-Tech  Affected  2011-10-05
Edimax Computer Company  Affected  2011-10-05
Linksys (A division of Cisco Systems)  Affected  2011-10-03
Sitecom  Affected  2011-10-05
Sweex  Affected  2011-10-05
Technicolor  Affected  2011-10-07
ZyXEL  Affected  2011-10-05

References

http://toor.do/upnp.html
http://www.h-online.com/security/news/item/UPnP-enabled-routers-allow-attacks-on-LANs-1329727.html
http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf
http://www.upnp-hacks.org/devices.html

Credit

Thanks to Daniel Garcia for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public:2011-08-05
Date First Published:2011-10-05
Date Last Updated:2011-10-07
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Severity Metric:0.85
Document Revision:13

Original Source

Url : http://www.kb.cert.org/vuls/id/357851

CWE : Common Weakness Enumeration

% Id Name
88 % CWE-16 Configuration
12 % CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type  Description  Count
Application 1
Application 3
Application 3
Application 1
Application 3
Application 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 2
Hardware 4
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Os 1
Os 1
Os 1
Os 2
Os 1
Os 2
Os 1

Open Source Vulnerability Database (OSVDB)

Id Description

77438 Thomson (Technicolor) TG585 UPnP IGD AddPortMapping Action Remote Port Mappin...

Thomson (Technicolor) TG585 contains a flaw related to the WAN interface's parsing of SOAP requests. The issue is triggered when a remote attacker uses a UPnP AddPortMapping action. This may allow a remote attacker to establish arbitrary port mappings.

77437 SpeedTouch 5x6 UPnP IGD AddPortMapping Action Remote Port Mapping Addition

SpeedTouch 5x6 contains a flaw related to the WAN interface's parsing of SOAP requests. The issue is triggered when a remote attacker uses a UPnP AddPortMapping action. This may allow a remote attacker to establish arbitrary port mappings.

77436 Pseudo ICS ZyXEL P-330W UPnP IGD AddPortMapping Action Remote Port Mapping Ad...

Pseudo ICS ZyXEL P-330W contains a flaw related to the WAN interface's parsing of SOAP requests. The issue is triggered when a remote attacker uses a UPnP AddPortMapping action. This may allow a remote attacker to establish arbitrary port mappings.

77435 Broadcom Linux Sitecom WL-111 UPnP IGD AddPortMapping Action Remote Port Mapp...

Broadcom Linux Sitecom WL-111 contains a flaw related to the WAN interface's parsing of SOAP requests. The issue is triggered when a remote attacker uses a UPnP AddPortMapping action. This may allow a remote attacker to establish arbitrary port mappings.

77434 Edimax EdiLinux Multiple Product UPnP IGD AddPortMapping Action Remote Port M...

Multiple Edimax EdiLinux products contain a flaw related to the WAN interface's parsing of SOAP requests. The issue is triggered when a remote attacker uses a UPnP AddPortMapping action. This may allow a remote attacker to establish arbitrary port mappings.

77432 Edimax EdiLinux Multiple Product UPnP IGD Shell Metacharacter Remote Command ...

77431 Cisco Linksys WRT54GX UPnP IGD SOAP Request Parsing Remote Firewall Manipulation

77329 Cisco Linksys Multiple Router Broadcom UPnP IGD AddPortMapping Action Remote...

Multiple Cisco Linksys routers contain a flaw related to the WAN interface's parsing of SOAP requests. The issue is triggered when a remote attacker uses a UPnP AddPortMapping action. This may allow a remote attacker to establish arbitrary port mappings.

Alert History

Date  Information
2013-05-11 00:57:02
  • Multiple Updates
2013-01-24 21:19:42
  • Multiple Updates