February 7, 2013 at 13:32Critical vulnerability in many routers of various vendors
As previously reported , DefenseCode discovered a zero-day vulnerability in Cisco Linksys routers. Representatives of the company notified the vendor and took a timeout for a couple of weeks before revealing the details of the vulnerability. Time passed, some details were revealed and it turned out that not only Cisco Linksys was vulnerable.
We are talking about several vulnerabilities that lie in a number of implementations of the UPnP and SSDP protocol (based on Intel / Portable UPnP SDK and MiniUPnP SDK):
Vulnerabilities can cause a denial of service or execute arbitrary code on the device without authorization. And since many routers interact with UPnP through the WAN, this makes them vulnerable not only to attacks from the local network, but also from remote networks. Those. from virtually any Internet computer. Not only routers, but generally any equipment using UPnP may be vulnerable: printers, media servers, IP cameras, NAS, smart TV, etc. Those. we are talking about millions of devices!
Company rapid7 released a scanner to check their devices for vulnerabilities. Online version is available here .
I got lucky. And you?
The IP address from which the user came is checked. Those. Enter an arbitrary address for verification does not work.
The offline version of the vulnerability scanner can be downloaded here . This scanner supports only Microsoft Windows. Mac OS X and Linux users can use Metasploit for this purpose. An example of using Metasploit:
The answer will be something like this: At the moment, it is known that TP-LINK has released a beta version of the firmware , which closes the vulnerability in the TD-W8960N hardware. By the end of February, they plan to release official firmware. As a temporary measure, it is recommended that you turn off UPnP support on network equipment. Related links: 1. List of devices where vulnerabilities are confirmed 2. Rapid7 vulnerability report in UPnP 3. DefenseCode vulnerability report in UPnP UPD: and today it became known about Regular zero-day vulnerabilities in various routers
Here are just some of the vendors where the vulnerability is present
- Broadcom
- Asus
- Cisco
- TP-Link
- Zyxel
- D link
- Netgear
- US Robotics
We are talking about several vulnerabilities that lie in a number of implementations of the UPnP and SSDP protocol (based on Intel / Portable UPnP SDK and MiniUPnP SDK):
CVE List
- CVE-2012-5958
- CVE-2012-5959
- CVE-2012-5960
- CVE-2012-5961
- CVE-2012-5962
- CVE-2012-5963
- CVE-2012-5964
- CVE-2012-5965
- CVE-2013-0229
- CVE-2013-0230
Vulnerabilities can cause a denial of service or execute arbitrary code on the device without authorization. And since many routers interact with UPnP through the WAN, this makes them vulnerable not only to attacks from the local network, but also from remote networks. Those. from virtually any Internet computer. Not only routers, but generally any equipment using UPnP may be vulnerable: printers, media servers, IP cameras, NAS, smart TV, etc. Those. we are talking about millions of devices!
Company rapid7 released a scanner to check their devices for vulnerabilities. Online version is available here .
I got lucky. And you?
The IP address from which the user came is checked. Those. Enter an arbitrary address for verification does not work.
The offline version of the vulnerability scanner can be downloaded here . This scanner supports only Microsoft Windows. Mac OS X and Linux users can use Metasploit for this purpose. An example of using Metasploit:
$ msfconsole
msf>
msf> use auxiliary / scanner / upnp / ssdp_msearch
msf auxiliary (ssdp_msearch)> set RHOSTS 192.168.0.0/24
msf auxiliary (ssdp_msearch)> run
The answer will be something like this: At the moment, it is known that TP-LINK has released a beta version of the firmware , which closes the vulnerability in the TD-W8960N hardware. By the end of February, they plan to release official firmware. As a temporary measure, it is recommended that you turn off UPnP support on network equipment. Related links: 1. List of devices where vulnerabilities are confirmed 2. Rapid7 vulnerability report in UPnP 3. DefenseCode vulnerability report in UPnP UPD: and today it became known about Regular zero-day vulnerabilities in various routers
[*] 192.168.0.9:1900 SSDP Net-OS 5.xx UPnP/1.0 | 192.168.0.9:3278/etc/linuxigd/gatedesc.xml
[+] 192.168.0.254:1900 SSDP miniupnpd/1.0 UPnP/1.0 | vulns:2 (CVE-2013-0229, CVE-2013-0230)