Difference between revisions of "UPnP vulnerabilities"

From Embedded Lab Vienna for IoT & Security
<references>
<ref name="upguard">https://www.upguard.com/blog/what-is-upnp</ref>
<ref name="devicearch">https://openconnectivity.org/upnp-specs/UPnP-arch-DeviceArchitecture-v2.0-20200417.pdf</ref>
<ref name="gitcallstranger">https://github.com/yunuscadirci/CallStranger/blob/master/CallStranger ; https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=upnp</ref>
<ref name="fbi">https://www.fbi.gov/news/stories/cyber-tip-be-vigilant-with-your-internet-of-things-iot-devices</ref>
<ref name="ocf">https://openconnectivity.org/developer/specifications/upnp-resources/upnp/standards</ref>
<ref name="iot">An Overview of UPnP-based IoT Security: Threats, Vulnerabilities, and Prospective Solutions; Golam Kayas, Mahmud Hossain, Jamie Payton, S. M. Riazul Islam; 2020</ref>
<ref name="sdk">https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=upnp+sdk</ref>
<ref name="callstranger">https://www.helpnetsecurity.com/2020/06/09/cve-2020-12695/</ref>
</references>



Revision as of 22:58, 4 January 2022

Summary

This document describes the general, by-design weaknesses of the UPnP protocol and two well-known vulnerabilities of it.

UPnP

UPnP is a protocol stack which allows devices to join a network without further manual configuration. The automatic configuration performed by the UPnP protocol includes IP address assignment, port forwarding and eventing. This is done with a networking architecture that uses TCP/IP as well as other internet protocols such as HTTP and DHCP. In a UPnP network there are always one or more control devices (e.g. a router) and one or more service devices (e.g. smartphones, printers, smart home devices, etc.). This makes UPnP an easy and flexible way to provide connectivity in a network.

UPnP Vulnerability

There are many known vulnerabilities and security risks associated with the UPnP standard. On the Common Vulnerabilities and Exposures (CVE) website, 130 different known vulnerabilities can be found for the keyword "UPnP". Also, some well-known state institutions, such as the FBI, have publicly recommended disabling UPnP altogether. The reason, according to the FBI web page, is that there are UPnP exploits which allow access to various IoT devices. These known vulnerabilities are not the only reason security is such an important issue with UPnP: the standard also has some general weaknesses by design. Some steps of UPnP networking involve no verification, integrity check or access control. There are also some UPnP SDKs which can be exploited.

CallStranger Attack

In this attack type, malicious actors send UPnP SUBSCRIBE requests to a target in which the CALLBACK header value is modified. The CALLBACK header value indicates to which machine the response should be sent. Because of this vulnerability, the callbacks can be directed anywhere. This attack could allow:
• Scanning of internal ports
• Reflected or amplified DDoS attacks
• Bypassing DLP and network security to exfiltrate data
The "CallStranger" attack was fixed in April 2019.

[Figure: Upnp callstranger.jpg][1]
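The mitigation that closes the CallStranger weakness described above is a device-side check on the CALLBACK header: the device must refuse to send event notifications to any URL that does not point back into its own subnet. The following validator is an added example written for this page, not code from the original article or from the CallStranger project. It assumes the device knows its own LAN prefix (the `local_net` argument) and the source address of the subscriber (`subscriber_ip`); the SUBSCRIBE requests and addresses in it are constructed for illustration, and the `strict` option (callback host must equal the subscriber) is a policy choice of this example, tighter than a plain same-subnet rule.

```python
"""Validate the CALLBACK header of a UPnP SUBSCRIBE request (added example).

Assumptions (not from the page): the device knows its LAN prefix and the
subscriber's source IP. All request strings below are constructed samples.
"""
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# CALLBACK carries one or more URLs, each wrapped in angle brackets.
CALLBACK_RE = re.compile(r"<([^<>]+)>")


def parse_subscribe(raw: str) -> Dict[str, str]:
    """Parse the header block of a SUBSCRIBE request into {lower-name: value}."""
    lines = raw.split("\r\n")
    headers: Dict[str, str] = {"_request": lines[0]}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def callback_urls(header_value: str) -> List[str]:
    """Extract every <url> from a CALLBACK header value."""
    return CALLBACK_RE.findall(header_value)


def check_callback(url: str, subscriber_ip: str, local_net: str,
                   strict: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) for one callback URL.

    Accept only plain http URLs whose host is an IP literal inside local_net.
    With strict=True the host must also be the subscriber itself, which rules
    out using the device to probe other internal hosts and ports.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if host is None:
        return False, "no host in callback URL"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False, f"host {host!r} is not an IP literal (names are not resolved)"
    net = ipaddress.ip_network(local_net)
    if addr not in net:
        return False, f"{addr} is outside the local network {net}"
    if strict and addr != ipaddress.ip_address(subscriber_ip):
        return False, f"{addr} is not the subscriber {subscriber_ip}"
    return True, "ok"


def evaluate_subscribe(raw: str, subscriber_ip: str, local_net: str,
                       strict: bool = True) -> Tuple[bool, List[Tuple[str, bool, str]]]:
    """Evaluate a whole SUBSCRIBE request; reject if any callback URL fails."""
    headers = parse_subscribe(raw)
    urls = callback_urls(headers.get("callback", ""))
    if not urls:
        return False, [("", False, "no CALLBACK URL present")]
    results = [(u,) + check_callback(u, subscriber_ip, local_net, strict) for u in urls]
    return all(ok for _, ok, _ in results), results


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = (
    "SUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)
# Callback list mixes a local URL with an external one (TEST-NET-3 address).
BAD_REQUEST = GOOD_REQUEST.replace(
    "<http://192.168.1.50:8080/notify>",
    "<http://192.168.1.50:8080/notify><http://203.0.113.9/collect>",
)

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        ok, details = evaluate_subscribe(req, "192.168.1.50", "192.168.1.0/24")
        print(name, "accepted" if ok else "rejected")
        for url, url_ok, reason in details:
            print("   ", url, url_ok, reason)
```

Rejecting host names outright (rather than resolving them) is deliberate: resolving an attacker-supplied name at notification time would reintroduce the redirection the check is meant to prevent.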

UPnP Flash Attack

This attack type starts with the victim opening a malicious SWF (Adobe Flash Player) file in the browser. This starts a silent attack which sends UPnP requests to the victim's browser. These requests could open ports on the victim's computer or change the victim's primary DNS server. The UPnP Flash Attack has still not been fixed, so it is still possible to carry out this attack.

Mirai Botnet

A real-world example of a large-scale UPnP attack is the Mirai botnet, which was discovered in 2018. In this attack hundreds of thousands of routers on the internet were scanned, and the attack software searched for exposed Telnet ports which had been opened by UPnP. The attackers brute-forced the default passwords of the devices and added them to the botnet. The botnet was then used to launch large-scale DDoS attacks which shut down some target servers. A depiction of a simplified DDoS attack with the Mirai botnet can be seen in the picture below.

[Figure: Mirai-botnet-diagram.png]
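Both the Flash attack (requests that open ports on the victim's side) and the Mirai case (Telnet exposed through UPnP port mappings) come down to the gateway accepting an IGD AddPortMapping it should not, or keeping a mapping nobody reviews. The code below is an added example for this page, not code from the original article or from any router firmware. It does two things from the defender's side: a gateway-side policy check on an AddPortMapping request (the idea is the same as miniupnpd's secure_mode, where a client may only open ports that forward to its own address, plus a deny-list of service ports), and an audit of an existing mapping table that flags mappings exposing Telnet-style services or the gateway itself. The SOAP body, the mapping table, the LAN prefix and the risky-port list are all constructed for illustration; the `New*` argument names are the standard WANIPConnection ones.

```python
"""Gateway-side AddPortMapping policy and port-mapping audit (added example).

Assumptions (not from the page): LAN prefix 192.168.1.0/24, the risky-port
list, and all sample data below are constructed for illustration.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Internal services that should never be reachable from the WAN via UPnP.
RISKY_INTERNAL_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp"}


def parse_add_port_mapping(soap_body: str) -> Dict[str, str]:
    """Extract the New* arguments from an AddPortMapping SOAP request body."""
    root = ET.fromstring(soap_body)
    args: Dict[str, str] = {}
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]        # drop any XML namespace prefix
        if tag.startswith("New"):
            args[tag] = (elem.text or "").strip()
    return args


def allow_add_port_mapping(requester_ip: str, args: Dict[str, str],
                           lan: str = "192.168.1.0/24") -> Tuple[bool, str]:
    """Decide whether the gateway should honour an AddPortMapping request."""
    try:
        client = ipaddress.ip_address(args.get("NewInternalClient", ""))
    except ValueError:
        return False, "NewInternalClient is not an IP literal"
    if client not in ipaddress.ip_network(lan):
        return False, f"{client} is not on the LAN {lan}"
    # secure-mode rule: a host may only open ports that forward to itself
    if client != ipaddress.ip_address(requester_ip):
        return False, f"mapping targets {client}, not the requester {requester_ip}"
    try:
        port = int(args.get("NewInternalPort", ""))
    except ValueError:
        return False, "NewInternalPort is not a number"
    if port in RISKY_INTERNAL_PORTS:
        return False, f"internal port {port} ({RISKY_INTERNAL_PORTS[port]}) may not be exposed"
    return True, "ok"


def audit_mappings(table: List[Dict[str, str]], gateway_ip: str) -> List[str]:
    """Report mappings a defender should review in an existing IGD table."""
    findings: List[str] = []
    for m in table:
        port = int(m["NewInternalPort"])
        label = f"{m['NewProtocol']} {m['NewExternalPort']}->{m['NewInternalClient']}:{port}"
        if port in RISKY_INTERNAL_PORTS:
            findings.append(f"{label}: exposes {RISKY_INTERNAL_PORTS[port]} to the WAN")
        if m["NewInternalClient"] == gateway_ip:
            findings.append(f"{label}: forwards to the gateway itself")
        if m.get("NewLeaseDuration", "0") == "0":
            findings.append(f"{label}: permanent lease (never expires)")
    return findings


# Constructed sample: a request that would expose Telnet on a LAN host.
SOAP_ADD = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>2323</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>23</NewInternalPort>
   <NewInternalClient>192.168.1.20</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>sample</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""

# Constructed sample mapping table, as a gateway would return it entry by entry.
SAMPLE_TABLE = [
    {"NewProtocol": "TCP", "NewExternalPort": "2323", "NewInternalClient": "192.168.1.20",
     "NewInternalPort": "23", "NewLeaseDuration": "0"},
    {"NewProtocol": "TCP", "NewExternalPort": "8080", "NewInternalClient": "192.168.1.30",
     "NewInternalPort": "8080", "NewLeaseDuration": "3600"},
    {"NewProtocol": "TCP", "NewExternalPort": "8443", "NewInternalClient": "192.168.1.1",
     "NewInternalPort": "443", "NewLeaseDuration": "0"},
]

if __name__ == "__main__":
    print(allow_add_port_mapping("192.168.1.20", parse_add_port_mapping(SOAP_ADD)))
    for finding in audit_mappings(SAMPLE_TABLE, "192.168.1.1"):
        print(finding)
```

The requester-equals-target rule is what stops a browser-driven request (the Flash scenario) from opening ports for arbitrary LAN hosts; the port deny-list and the audit catch the Telnet exposure that Mirai's scanner looked for.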

Courses

References
