Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[titan3025]

Hi

I read that there is a severe security flaw out there with regards to the UPNP implementation of millions of home user routers.

https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play

I assume we are also affected with our 825. Any idea if we will get a fix? Scary somehow.

Titan3025

[FurryNutz]

Acutually there has been known issues with uPnP for a long time now.

http://www.grc.com/unpnp/unpnp.htm

For the 10 years I've been working with routers in a home setting, I've never seen much of any issues regarding uPnP. Especially in a home or small business setting. I personally feel that if something is going to happen, it's going to be on a bigger scale directed towards bigger companies, enterprise networks, government and military networks rather than our mom and pop house holds. Not much information to gleam from us here. Thats not to discount that it could happen however.

I'll get this over to D-Link for there review and see if anything comes up.

I recommend that if your really concerned about it, just disable uPnP on the router under Advanced/Adv Networking and you should sleep better at night. I also recommend that you phone contact Dlink support, ask for level 3 or higher support in regards to this to see if they can provide you with any information.


Let us know what they say.

[ThatOtherGuy]

Your reply makes it look like you did not read up on the topic. Yes for the last 10 or so years upnp never had an exploit like this. This changed though the exploit allows the router to be configured form the outside. Attacks using it could be aimed at a company but the way its going on now is with scanning of ip blocks to see what routers are vulnerable. The tools can then log what routers are vulnerable and spit out a log or do other things like run scripts ect.

I can't blame you for not knowing much on the topic but its the attitude of "well nothing bad ever happened" Is what leaves company's and individuals open to attack by very simple means.

The very least they should do is inform people to disable UpNp on all of the dlink routers effected until they can fix the problem. Keeping quite about it and doing nothing wont make it go away and if it stays that way and millions of people get hacked and dlinks name gets dragged through the mud for not acting when they had the chance it will be too late.

[FurryNutz]

One way to get them more involved would be to contact them on the phone and say something. 

[FurryNutz]

 D-Link Security Advisory Information

[FurryNutz]

"Publication ID: SAP10036
Resolved Status: Yes
Published on: 3 July 2014 1:10 GMT
Last updated on: 21 August 2014 10:47 GMT
Overview
 
Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment.

D-Link deploys firmware that has UPnP feature support on our devices. The UPnP features are enabled by software developer kits - Intel, Portable, and miniUPnP.

In January 2013, it was discovered that the following UPnP versions may have a security vulnerability that could cause devices to become unstable, impair functionality, or disclose the services the devices offers (i.e. network camera feed):
All Versions of Intel SDK
Version of Portable SDK prior to V. 1.6.18
Version of MiniUPnP SDK prior to V. 1.1
Security and performance is of the utmost importance to D-Link across all product lines, including networking, surveillance, storage and entertainment solutions.

The company is currently assessing the recent findings surrounding UPnP technology and whether any D-Link products are susceptible to vulnerabilities. 
 
We are currently updating our Vendor responses at US-CERT (US Computer Emergency Readiness Team) for the support CVEs (Common Vulnerabilities and Exposures).

We also discourage the use of industry-available tools available to the public because of the number of false-negatives and false-positives. This potential vulnerability is complex and requires deeper inspection and replacement of the recommend SDK stated in the CVEs. "

D-Link Current uPnP Security Status