Vulnerability in UPnP suitable for amplifying DDoS attacks and scanning the internal network

Information has been disclosed about a vulnerability (CVE-2020-12695) in the UPnP protocol that allows traffic to be sent to an arbitrary recipient using the SUBSCRIBE operation provided for in the standard. The vulnerability has been codenamed CallStranger. It can be used to exfiltrate data from networks protected by data leakage prevention (DLP) systems, to port-scan computers on the internal network, and to amplify DDoS attacks using the millions of UPnP devices connected to the global network, such as cable modems, home routers, game consoles, IP cameras, set-top boxes, media centers and printers.

The problem is caused by the fact that the SUBSCRIBE function provided in the specification allows any external attacker to send HTTP packets with a Callback header and use the UPnP device as a proxy to send requests to other hosts. The SUBSCRIBE function is defined in the UPnP specification and is used to track changes in other devices and services. Using the Callback HTTP header, an arbitrary URL can be specified to which the device will then attempt to connect.


Almost all UPnP implementations based on the specification released before April 17th are affected. In particular, the vulnerability has been confirmed in the open-source package hostapd, which implements a wireless access point (WPS AP). The fix is currently available only as patches; distributions have not yet released updates (Debian, OpenWRT, Ubuntu, RHEL, SUSE, Fedora, Arch). The problem also affects solutions based on the open UPnP stack pupnp, for which no information about a fix is available yet.

The UPnP protocol defines a mechanism for automatically discovering and interacting with devices on a local network. The protocol was originally designed for use inside local networks and does not provide any form of authentication or verification. Despite this, millions of devices do not disable UPnP support on external network interfaces and remain reachable for requests from the global network. The attack can be carried out through any such UPnP device.
For example, Xbox One consoles can be attacked through network port 2869, since they allow changes such as content sharing to be monitored through the SUBSCRIBE command.

The Open Connectivity Foundation (OCF) was notified of the issue late last year but initially refused to consider it a vulnerability in the specification. After a second, more detailed report, the problem was acknowledged and a requirement was added to the specification to use UPnP only on LAN interfaces. Since the problem stems from a flaw in the standard, fixing the vulnerability in individual devices may take a long time, and firmware updates may never appear for older devices.

As a security workaround, it is recommended to isolate UPnP devices from external requests with a firewall, block external SUBSCRIBE and NOTIFY HTTP requests on intrusion prevention systems, or disable UPnP on external network interfaces. Manufacturers are advised to disable the SUBSCRIBE feature in the default settings and, when it is enabled, to limit it to accepting requests only from the internal network.
To let users check their own devices for the vulnerability, a special toolkit written in Python and distributed under the MIT license has been published.
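The following is an added example, not code from the article or from the published toolkit: it shows the manufacturer-side mitigation described above, a SUBSCRIBE handler policy that parses the Callback header and accepts a new subscription only when both the requester and every callback URL are on the device's LAN. The LAN prefix, the request dictionaries and the function names are assumptions for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed LAN prefix of the device; a real device would take this from its interface config.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# A UPnP Callback header carries one or more URLs in angle brackets: <url1><url2>...
CALLBACK_RE = re.compile(r"<([^>]*)>")


def parse_callback_header(value):
    """Split a Callback header value into its individual URLs."""
    return CALLBACK_RE.findall(value)


def callback_is_internal(url, networks=LAN_NETWORKS):
    """Accept a callback URL only if it is plain HTTP to a literal IP inside the LAN.
    Hostnames are rejected outright: the device cannot know where they resolve."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False  # not a literal address
    return any(addr in net for net in networks)


def should_accept_subscribe(source_ip, headers, networks=LAN_NETWORKS):
    """Policy for a new SUBSCRIBE request (renewals carry SID instead of Callback
    and are not covered here): requester and all callback targets must be internal."""
    src = ipaddress.ip_address(source_ip)
    if not any(src in net for net in networks):
        return False
    hdrs = {k.upper(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    callbacks = parse_callback_header(hdrs.get("CALLBACK", ""))
    if not callbacks:
        return False  # a new subscription must name at least one callback
    return all(callback_is_internal(u, networks) for u in callbacks)


if __name__ == "__main__":
    # Constructed sample: an external host asking the device to call back into the LAN.
    external = {"NT": "upnp:event", "Callback": "<http://192.168.1.20:8080/ev>"}
    print(should_accept_subscribe("203.0.113.9", external))  # False: requester is not on the LAN
```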

Source: opennet.ru
