[WXC/VFX] UPnP available WAN-side and not blocked by XNet

Forums › One New Zealand (including Vodafone, WxC, Farmside) › [WXC/VFX] UPnP available WAN-side and not blocked by XNet

Guf

4 posts

Wannabe Geek

#114301 15-Feb-2013 09:22

http://watchguardsecuritycenter.com/2013/01/31/h-d-moore-unveils-major-upnp-security-vulnerabilities/

http://www.grc.com/securitynow.htm#389

81 million publically routable IPv4 endpoints have UPnP (which only makes sense LAN-side) open on the WAN side, and worse, most of those have a copy of the reference implementation with next to no security in it, thereby allowing a single UDP packet over 1900 to take over the router.

XNet's previously recommended hardware is among those affected, in particular the WAG310G, which also looks like it might also have it's admin portal open WAN-side too!

Various honeypot machines are seeing a daily increase in probes against this port - the threat is very real and definitely increasing!

Use the ShieldsUp service at grc.com ( https://www.grc.com/x/ne.dll?bh0bkyd2 ) to check if you are vulnerable, as it has a specific test for this.

If you are, join in the pressure to get XNet to block UDP:1900 as it is very unlikely the router makers are going to move fast on this as it'd involve admitting liability.

And should they release an update, how many affected customers would actually be able to successfully apply a firmware update - how many would just call it too hard..?

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#762838 15-Feb-2013 10:00

If you have a voice device from WxC that's auto provisioned any firmware updates can be applied automatically by them.

The big question is whether Cisco / Linksys will release an update..

Guf

4 posts

Wannabe Geek

#762850 15-Feb-2013 10:19

IIRC I purchased this hardware in a shop, as it was the recommended option, but I'm not certain of that.

In that case, it having WAN-side admin portal open makes some sense tho.

Specifically, FTP, HTTP and HTTPS are wide open on it, along with UCP:1900 and also the TCP port that it says to connect to for the UPnP SOAP interface; even tho the UPnP query response puts that against the internal IP it's open externally, and all this while the UI's checkbox for UPnP is set to Disabled!

Guf

4 posts

Wannabe Geek

#772414 1-Mar-2013 18:09

I have discovered that if I set up my router to DHCP a certain range but have a DMZ IP outside that range (i.e. a black hole DMZ), the UPnP port is no longer accessible, thus meaning my router is no longer vulnerable to the flaw it has.

I have also reconsidered my request to block UDP1900 at the ISP, as I have remembered that it is not a service port (0-1024) and thus not solely used for UPnP.

I strongly suggest that if you have a vulnerable router, such as the WAG310G, recommend to all users of those to do as I have done. To find out, visit grc.com and use the Shields Up service there as it has a specific test for this.