Post by: kitz on April 13, 2018, 10:19:46 AM
Akamai reports that it has detected over 4.8 million SOHO routers which are vulnerable by exposing UPnP services via the WAN interface and of these have identified over 65,000 devices which have already been compromised.
Quote from: Akamai
The simple explanation of the vulnerability that lead to NAT injections, is that these devices expose services on their WAN interface that are privileged and meant to only be used by trusted devices on a LAN. Using these exposed services, an attacker is able to inject NAT entries into the remote device, and in some cases, expose machines behind the router while in other cases inject Internet-routable hosts into the NAT table, which causes the router to act as a proxy server.
A list of vulnerable routers is listed in the report, but notably a lot of ASUS models are affected including the DSL-AC68R, DSL-AC68U, DSL-N55U, DSL-N55U-B, RT-N66U etc
Refs:-
Akami (https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf)
Bleeping Computer (https://www.bleepingcomputer.com/news/security/over-65-000-home-routers-are-proxying-bad-traffic-for-botnets-apts/)
Post by: kitz on April 13, 2018, 10:23:14 AM
ASUS
DSL-AC68R, DSL-AC68U, DSL-N55U, DSL-N55U-B,
MTK7620, RT-AC3200, RT-AC51U, RT-AC52U, RT-AC53,
RT-AC53U, RT-AC54U, RT-AC55U, RT-AC55UHP, RT-
AC56R, RT-AC56S, RT-AC56U, RT-AC66R, RT-AC66U,
RT-AC66W, RT-AC68P, RT-AC68R, RT-AC68U, RT-AC68W,
RT-AC87R, RT-AC87U, RT-G32, RT-N10E, RT-N10LX, RT-
N10P, RT-N10PV2, RT-N10U, RT-N11P, RT-N12, RT-N12B1,
RT-N12C1, RT-N12D1, RT-N12E, RT-N12HP, RT-N12LX,
RT-N12VP, RT-N14U, RT-N14UHP, RT-N15U, RT-N16, RT-
N18U, RT-N53, RT-N56U, RT-N65R, RT-N65U, RT-N66R,
RT-N66U, RT-N66W, RTN13U, SP-AC2015, WL500
Belkin
F5D8635-4 v1, F9K1113 v5
DrayTek Corp.
Vigor300B
NETGEAR
R2000, WNDR3700, WNDR4300v2, WNR2000v4
ZyXel
Internet Center, Keenetic, Keenetic 4G, Keenetic DSL,
Keenetic Giga II, Keenetic II, Keenetic Lite II, Keenetic
Start, NBG-416N Internet Sharing Gateway, NBG-418N
Internet Sharing Gateway, NBG4615 Internet Sharing
Gateway, NBG5715 router, X150N Internet Gateway
Device
Post by: kitz on April 13, 2018, 10:24:51 AM
Quote from: Akami
If a device is affected by this vulnerability, there are only a few options for mitigation. The first would be to replace
the device with something else that you’ve confirmed is not vulnerable to these types of attacks. If replacing the
device is not an option, it is typically possible to disable UPnP services on the device. However, this could have
impacts in other areas of your network, such as gaming or media streaming.
In cases where neither of these options work, deploying a firewall in front of your affected device and blocking
all inbound traffic to UDP port 1900 will prevent the information leaks that make TCP daemon discovery possible.
If your device is already compromised, this would still allow proxy injection and proxy usage. Manually removing
these injections would stop proxy usage, but would not prevent future injections from happening, making this
solution a game of whack-a-mole
Post by: broadstairs on April 13, 2018, 10:43:27 AM
Stuart
Post by: kitz on April 13, 2018, 11:07:58 AM
Port 1900 (https://www.grc.com/port_1900.htm)
Port 5000 (https://www.grc.com/port_5000.htm)
Post by: Deathstar on April 13, 2018, 11:20:30 AM
(DSL-AC68U)Post by: roseway on April 13, 2018, 12:23:33 PM
Post by: banger on April 13, 2018, 12:31:29 PM
Post by: broadstairs on April 13, 2018, 01:16:09 PM
UPNP test passed and Stealth on 1900 and 5000 on an Asus DSL-N55U. Hmmm.
Tim you must have UPNP turned off.
Stuart
Post by: Ronski on April 13, 2018, 02:20:24 PM
What's the implications of turning off UNPNP?
ETA. Actually port 5000 is something to do 3CX as its forwarded to that.
Post by: tubaman on April 13, 2018, 06:13:50 PM
Post by: Ronski on April 13, 2018, 06:56:02 PM
Post by: banger on April 13, 2018, 07:20:35 PM
Tim you must have UPNP turned off.
Stuart
Not that I am aware Stuart although I am using V9 of Asus firmware which has had some security updates. Log shows uPNP is enabled.
Post by: broadstairs on April 13, 2018, 08:06:43 PM
Not that I am aware Stuart although I am using V9 of Asus firmware which has had some security updates. Log shows uPNP is enabled.
OK then I suspect they may have fixed it. Interestingly I checked my Netgear D6220 and it has UPNP enabled but both ports WAN side show stealth.
Stuart
Post by: banger on April 13, 2018, 10:02:25 PM
Post by: broadstairs on April 14, 2018, 07:41:11 AM
Stuart
Post by: Chrysalis on April 14, 2018, 12:31:22 PM
Ronski implications are is any port forwarding has to be done manual, something I have always done anyway.
Post by: banger on April 14, 2018, 07:46:09 PM
To be honest I dont see why UPNP should ever be enabled on the WAN side on a home router, yes it can be needed on the local lan side. Does sound like your router f/w has fixed this. I do also wonder if your ZyXEL in bridge mode has something to do with this? I wonder what you might see if the ASUS was running as a single box?
Stuart
Good point it had ocurred to me that many router may still be running with old firmware and not behind a bridge modem router. I am happy that stealth is indicated as I have two spare DSL-N55U's just in case the original goes pop wasn't looking forward to replacing them although I do have a ZyXel 3925 which would do the trick.
Tim
Post by: sevenlayermuddle on April 15, 2018, 03:05:25 PM
UPNP is my first thing I turn off on any new router.
Ronski implications are is any port forwarding has to be done manual, something I have always done anyway.
Agreed, I also always disable UPnP over port forwarding concerns. If port forwarding were needed I’d want know about it, and configure it manually. Actually though I go further... if an application,game or gadget requires port forwarding, I simply refuse to use that application,game or gadget. There may come a day when I need to give in, but so far so good - no port forwarding at all. :fingers:
Post by: niemand on April 15, 2018, 07:31:15 PM
Do you guys that disable it as a matter of routine have static rules for your packet filtering or do you use a stateful firewall?
Post by: snadge on April 15, 2018, 07:45:09 PM
Stealthed on 1900 & 5000
- BT Home Hub 5B
- rev v0.07.06.01239-BT
Post by: sevenlayermuddle on April 15, 2018, 08:52:06 PM
Perfectly happy to use UPNP. No excuse for it to be exposed on WAN side. Presents minimal risk other than that. Plenty of ways for malware or a bad actor to get a bidirectional link without it once on the LAN.
Do you guys that disable it as a matter of routine have static rules for your packet filtering or do you use a stateful firewall?
My take is...
All software has bugs and vulnerabilities, and that includes the protocol parsing software that processes incoming traffic. Often, that parsing is performed in OS kernel, making that software especially vulnerable. Maliciously crafted packets could take advantage of such bugs, and get to do very bad things on the destination.
Even without port forwarding it is still possible, of course, to be in receipt of a malicious data packets but generally, you need to have started the conversation. With port forwarding, the bad guys can very precisely target their malicious traffic at a personal level, right through to your OS (or your games console, or webcam, or whatever) anytime they like, just by sending it unsolicited to your IP.
That is why I have always refused to allow port forwarding.
Post by: niemand on April 15, 2018, 09:40:08 PM
If the people who write the software are incompetent enough that they have random services listening on the WAN side UPNP is probably the least of the concerns. Unsolicited attacks as you describe require knowledge of the devices on the LAN side anyway. If the gateway is doing its job properly these should not be exposed.
Regardless forwarding any ports at all carries a risk, whether static or dynamic.
That is why I'm fine with UPNP. It's a very useful application that reduces the need for manual configuration for each device behind the NAT.
Obviously if you're the kind of person that has static IPs or IP reservations for every device on your network it's a natural extension of that, but working with this stuff I try and keep my configuration at home to a minimum of complexity, which means UPNP gets to play. So far I've not noted any compromise :)
Incidentally I do appreciate what you're saying about UPNP.
Quote
MiniUPnP < 1.4 Multiple Vulnerabilities
Description
According to its banner, the version of MiniUPnP running on the remote host is prior to 1.4. It is, therefore, affected by the following vulnerabilities :
- An out-of-bounds read error exists in the ProcessSSDPRequest() function in file minissdp.c that allows an unauthenticated, remote attacker to cause a denial of service condition via a specially crafted M-SEARCH request. (CVE-2013-0229)
- A stack-based buffer overflow condition exists in the ExecuteSoapAction() function in the SOAPAction handler, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a long quoted method, to cause a denial of service condition or the execution of arbitrary code.
(CVE-2013-0230)
Solution
Upgrade to MiniUPnP version 1.4 or later.
Post by: Chrysalis on April 15, 2018, 11:54:37 PM
upnp when implemented properly is fine, but i just prefer to not chance it on a feature i dont use. any enabled unused feature is a potential attack vector.