UPnP leaves millions of devices vulnerable

Some implementations of Universal Plug and Play (UPnP) have vulnerabilities that allow remote exploitation. An excerpt from the ZDNet story:

According to the security team at Rapid7, technology used worldwide in both routers and standard networking equipment is making it possible for hackers to potentially infiltrate approximately 40 million to 50 million devices worldwide.

The vulnerability lies in the standard known as Universal Plug and Play (UPnP). This standard set of networking protocols allows devices, such as PCs, printers, and Wi-Fi access points, to communicate and discover each other's presence. After discovery, devices can be connected through a network in order to share files, printing capability, and the Internet.

In a white paper released today, researchers from the security software maker said that while UPnP might make network setup cheaper and more efficient, it harbours a severe security risk.

The paper focuses on programming flaws in common UPnP discovery protocol (SSDP) implementations, which can be exploited to crash the service and execute arbitrary code, the exposure of the UPnP control interface (SOAP) on private networks, and programming flaws in both UPnP HTTP and SOAP overall.

Over 80 million unique IPs were identified that responded to UPnP discovery requests from the Internet due to the "misconfiguration" of the UPnP SSDP discovery service across thousands of products. Over 73 percent of all UPnP instances discovered through SSDP were derived from only four software-development kits (SDKs).

In addition, the UPnP SOAP service was found to provide access to device functions that should not be allowed from distrusted networks--such as opening holes in a firewall.

Rapid7 also said that the two most commonly used UPnP software libraries both contain remotely exploitable vulnerabilities. For example, in the case of the Portable UPnP SDK, "over 23 million IPs are vulnerable to remote code execution through a single UDP packet." A patch has been released, but it will take a long time before this patch is included in vendor products, according to the firm.

Full story at ZDNet. Another ZDNet story on the subject: Homeland Security took the alert seriously.
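
The excerpt describes SSDP services answering discovery requests from the Internet and a small number of SDKs behind most of them. As an added example (not from the ZDNet story or the Rapid7 paper), this audit reads SSDP replies captured at your own network border, flags any sent to an address outside the internal ranges, and tallies the SDK named in each `SERVER` header. The capture, addresses, version strings, `ExampleUPnPStack` and the `INTERNAL` ranges are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: address ranges considered internal at this site.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reply(server):
    # Builds a constructed SSDP search response with the given SERVER header.
    return ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
            "LOCATION: http://192.168.1.1:49152/gatedesc.xml\r\n"
            f"SERVER: {server}\r\nST: upnp:rootdevice\r\n"
            "USN: uuid:constructed-0001::upnp:rootdevice\r\n\r\n").encode()

# Constructed capture: (address the reply was sent to, UDP payload).
SAMPLE = [
    ("192.168.1.20", reply("Linux/2.6.30 UPnP/1.0 Portable SDK for UPnP devices/1.6.6")),
    ("203.0.113.7", reply("Linux/2.6.30 UPnP/1.0 Portable SDK for UPnP devices/1.6.6")),
    ("198.51.100.9", reply("ExampleOS/1.0, UPnP/1.0, ExampleUPnPStack/2.0")),
]

def parse_ssdp(payload):
    """Return the headers of an SSDP search response, names upper-cased."""
    lines = payload.decode("latin-1").split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP search response")
    pairs = (line.partition(":") for line in lines[1:])
    return {k.strip().upper(): v.strip() for k, sep, v in pairs if sep}

def sdk_token(server):
    """SERVER reads 'OS/ver UPnP/ver product/ver'; return the product part."""
    _, found, rest = server.partition("UPnP/")
    product = rest.partition(" ")[2].strip(" ,")
    return product if found and product else "unknown"

def audit(records):
    """Flag replies sent outside INTERNAL and tally SDKs over all replies."""
    exposed, sdks = [], Counter()
    for dst, payload in records:
        headers = parse_ssdp(payload)
        sdk = sdk_token(headers.get("SERVER", ""))
        sdks[sdk] += 1
        if not any(ipaddress.ip_address(dst) in net for net in INTERNAL):
            exposed.append((dst, sdk, headers.get("LOCATION", "")))
    return exposed, sdks

if __name__ == "__main__":
    exposed, sdks = audit(SAMPLE)
    for row in exposed:
        print("SSDP reply left the internal network:", row)
    print(sdks.most_common())
```

Any row in `exposed` means a device answered discovery for a host outside the internal ranges; the usual fix is to disable UPnP on the WAN-facing interface or block UDP 1900 at the border.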