{"id":4533,"date":"2015-09-11T09:00:07","date_gmt":"2015-09-11T09:00:07","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=4533"},"modified":"2019-11-15T07:02:05","modified_gmt":"2019-11-15T12:02:05","slug":"filet-o-firewall","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/filet-o-firewall\/4533\/","title":{"rendered":"Filet-o-Firewall: new vulnerabilities in UPnP expose the whole network"},"content":{"rendered":"<p>Routers are again becoming a source of cyberthreats as a new batch of security vulnerabilities in UPnP were publicized earlier this month. UPnP is a set of networking protocols widely used in home routers. Its purpose is to automatically discover devices on a network and interact with them.<\/p>\n<p>New vulnerabilities are reported to allow for an attack that takes less than 20 seconds; any router running UPnP is at risk, <a href=\"https:\/\/threatpost.com\/upnp-trouble-puts-devices-behind-firewall-at-risk\/114493\/\" target=\"_blank\" rel=\"noopener nofollow\">researchers said<\/a>.<\/p>\n<p><strong>Filet-o-Firewall<\/strong><\/p>\n<p>The new set of flaws received a somewhat funny name \u201cFilet-o-Firewall\u201d. What it allows is not\u00a0funny: <a href=\"https:\/\/threatpost.com\/upnp-trouble-puts-devices-behind-firewall-at-risk\/114493\/\" target=\"_blank\" rel=\"noopener nofollow\">according to Threatpost<\/a>, \u201cit combines a number of vulnerabilities and weaknesses in routing protocols and browsers, conspiring to expose networked devices behind a firewall to the open Internet.\u201d<\/p>\n<p>Essentially, the attack requires a specially crafted website that may cause a user who is running Chrome or Firefox browsers with JavaScript enabled to make arbitrary UPnP requests to their firewall, exposing any or even all devices behind a user\u2019s firewall directly to the Internet. 
It would require additional effort to \u201cexcavate\u201d any data of interest to the hacker, but for someone experienced enough, it\u2019s not rocket science.<\/p>\n<p>Making users with a JavaScript-enabled browser visit an attacker\u2019s website is a relatively easy endeavor, too.<\/p>\n<p>It is important to mention that the vulnerability is reported to be \u201clogic-based\u201d: \u201cIt does not reside in a specific piece of code. It is a result of many different attacks combined into one and designed to target the UPnP service on home routers\u201d.<\/p>\n<p><strong>An important note from CERT<\/strong><\/p>\n<p>CERT\u2019s <a href=\"http:\/\/www.kb.cert.org\/vuls\/id\/361684\" target=\"_blank\" rel=\"noopener nofollow\">advisory<\/a> says the main problem is that home routers implementing the UPnP protocol don\u2019t sufficiently randomize UUIDs in UPnP control URLs, or implement other UPnP security measures.<\/p>\n<p>The UPnP protocol, the CERT note reads, \u201cwas originally designed with the threat model of being on a private network (not available to the WAN) restricted to only authorized users, and therefore does not by default implement authentication.\u201d<\/p>\n<p>A\u00a0big mistake. Later, a UPnP Security standard was developed, but its support and deployment were \u201cextremely limited\u201d. The reason: \u201ccumbersome user experience\u201d and \u201clack of industry buy-in of advanced features such as Public Key Infrastructure\u201d.<\/p>\n<p>Let us read more: \u201cPoor adoption of the security standard may broadly open up opportunities for an attacker with private network access to guess the UPnP Control URLs for many devices currently on the market. 
If the guess is correct, the attacker may utilize UPnP to make changes to the home router\u2019s configuration such as opening ports and enabling services that allow an attacker further access to the network.\u201d<\/p>\n<p>And since many manufacturers use the standardized UPnP Control URL names, a correct guess is very likely.<\/p>\n<p>If successful, an attack can open firewall ports and issue administrative commands on a router.<\/p>\n<p><strong>Not the first time<\/strong><\/p>\n<p>It\u2019s not the first time UPnP has been the cause of severe headaches. Back in 2013, researchers took a look at the overall security status of UPnP-enabled devices and discovered that of the 80 million devices responding to UPnP requests on the Web, up to 50 million were vulnerable to various attacks.<\/p>\n<p>Basically, UPnP is a security deficiency on its own.<\/p>\n<p><strong>Fix by amputation<\/strong><\/p>\n<p>There is no cure for the problem as of now; no full solution, only workarounds, including the hard ones: consider disabling UPnP services completely, unless they are absolutely necessary. 
Randomizing UPnP UUID and URLs would help, too.<\/p>\n<p>Home routers are occasionally used by small businesses and home offices, so it is\u00a0recommended to pay attention to both the problem and its workarounds.<\/p>\n<p>The list of affected devices is assembled <a href=\"http:\/\/www.filet-o-firewall.com\/p\/vulnerable-routers.html\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a>; it is further recommended to employ additional protection tools such as Kaspersky Small Office Security to protect the network from attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Routers are again becoming a source of cyberthreats as a new batch of security vulnerabilities in UPnP were publicized earlier this month.<\/p>\n","protected":false},"author":209,"featured_media":15370,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[473,422,2340,268],"class_list":{"0":"post-4533","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-routers","10":"tag-threats","11":"tag-upnp","12":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/filet-o-firewall\/4533\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/filet-o-firewall\/4533\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/filet-o-firewall\/4533\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/threats\/","name":"threats"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4533","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-jso
n\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=4533"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4533\/revisions"}],"predecessor-version":[{"id":30408,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4533\/revisions\/30408"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15370"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=4533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=4533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=4533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}