Are you vulnerable to the latest UPnP security flaws? ScanNow for UPnP reveals all
Rapid7 – the security company behind vulnerability scanner Metasploit – has released details on three security flaws affecting some Universal Plug and Play implementations. And their research indicates that 40 to 50 million IPs are vulnerable to at least one of those vulnerabilities, which the company says is exposing users “to remote attacks that could result in the theft of sensitive information”.
Could you be vulnerable? Fortunately Rapid7 has provided a free Windows-based tool, ScanNow for Universal Plug and Play, to help you find out.
The program is portable, as you’d expect – no need for installation here. And it’s relatively easy to use. After registering your use of the program by providing your email address, all you have to do is provide the IP range you’d like to scan (ScanNow detects and provides sensible defaults) and then wait as it checks your network.
Once the process has finished you’ll see the ScanNow report. This starts by detailing the vulnerabilities it’s been looking for, so you’ll need to scroll down to the more interesting “Overview of Results”, which will reveal the number of network devices detected and how many of these were flagged as “Exploitable”.
And the “Result Details” section then lists which IP addresses have a detected device, and which of these appear to be vulnerable to the new security holes.
If it turns out you have an exploitable device then don’t panic just yet: it’s not necessarily a total disaster. If the device can’t be accessed from outside of your network, for instance, then it’s not going to get hacked.
When a device is facing the internet, though, you should definitely look at disabling its UPnP implementation. And arguably if you don’t need the technology then it’s a good idea to do this anyway (UPnP has had plenty of vulnerabilities discovered before, and we’ve no doubt others will appear in the future). Check your hardware documentation for more details.
And it may also be worth monitoring your network hardware manufacturers’ websites over the next few days to pick up on any response. Right now, for instance, Cisco have posted a Security Advisory for Cisco products, and a Knowledge Base article which details Linksys products known to be affected, and what to do about this. And we’ve no doubt that further responses will be appearing very soon.