Flash UPNP attack vector
GNUcitizen has issued a blog posting regarding a new method of exploiting UPNP-enabled devices - by having a user access a malicious SWF file. The group was able to identify how Flash can be used to generate an URLRequest to a UPNP control point, allowing an external party to reconfigure that device.
One limiting factor is that the IP address of the router needs to be known, but on most end user networks this is trivial: these machines are within well known private ranges and are generally at the .1 or .254 end of the spectrum. With further review and information pending, we suggest evaluating (as with any piece of functionality) whether there is a legitimate need to have UPNP enabled on affected devices. Some guidance from the US-CERT can be found here.
Comments