Many home routers / firewall appliances support UPnP. UPnP is intended to allow hosts on the network to auto-configure the router. For example, some network cameras will configure the router automatically to allow access to the camera from the outside. Typically, the camera will send UPnP messages to find the router and then request it to open a port and redirect all traffic on that port to the camera's built-in web server.
Standard hardening guides recommend turning off UPnP.
A recent post on Securityview.org outlines that even though a security model was defined for UPnP, it is not used. Any workstation on the local network will be able to configure the UPnP capable device "at will". Even worse: in some cases, port mapping does not check whether the host you redirect a port to is actually an internal host.
Short lesson: If you haven't yet, turn off UPnP. If you need UPnP, make sure you have the latest firmware, as it may eliminate some of the worst issues (e.g. rerouting to an external host). You should at least log UPnP messages with an IDS (e.g. snort; even tcpdump will do fine). The nice thing is that the UPnP messages are pretty easily readable.
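As an added example (not from the original diary or from the Securityview post), here is what reviewing those logged UPnP messages can look like: the SOAP bodies are constructed samples of the standard WANIPConnection AddPortMapping request a camera would send, and the LAN range 192.168.1.0/24 is an assumed value; the check flags a mapping whose target is not an internal host, the case the diary warns about.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample SOAP bodies (the kind of thing tcpdump shows when a LAN host
# asks a UPnP IGD to add a port mapping); addresses, ports and names are made up.
SAMPLE_BODIES = {
    "camera": (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        '<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>'
        '<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>'
        '<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>'
        '<NewPortMappingDescription>camera</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>'
    ),
    "external": (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        '<NewRemoteHost></NewRemoteHost><NewExternalPort>25</NewExternalPort>'
        '<NewProtocol>TCP</NewProtocol><NewInternalPort>25</NewInternalPort>'
        '<NewInternalClient>203.0.113.9</NewInternalClient><NewEnabled>1</NewEnabled>'
        '<NewPortMappingDescription>relay</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>'
    ),
}

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local subnet


def parse_add_port_mapping(body):
    """Return the AddPortMapping arguments as a dict, or None if the body is not one."""
    root = ET.fromstring(body)
    for elem in root.iter():
        if elem.tag.endswith("}AddPortMapping"):
            return {child.tag: (child.text or "") for child in elem}
    return None


def review_mapping(args, lan=LAN):
    """Return a list of findings; empty means the mapping looks like normal LAN use."""
    findings = []
    try:
        target = ipaddress.ip_address(args["NewInternalClient"])
    except (KeyError, ValueError):
        return ["internal client missing or not an IP address"]
    if target not in lan:  # the router should refuse this; log it if it does not
        findings.append(f"internal client {target} is outside {lan}")
    for key in ("NewExternalPort", "NewInternalPort"):
        if not args.get(key, "").isdigit() or not 1 <= int(args[key]) <= 65535:
            findings.append(f"{key} is not a valid port: {args.get(key)!r}")
    return findings


def review_all(bodies=SAMPLE_BODIES):
    """Map each captured body to its findings, skipping non-AddPortMapping messages."""
    return {name: review_mapping(args) for name, body in bodies.items()
            if (args := parse_add_port_mapping(body)) is not None}
```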
Thanks to John Herron for pointing us to the Securityview site.
May 18th 2006