
SANS ISC: UPnP Problems - SANS Internet Storm Center SANS ISC InfoSec Forums

UPnP Problems
Many home routers and firewall appliances support UPnP. UPnP is intended to allow hosts on the network to auto-configure the router. For example, some network cameras will configure the router automatically to allow access to the camera from the outside. Typically, the camera will send UPnP messages to find the router and then ask it to open a port and redirect all traffic on that port to the camera's built-in web server.

Standard hardening guides recommend turning off UPnP.

A recent post outlines that, even though a security model was defined for UPnP, it is not used. Any workstation on the local network can configure the UPnP-capable device "at will". Even worse: in some cases, port mapping does not check whether you are actually redirecting a port to an internal host.

Short lesson: If you haven't yet, turn off UPnP. If you need UPnP, make sure you have the latest firmware, as it may eliminate some of the worst issues (e.g. rerouting to an external host). You should at least log UPnP messages with an IDS (e.g. snort; even tcpdump will do fine). The nice thing is that UPnP messages are quite easy to read.
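
As an added example (not part of the original diary), the Python code below shows how such logged messages can be reviewed: it parses the SOAP body of an IGD `AddPortMapping` request taken from a capture and flags a mapping whose target is outside the LAN or differs from the requesting host. The sample request, the addresses and the function names are constructed for illustration, and the LAN range is an assumption you supply.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: body of an IGD AddPortMapping SOAP request as it would
# appear in a tcpdump/IDS capture. {client} is filled in per test case.
SAMPLE_TEMPLATE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>camera</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping></s:Body></s:Envelope>"""

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def parse_add_port_mapping(soap_body):
    """Return the AddPortMapping arguments as a dict, or None for other actions."""
    # Captured traffic is untrusted input; a hardened parser such as
    # defusedxml is the safer choice outside of a lab.
    root = ET.fromstring(soap_body)
    for elem in root.iter():
        if local_name(elem.tag) == "AddPortMapping":
            return {local_name(c.tag): (c.text or "").strip() for c in elem}
    return None

def review_mapping(soap_body, requester_ip, lan_cidr):
    """Return findings for one captured request (empty list = nothing flagged)."""
    args = parse_add_port_mapping(soap_body)
    if args is None:
        return []
    lan = ipaddress.ip_network(lan_cidr)
    target = args.get("NewInternalClient", "")
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        return [f"NewInternalClient is not an IP address: {target!r}"]
    if target_ip not in lan:
        # The "rerouting to an external host" case mentioned above.
        return [f"mapping target {target_ip} is outside LAN {lan}"]
    if target_ip != ipaddress.ip_address(requester_ip):
        return [f"{requester_ip} requested a mapping for another host {target_ip}"]
    return []
```

The requester address comes from the IP header of the captured packet, not from the SOAP body, so feed it in from the capture tool's output.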

Thanks to John Herron for pointing us to the Securityview site.


May 18th 2006
