Filet-O-Firewall exposes millions of home routers to attacks

The security vulnerability Filet-O-Firewall in UPnP is exposing millions of home networking devices at risk for cyber attacks.

According to a security advisory recently issued by the CERT at the Software Engineering Institute at Carnegie Mellon University, security vulnerabilities in UPnP are exposing millions of home networking devices at risk for cyber attacks.

The problem resides in the UPnP that lacks sufficient authentication mechanisms.

“Home routers implementing the UPnP protocol do not sufficiently randomize UUIDs in UPnP control URLs, or implement other UPnP security measures.” states the advisory.

“Poor adoption of the security standard may broadly open up opportunities for an attacker with private network access to guess the UPnP Control URLs for many devices currently on the market. If the guess is correct, the attacker may utilize UPnP to make changes to the home router’s configuration such as opening ports and enabling services that allow an attacker further access to the network. A correct guess is likely, due to many manufacturers’ use of standardized UPnP Control URL names.” 

The Filet-o-Firewall Vulnerability (CERT – VU#361684) could be exploited by attackers to cause a user who is running Chrome or Firefox with JavaScript enabled to make arbitrary UPnP requests to their firewall thereby opening their network to compromise. The attacker just needs to set up a specially crafted website hosting the exploit code, if a victim using either Chrome or Firefox visits it, and the browser is configured to run JavaScript, the attack will force the browser to make UPnP requests to their firewall, opening the network to attack.

Successful exploits of the Filet-o-Firewall allows attackers to open firewall ports and issue administrative commands on a home router.

As mitigation measure the CERT recommends to disable UPnP to randomizing UPnP UUID and URLs.

“An attacker that exploits the Filet-O-Firewall vulnerability would be able to expose any/all devices behind a user’s firewall directly to the internet,” says a summary on the Filet-o-Firewall site. “The process can be made nearly transparent to the end-user without the user installing or running any application.  The user must simply browse to the attacker’s website using an affected browser with JavaScript enabled.” states Harrelson in a blog post. “This vulnerability is logic based and does not reside in a specific piece of code.  It is a result of many different attacks combined into one and designed to target the UPnP service on home routers,” 

The advisory includes the list of affected devices, but Harrelson speculates that many other devices are affected by the Filet-O-Firewall vulnerability.

The security of the UPnP has been already questioned in the past by security experts, in October 2014 researchers at Akamai firm have issued a report on reflection and amplification DDoS attacks exploiting vulnerable UPnP devices worldwide. In 2013, HD Moore, CSO of the security firm Rapid7 published a study that showed that of 80 million devices responding to UPnP requests on the Internet, more than 50 million were vulnerable to cyber attacks.

Pierluigi Paganini

(Security Affairs – Filet-O-Firewall, UPnP)