UPnP has been the target of other attacks in the past and now we see it being targeted again, perhaps because of the recent popularity of console remote play. Regardless of the why, it is happening, and it is a problem. According to researchers at Akamai, there are threat actors that are specifically targeting routers with the UPnP feature enabled. Through the use of a script they developed, the researchers were able to identify a large number of vulnerable routers, many of which returned indications that they are already infected.
What the attackers are doing is getting the exposed UPnP feature to set up port-forwarding entries automatically so they can reach inside a target’s network. According to Akamai, this new vulnerability also gets around network segmentation, because the forwarding rules are created at the router level. The same technique can be used to turn your firewall into a proxy: an attacker can bounce traffic off your router to another router or on to their real target.
The attack leverages a data leak in the Simple Service Discovery Protocol (SSDP). When an attacker sends a request to a target router that is vulnerable to this type of attack, they get back information about the UPnP daemon. The leaked data includes an XML file (the device description) that lists the services offered by the device. Normally this information should only be visible to internal IP addresses, but due to flawed implementations of UPnP it gets exposed to a would-be attacker. If the attacker gets the return they are looking for (access to, and the ability to read, the target XML file), they can send a SOAP/XML payload that adds their own NAT and port-forwarding entries to the UPnP mapping list.
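As an added, defender-side illustration (not part of the original article or of Akamai's tooling), the snippet below parses a constructed UPnP device description to find the services that accept port-mapping commands, and flags an AddPortMapping request whose NewInternalClient lies outside the LAN, the pattern that turns a router into a proxy. The XML samples, the friendly name, the control URL and the LAN range are all constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample device description, the document an SSDP reply's LOCATION
# URL points at (trimmed; hypothetical, not from any real product).
DEVICE_DESCRIPTION = """<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <friendlyName>Example Home Router</friendlyName>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
        <controlURL>/ctl/IPConn</controlURL>
      </service>
    </serviceList>
  </device>
</root>"""

# Constructed sample SOAP body of an AddPortMapping call; its internal client
# is a public address, so the router would forward external traffic back out.
ADD_MAPPING = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewExternalPort>8080</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>443</NewInternalPort>
      <NewInternalClient>203.0.113.7</NewInternalClient>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""

DEV_NS = "{urn:schemas-upnp-org:device-1-0}"

def port_mapping_control_urls(description_xml):
    """Return the controlURL of every service that can add port mappings."""
    urls = []
    for svc in ET.fromstring(description_xml).iter(DEV_NS + "service"):
        stype = svc.findtext(DEV_NS + "serviceType", "")
        if "WANIPConnection" in stype or "WANPPPConnection" in stype:
            urls.append(svc.findtext(DEV_NS + "controlURL"))
    return urls

def mapping_is_proxy(soap_xml, lan_cidr):
    """True when an AddPortMapping targets a host outside the LAN (proxy hallmark)."""
    lan = ipaddress.ip_network(lan_cidr)
    client = ET.fromstring(soap_xml).findtext(".//NewInternalClient")
    if client is None:
        return False
    return ipaddress.ip_address(client.strip()) not in lan
```

Running the same check against a router's live mapping table (GetGenericPortMappingEntry responses) will surface entries that point at hosts you do not own.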
After adding the new NAT and PAT rules, the threat actor can access the login page of the router or internal assets on the newly exposed network segments. In many consumer and SMB devices this can lead to a significant compromise, as they have a single segment or expose all their LAN segments at the edge of the network (no routing is performed after the router/firewall). Once the attackers have access to the firewall/router and the internal network, they can look for vulnerabilities that exist on those devices.
Currently Akamai believes that unpatched SMB services will be the most likely targets, but there are many other uses for this, including the previously mentioned proxy network for APT groups to leverage during their campaigns. The list of affected products is quite large and covers many popular brands from Belkin, D-Link, NETGEAR, Ubiquiti and even a model of HP printer with a built-in wireless router. This is another “patch/mitigate now” vulnerability to add to the list piling up in 2022.