New UPnP exploit - for the love of God, disable UPnP!

Networking and broadband talkabout. Need help with that new router or setting up a network?
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

New UPnP exploit - for the love of God, disable UPnP!

Post by FlyingPenguin »

I've been saying it for years. Steve Gibson's been saying it even longer. Disable UPnP. It's a stupid, insecure protocol.

Most modern games and software don't require open ports anymore (they do handshaking via a cloud service). The only exception is if you want to host a server on your own PC, and if you're going to do that then you should learn how to set up manual port forwards on your router.

https://lifehacker.com/disable-upnp-on- ... 1844012366
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "

Executioner
Life Member
Posts: 10133
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Re: New UPnP exploit - for the love of God, disable UPnP!

Post by Executioner »

I have Malwarebytes Premium, and when I launch TF2 from Steam, I get a warning about a Trojan. It's identified as an RTP Detection - website blocked. According to this search I did, they responded:
These are web blocks, meaning that some of the servers on the TF2 server list are on IPs that we have identified to host malware. This is common for server based games like this and for other kinds of programs. Since you can still play normally, I wouldn't worry about it.
So after the notification block goes away, I don't see any changes in game play.
FlyingPenguin

Re: New UPnP exploit - for the love of God, disable UPnP!

Post by FlyingPenguin »

It's just blocking blacklisted IPs some TF2 servers are on. The only difference you would notice is that if Malwarebytes was disabled, you'd have a few more servers available. It doesn't mean the TF2 servers on those IPs are malicious, but they share an IP at a co-location that has other bad actors on it.
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "

darcy
Posts: 6263
Joined: Tue Jun 01, 2004 9:33 pm
Location: NYC

Re: New UPnP exploit - for the love of God, disable UPnP!

Post by darcy »

I don't understand any of this... is this for gaming, or something I need to worry about? I haven't opened any ports (don't know how); the router/modem is as it was sent to us by the service provider.
Briquette, 1992 - 2008 ~ < Forever In Our Hearts >

Lily, 1995 - 2009 ~ < Forever In Our Hearts >

The best and most beautiful things in the world cannot be seen or even touched.
They must be felt with the heart. ~ Helen Keller.
FlyingPenguin

Re: New UPnP exploit - for the love of God, disable UPnP!

Post by FlyingPenguin »

UPnP is port forwarding for dummies. I believe it was created to deal with the early game consoles as they all needed open ports for multiplayer hosting in the early days (nowadays it's probably done with 3rd party server handoffs like most PC games).

Since the average non-techie had no clue how to set up port forwards, UPnP made it simple. If UPnP was enabled on the router (and it usually is by default) the device (be it IoT device, PC, tablet, phone, console, etc.) that needed an open port would just ask the router for one automatically. No permissions required, and the spec also doesn't require routers to show any kind of list of ports opened this way, so they don't show up in the router's port forwarding tables. They're effectively invisible unless you do an outside port scan.

That was dandy when the Internet was a kinder, safer place, but UPnP has no security at all so ANYTHING in your network can request ports to be opened, including a device running malicious software or buggy software.

So for example, you could have some cheap webcam that runs a poorly secured SSH server for no good reason, and requests a port forward via UPnP, and you have no idea that your webcam has just opened a back door into your network.

Most router/modems have UPnP on by default. I know XFinity modems do, unless they've wised up. So there's a good chance yours is enabled. No, you don't need it. Most people don't. It would be worth logging into your modem to see if it's enabled and disable it.
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "

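An added example, not code from the post above or from any of the posters: besides an outside port scan, the mappings FlyingPenguin describes can be listed from inside the LAN by asking the router itself, because the same UPnP IGD interface that lets a device open a port also has a GetGenericPortMappingEntry action that walks the mapping table entry by entry. The script below does SSDP discovery, finds the WANIPConnection (or WANPPPConnection) control URL in the router's description XML, then reads mappings until the router returns the SOAP fault 713 (SpecifiedArrayIndexInvalid) that marks the end of the table. It uses only the Python standard library; the router address 192.168.1.1, the `/ctl/IPConn` path and the mapping contents in the offline test data are constructed assumptions, not anything from the thread.

```python
# Added example, not code from the forum post. Everything below the imports is
# plain UPnP IGD 1.0 protocol: SSDP discovery, then GetGenericPortMappingEntry.
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")

def build_msearch(st=IGD_ST, mx=2):
    """SSDP M-SEARCH datagram; every IGD on the LAN replies with its LOCATION."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def parse_ssdp_response(data):
    """Headers of an SSDP reply, keys lower-cased; {} unless it is a 200."""
    lines = data.decode(errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    return {k.strip().lower(): v.strip()
            for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # '{urn:...}serviceType' -> 'serviceType'

def find_wan_service(desc_xml, base_url):
    """(serviceType, absolute controlURL) of the WAN*Connection service, or None."""
    for svc in ET.fromstring(desc_xml).iter():
        if _local(svc.tag) != "service":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in svc}
        if f.get("serviceType") in WAN_SERVICES:
            return f["serviceType"], urljoin(base_url, f["controlURL"])
    return None

def build_soap(service_type, index):
    """Headers and body of a GetGenericPortMappingEntry(index) request."""
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{service_type}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    return ({"Content-Type": 'text/xml; charset="utf-8"',
             "SOAPAction": f'"{service_type}#GetGenericPortMappingEntry"'},
            body.encode())

def parse_mapping_response(xml_text):
    """One mapping as a dict, or None on a SOAP fault (713 = past the last entry)."""
    root = ET.fromstring(xml_text)
    if any(_local(e.tag) == "Fault" for e in root.iter()):
        return None
    f = {_local(e.tag): (e.text or "").strip() for e in root.iter()}
    return {"ext_port": int(f["NewExternalPort"]), "proto": f["NewProtocol"],
            "client": f["NewInternalClient"], "int_port": int(f["NewInternalPort"]),
            "desc": f.get("NewPortMappingDescription", ""),
            "lease": int(f.get("NewLeaseDuration") or 0)}

def http_post(url, headers, body):
    """Real SOAP POST; a fault arrives as HTTP 500 whose body is still the answer."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return r.read().decode()
    except urllib.error.HTTPError as e:
        return e.read().decode()

def enumerate_mappings(control_url, service_type, post=http_post, limit=1000):
    """Walk the mapping table index by index until the router faults."""
    out = []
    for i in range(limit):
        entry = parse_mapping_response(post(control_url, *build_soap(service_type, i)))
        if entry is None:
            break
        out.append(entry)
    return out

def audit(timeout=2.0):
    """Live run: None if no IGD answered (UPnP off or M-SEARCH ignored), else the table."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(), (SSDP_HOST, SSDP_PORT))
        try:
            hdrs = parse_ssdp_response(s.recv(4096))
        except socket.timeout:
            hdrs = {}
    if "location" not in hdrs:
        return None
    with urllib.request.urlopen(hdrs["location"], timeout=5) as r:
        svc = find_wan_service(r.read().decode(), hdrs["location"])
    return enumerate_mappings(svc[1], svc[0]) if svc else []

if __name__ == "__main__":
    table = audit()
    if table is None:
        print("no IGD answered: UPnP is off, or the router ignores M-SEARCH")
    for m in table or []:
        print(f"{m['proto']} {m['ext_port']} -> {m['client']}:{m['int_port']} "
              f"({m['desc'] or 'no description'}, lease {m['lease']}s)")
```

Run it from a machine on the LAN: a silent run (no IGD answered) is what you want after disabling UPnP; a non-empty table is the list of forwards the router's own admin page may not show. Two caveats: some routers answer M-SEARCH only from the first reply, so run it more than once on a busy network, and a router that has UPnP disabled but still answers SSDP will just return an empty table, which is fine. The 713 fault check is what terminates the walk; a router that answers out-of-range indices with HTTP 500 and no XML body would raise a parse error, so the `limit` argument is the safety net.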
darcy

Re: New UPnP exploit - for the love of God, disable UPnP!

Post by darcy »

Oh, gosh.
Ok, will see how far I get; thanks, FP.
Briquette, 1992 - 2008 ~ < Forever In Our Hearts >

Lily, 1995 - 2009 ~ < Forever In Our Hearts >

The best and most beautiful things in the world cannot be seen or even touched.
They must be felt with the heart. ~ Helen Keller.
Losbot
Almighty Member
Posts: 4991
Joined: Sun Jul 13, 2014 8:59 am
Location: South Florida

Re: New UPnP exploit - for the love of God, disable UPnP!

Post by Losbot »

Not allowed on my Sonicwall firewall. Ridiculous.