A 100,000-Router Botnet Is Feeding On a 5-Year-Old UPnP Bug In Broadcom Chips (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made by a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light. Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means. Last week's report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers' control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail.
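The summary's detection hint is that a compromised router starts opening connections to well-known mail services, something a gateway never does on its own. The script below is an added example (not code from the Ars or Netlab report) that runs that check over a few constructed flow records: it parses `timestamp src dst proto dstport` lines, keeps only connections to SMTP submission ports that originate from addresses you list as routers, and reports a router once it has reached more than one distinct mail destination. The router addresses, the flow format and the threshold are all assumptions; the destination addresses are RFC 5737 documentation ranges.

```python
"""Flag routers that originate SMTP connections (spam-relay indicator).

Added example, not part of the original article or of Netlab's report.
Flow-log format, router addresses, destinations and the threshold are
constructed for the demonstration.
"""
from collections import defaultdict
import ipaddress

# TCP ports used to hand mail to a mail service: SMTP, SMTPS, submission.
MAIL_PORTS = {25, 465, 587}

# Devices that should never originate mail on their own (constructed).
ROUTER_ADDRS = {"10.0.0.1", "10.0.1.1"}

# Constructed flow records: "<timestamp> <src> <dst> <proto> <dstport>".
SAMPLE_FLOWS = """\
2018-11-09T10:00:01 10.0.0.1 198.51.100.10 tcp 25
2018-11-09T10:00:02 10.0.0.1 198.51.100.11 tcp 587
2018-11-09T10:00:03 10.0.0.1 203.0.113.5 tcp 465
2018-11-09T10:00:04 10.0.0.50 198.51.100.10 tcp 587
2018-11-09T10:00:05 10.0.1.1 198.51.100.22 tcp 25
2018-11-09T10:00:06 10.0.0.1 203.0.113.9 tcp 443
2018-11-09T10:00:07 10.0.1.1 198.51.100.22 udp 53
"""


def parse_flow(line):
    """Return (src, dst, proto, dstport) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, src, dst, proto, port = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return src, dst, proto.lower(), int(port)
    except ValueError:
        return None


def flag_mail_from_routers(lines, router_addrs=ROUTER_ADDRS, min_distinct=2):
    """Map each router that reached >= min_distinct distinct mail hosts over
    TCP to the sorted list of those hosts. Workstations are ignored: the
    signal is the *source role*, not the port alone."""
    dests = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, proto, port = rec
        if src in router_addrs and proto == "tcp" and port in MAIL_PORTS:
            dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_distinct}


if __name__ == "__main__":
    for router, hosts in flag_mail_from_routers(SAMPLE_FLOWS.splitlines()).items():
        print(f"{router} talked SMTP to {len(hosts)} mail hosts: {', '.join(hosts)}")
```

On the constructed input only 10.0.0.1 is reported: it reached three distinct mail hosts, while 10.0.1.1 hit a single one (below the threshold) and 10.0.0.50 is a workstation, for which SMTP submission is normal. Tune `min_distinct` and the port set to your own environment; a router that is itself the site's mail relay would need to be excluded from `ROUTER_ADDRS`.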
Re: (Score:2)
The only way to use UPnP - turn it off! It's a security hole the size of Grand Canyon.
Re: (Score:3)
It is completely different from plug-and-play discovery of devices within your machine. It is basically a protocol that lets malware, worms, etc. forward ports for themselves in your r
Re: (Score:3)
The list is copied to the comments on the first Ars link in the article. https://arstechnica.com/inform... [arstechnica.com]
The source is said to be a pdf on the Netlab 360 site which is currently very slow to respond.
A copy of the list will not post here because it is too few characters per line to get past the spam checker.
Re:Is mine one of them? (Score:5, Insightful)
A) Do you have UPnP enabled?
B) If yes, turn it off.
UPnP is an *UTTERLY UNNECESSARY* service (speaking as an IT Manager, gamer, and someone who hosts gaming servers etc.), that when exposed to the Internet allows ANY local device to forward ANY network port to ANY IP/port combination with NO authentication whatsoever.
Even privileged ports and local ports.
I can literally redirect your port 139 (e.g. CIFS/SMB) to a host on the Internet if I wanted, or open command/control ports and punch holes through your firewall wherever I want.
All this is, is a UPnP flaw that allows you to do the same remotely, but literally any device on your local network can already do it without any logs, authentication, or notification that they are doing so (e.g. your ChromeCast / laptop / Amazon Echo / Nest doorbell could be opening up your telnet port and sending it to themselves once every hour, and you'd pretty much never know anything about it).
Turn it off. Watch how nothing changes and all your systems still work as intended.
And, if you absolutely, 100% must host servers on your own connection (not just "play games" but literally host servers with no matchmaking servers present) then you add a single port-forward yourself and job-done.
P.S. No, this does not affect local device discovery, etc. so your Chromecast etc. will still work perfectly fine on your home network anyway.
Case in point: I've never had UPnP turned on on anything, I have 1000 Steam games that play just fine, plus ChromeCasts and all kinds of kit. Not a single problem.
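The post above describes the UPnP IGD port-mapping service in words; the following added example (not code from the original thread or from any router vendor) shows it in wire format. It builds the SOAP `AddPortMapping` request that any LAN host can send to a router's WANIPConnection control URL, with no credential field anywhere in it, and pairs it with an audit routine that walks `GetGenericPortMappingEntry` and flags mappings that expose sensitive internal ports such as telnet or SMB. The control URL, the sample response and the "sensitive ports" list are assumptions made for the demonstration.

```python
"""UPnP IGD port-mapping requests and an audit of existing mappings.

Added example, not code from the original post. The control URL and the
sample GetGenericPortMappingEntry response below are constructed.
"""
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Internal ports you would not want reachable from the WAN (assumption).
SENSITIVE_PORTS = {21, 22, 23, 139, 445, 3389, 5900}


def soap_envelope(action, args):
    """Wrap an IGD action and its arguments in a SOAP 1.1 envelope."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE}">{body}</u:{action}></s:Body>'
        "</s:Envelope>"
    )


def add_port_mapping_request(ext_port, int_port, int_client, proto="TCP", desc="demo"):
    """Ask the router to forward WAN ext_port to int_client:int_port.
    There is no authentication argument in the action at all: being on the
    LAN (or reaching a WAN-exposed UPnP stack) is the only requirement."""
    return soap_envelope("AddPortMapping", {
        "NewRemoteHost": "",          # empty = accept from any source
        "NewExternalPort": ext_port,
        "NewProtocol": proto,
        "NewInternalPort": int_port,
        "NewInternalClient": int_client,
        "NewEnabled": 1,
        "NewPortMappingDescription": desc,
        "NewLeaseDuration": 0,        # 0 = permanent until deleted
    })


def get_mapping_request(index):
    return soap_envelope("GetGenericPortMappingEntry", {"NewPortMappingIndex": index})


def soap_post(control_url, action, envelope, timeout=5):
    """Send one action to the router; control_url comes from its device XML."""
    req = urllib.request.Request(
        control_url, data=envelope.encode(),
        headers={"Content-Type": 'text/xml; charset="utf-8"',
                 "SOAPAction": f'"{SERVICE}#{action}"'})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def parse_mapping_response(xml_text):
    """Return the New* fields of a GetGenericPortMappingEntryResponse as a dict."""
    root = ET.fromstring(xml_text)
    response = root.find(f"{{{SOAP_NS}}}Body")[0]
    return {child.tag.split("}")[-1]: (child.text or "") for child in response}


def enumerate_mappings(fetch):
    """Walk mapping indexes 0,1,2,... until fetch(index) returns None
    (a real router answers the first bad index with a SOAP fault)."""
    mappings = []
    index = 0
    while (xml_text := fetch(index)) is not None:
        mappings.append(parse_mapping_response(xml_text))
        index += 1
    return mappings


def suspicious_mappings(mappings):
    """Mappings that expose a sensitive internal port to the whole Internet."""
    return [m for m in mappings
            if int(m["NewInternalPort"]) in SENSITIVE_PORTS and m["NewRemoteHost"] == ""]


# Constructed response: a router that already forwards WAN 2323 to telnet on a LAN host.
SAMPLE_RESPONSE = (
    '<?xml version="1.0"?>'
    f'<s:Envelope xmlns:s="{SOAP_NS}" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    f'<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>2323</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>23</NewInternalPort>'
    '<NewInternalClient>192.168.1.20</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>iot-cam</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    # Offline run over the constructed response; swap the lambda for
    # lambda i: soap_post(CONTROL_URL, "GetGenericPortMappingEntry", get_mapping_request(i))
    # (catching urllib.error.HTTPError and returning None) to audit a real router.
    found = enumerate_mappings(lambda i: SAMPLE_RESPONSE if i == 0 else None)
    for m in suspicious_mappings(found):
        print(f"WAN {m['NewProtocol']}/{m['NewExternalPort']} -> "
              f"{m['NewInternalClient']}:{m['NewInternalPort']} ({m['NewPortMappingDescription']})")
```

The control URL is discovered via SSDP and the router's device description XML; that step is left out here so the block runs offline. The audit half is the practical takeaway: if you keep UPnP on, listing the existing mappings periodically is the only way to notice a device on the LAN quietly forwarding telnet or SMB to itself.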
Re: (Score:2)
Quite a few wireless inkjet printers need it and WPS to connect to a network. Canons, for instance.
re: inkjet printers (Score:2)
Quite frankly, the inexpensive consumer-grade inkjet printers do a generally awful job of networking, across the board.
One of the big issues I've encountered is that almost all of the wi-fi enabled printers still only support the 2.4Ghz band, which tends to become very crowded with SSIDs if you're in a multi-story office or apartment complex. So not only can you struggle to get a wireless frequency that's usable and reliable, but often, the number of SSIDs exceeds the memory allocated to display them in a s
Re: (Score:2, Troll)
No.
They don't.
And if they do, stop buying them.
But they don't.
Literally, it's "auto-port-forwarding". Any printer that NEEDS that, you don't want. Not even Google Cloud Print requires that.
WPS is entirely unrelated.
UPnP "Discovery" over the local network is entirely unrelated (and not affected by turning off UPnP on the router) - that's the only mention of UPnP that I can find on any of Canon's sites... they are talking about allowing UPnP through the software firewall on a client machine so it can talk o
Re:Is mine one of them? (Score:4)
Also, UPnP is just another extreme fuckup by Microsoft.
Re: (Score:2)
"Case in point: I've never had UPnP turned on on anything, I have 1000 Steam games that play just fine, plus ChromeCasts and all kinds of kit. Not a single problem."
This is probably true today. Games are now designed to work without it. However, back when upnp was introduced it was the only reasonable way for non-network admins to get a hole through their firewall. And yes, it was necessary just to play online, not only for hosting.
As an IT manager, you probably ought to know this already. Some legacy softw
Broadcom responds to the news. (Score:5, Funny)
"The botnet is run by criminals and instead of blaming the criminals, and the ineptitude of the law enforcement, the narrative has been to attack the job creators and the legitimate businesses. Broadcom has created thousands of jobs and has created millions of dollars for its shareholders. It would be really unfortunate if such stellar corporate performance is undone due to onerous job killing regulations by the Washington bureaucrats. We call for the government to catch the criminals and bring them to justice.
We also take this time to announce our new great business venture. We are getting into home building. We hope to make homes more affordable by removing useless things like locks and latches. They interfere with the aesthetics of the homes without significantly adding to the comfort and the utility of the home. Being the job creators, we implore the municipalities to do their job of law enforcement, so that we don't need these locks and latches and other security devices. As a publicly traded company, it is our mission to use other people's money to make a huge load of profits, take as much as possible as executive compensation, throw some bones to Wall Street and externalize as much of our costs as possible, because we are job creators."
You plug and pray protocol (Score:4, Informative)
UPnP is almost useless in that it automatically allows your OS that supports it to crack a hole into the real world right through your NAT firewall. I've always disabled it because it sounds like a security risk and on top of that in many cases it was pretty buggy.
Not a bug in "Broadcom Chips" (Score:1)
Read the security report carefully. This is *not* a bug in "Broadcom chips". It is a bug that exists in an open-source package (miniupnp) that was used by certain vendors for their wireless routers. Please fight the FUD.
Re: (Score:1)
Sorry, correction: the bug is /not present/ in miniupnp but in a different implementation of that protocol. But it's a lot different to say "it's a bug in a chipset" instead of "a software bug".