UPnP - security concerns?

Discussion in 'Tomato Firmware' started by philtrim, Jul 23, 2009.

  1. philtrim

    philtrim Addicted to LI Member

    I understand the basic purpose of the UPnP feature/functionality.

    What is the potential security risk(s) of having UPnP enabled, using the standard release of Tomato 1.2x version(s) with the default settings? I have seen differing opinions on this in the past!

    I am implementing this in small business/home office environments and was just curious as to what the networking gurus on the forum felt about leaving this UPnP featured enabled. Or how you guys configure this setting in your production environments!

    I suppose if you are not forwarding a lot of ports, then it would probably be better just to disable... perhaps.

  2. rhester72

    rhester72 Network Guru Member

    UPnP is convenient and insecure. Wikipedia has a great article on it (that describes what UPnP was *intended* for versus what the industry actually *used* it for - you'd be amazed at what it's capable of!)

    The problem with UPnP is that it is very, VERY powerful (it can reconfigure your entire network!), yet has absolutely no authentication mechanism at all.

    If your internal network (including wireless) is extremely secure and you are comfortable/confident that it cannot be breached, UPnP is fine. But if someone can simply figure out how to get onto your network by any means (including direct-cabling), and you have UPnP enabled, an attacker would be capable of Very Bad Things(TM).

    NAT-PMP does not suffer nearly as much from these issues because all it is capable of doing is NAT/port forwarding.

  3. mstombs

    mstombs Network Guru Member

    Tomato's upnp has never been capable of all the possible config functions (see issues elsewhere with BT homehub). Miniupnp in the latest builds is more restrictive than most with its "secure mode", there are also port range restrictions which don't yet have gui configs.

    If an attacker had physical access to your LAN - not sure he would need/use upnp - but I wouldn't expect to see it used in a corporate environment where "deny all, except those specifically permitted" has been the norm.

  4. Toastman

    Toastman Super Moderator Staff Member Member

    I agree with rhester72. It is insecure, but sometimes you need to use it if you have users that need many ports opened that you cannot realistically administer. For home users you usually know what they are and can manually port forward. Some applications can use NAT-PMP but unfortunately not so many. Weigh up the risks, which may not be as bad as first appears, as mstombs explains. If it is a choice between using UPnP or having no network functionality, then the decision is easy.

  5. Azuse

    Azuse LI Guru Member

    So does secure mode essentially make it function like NAT-PMP? I.e. PCs on my LAN will only ever be able to forward to themselves and not mess with the wifi, DNS or forward the router's GUI to the net?

    Also what exactly is the cleaning threshold?

  6. Toastman

    Toastman Super Moderator Staff Member Member

    Any listed forwarded ports that have not been used recently will be deleted after the configurable time period, IF the number of forwards exceeds the "threshold". (It can be useful to some administrators to set these high and long timeouts, so that they can see what the uPnP/NAT-PMP usage actually is).

    The defaults are fine, and conserve resources nicely.

    There is some security in that you can turn off "show in my browser" which restricts access to it, and also the secure mode. How this works I don't know - so can't say whether it is really more secure or not. Perhaps someone with programming knowledge can see what has been done.

  7. bhlonewolf

    bhlonewolf LI Guru Member

    In theory yes -- if you allow an application to open a port, it's simply another attack vector that might have otherwise not worked. But, bear in mind NAT is _not_ intended to be a security layer. I think UPnP has its place -- but it's not a "vulnerability." As long as the PCs behind the NAT are protected appropriately (antimalware), there is no concern in my professional opinion. :)

  8. Azuse

    Azuse LI Guru Member

    So if the threshold was set to 0 and the time to 600 then connections idle for 10 min would be closed?

    I forgot to ask what Show In My Network Places does; it is disabled by default.

    Edit: Open ports have never been an issue, if all a PC could do was forward ports to itself, i.e. no messing with other PCs, the router, DNS etc, which is why I'd like to understand what this secure mode and Show In My Network Places actually do before I turn it on :)

  9. mstombs

    mstombs Network Guru Member

    On Windows with UPnP discovery / Internet Gateway Device enabled, the router can appear in "My Network Places". If you then right-click on it you can interrogate the router, see what services are forwarded by UPnP etc.; left-click and you go to the router web GUI, I recall. You can also add this as an icon to the system tray (I would recommend you don't, as Windows generates a lot of Ethernet traffic / router CPU just asking for how many bytes were transferred all the time). With a full router UPnP implementation you (or a rogue program on your computer/LAN) can also manually set up port forwards using the standard Windows GUI, and just to be helpful Windows lets you set port forwards for all your devices / friends and enemies on your LAN.

    "secure mode" only allows a user to set port forwards to himself by upnp. Turning off the "show in my network places" just stops the icon being displayed, and has been ported from Tomato's old upnp to miniupnp. It may discourage users from investigating, but it doesn't add security, you can still use an app to set port forwards.

    Miniupnp can also be configured to control the range of ports each user can access, i.e. no need for anything below 1024? Tomato doesn't currently exploit this configuration through the web gui.

    NAT-PMP is more basic than upnp and so has better inherent security, but I see little or no difference in the implementation of miniupnp on Tomato (ability to change DNS servers and set outgoing diverts not possible)

    The only clear vulnerability with running Tomato's UPnP is a DoS attack: every bit of data sent from the router is packaged in an XML 'webpage' and you can generate a lot of traffic / CPU.

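The two mechanisms the thread keeps coming back to, Toastman's clean threshold / timeout rule (post 6) and the "secure mode" check that mstombs describes (post 9), are small enough to model. The following is an added example, not Tomato or miniupnpd code: it builds the UPnP IGD WANIPConnection:1 AddPortMapping SOAP body a client would send, parses it on the router side, refuses a mapping whose NewInternalClient is not the request's source address when secure mode is on, and expires idle mappings only while the table is above the threshold. The Gateway class, its settings names and its return strings are simplified assumptions, and the addresses are constructed.

```python
"""Added illustration, not Tomato or miniupnpd code: a model of two policies
discussed in this thread, "secure mode" (a LAN host may only map ports to its
own address) and the clean-threshold/timeout rule for idle mappings. The SOAP
body follows the UPnP IGD WANIPConnection:1 AddPortMapping action; the Gateway
class and its return strings are simplified assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewPortMappingDescription")


def build_add_port_mapping(ext_port, proto, int_port, int_client, desc):
    """Build the SOAP envelope a UPnP client posts to request a forward."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{IGD_NS}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{int_client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    )


def parse_add_port_mapping(xml_text):
    """Pull the fields the gateway needs out of the request; ValueError if malformed."""
    root = ET.fromstring(xml_text)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{IGD_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    fields = {}
    for name in FIELDS:
        el = action.find(name)
        if el is None or not (el.text or "").strip():
            raise ValueError(f"missing {name}")
        fields[name] = el.text.strip()
    return fields


@dataclass
class Mapping:
    ext_port: int
    proto: str
    int_port: int
    int_client: str
    desc: str
    last_used: float  # assumed to be refreshed by the router's traffic accounting


class Gateway:
    """Router side. secure_mode, clean_threshold and clean_interval stand in
    for the Tomato/miniupnpd settings named in the thread (assumed semantics)."""

    def __init__(self, secure_mode=True, clean_threshold=20, clean_interval=600):
        self.secure_mode = secure_mode
        self.clean_threshold = clean_threshold
        self.clean_interval = clean_interval
        self.mappings = []

    def add_port_mapping(self, sender_ip, soap_xml, now):
        """sender_ip is the source address of the HTTP request carrying the SOAP body."""
        try:
            req = parse_add_port_mapping(soap_xml)
        except (ValueError, ET.ParseError) as exc:
            return f"error: {exc}"
        client = req["NewInternalClient"]
        if self.secure_mode and client != sender_ip:
            return "rejected: secure mode, internal client is not the sender"
        ext, proto = int(req["NewExternalPort"]), req["NewProtocol"].upper()
        for m in self.mappings:
            if m.ext_port == ext and m.proto == proto:
                if m.int_client == client:
                    m.last_used = now  # owner re-requesting its own mapping
                    return "ok"
                return "rejected: external port already mapped to another host"
        self.mappings.append(Mapping(ext, proto, int(req["NewInternalPort"]),
                                     client, req["NewPortMappingDescription"], now))
        return "ok"

    def cleanup(self, now):
        """Drop mappings idle longer than clean_interval, but only while the
        table holds more than clean_threshold entries (the rule as described)."""
        if len(self.mappings) <= self.clean_threshold:
            return 0
        before = len(self.mappings)
        self.mappings = [m for m in self.mappings
                         if now - m.last_used < self.clean_interval]
        return before - len(self.mappings)


def demo():
    """Constructed scenario: a rogue LAN host tries to expose a neighbour's port."""
    victim, rogue = "192.168.1.20", "192.168.1.66"
    hijack = build_add_port_mapping(4450, "TCP", 445, victim, "rogue fwd")
    own = build_add_port_mapping(6881, "TCP", 6881, rogue, "bittorrent")
    secure = Gateway(secure_mode=True, clean_threshold=0, clean_interval=600)
    hijack_secure = secure.add_port_mapping(rogue, hijack, now=0)  # refused
    own_secure = secure.add_port_mapping(rogue, own, now=0)        # allowed
    open_gw = Gateway(secure_mode=False)
    hijack_open = open_gw.add_port_mapping(rogue, hijack, now=0)   # goes through
    removed = secure.cleanup(now=601)  # threshold 0, 600 s idle: entry dropped
    return hijack_secure, own_secure, hijack_open, removed, len(secure.mappings)


if __name__ == "__main__":
    print(demo())
```

The demo also answers Azuse's threshold question as Toastman stated the rule: with the threshold at 0 and the interval at 600 seconds, a mapping that has been idle for ten minutes is removed on the next cleanup pass. Note that the check in secure mode keys off the source address of the request, so anything that can spoof or share that address (or the machine itself, once compromised) can still open ports to it; secure mode narrows the blast radius to the requesting host, it does not add authentication.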
  10. Azuse

    Azuse LI Guru Member

    That's exactly what I needed to know, thank you.