Overview
MiniUPnP is an open-source project that aims to deliver a free software solution that supports the UPnP (Universal Plug and Play) Internet Gateway Device (IGD) specifications. UPnP is a popular protocol that enables flawless communication between network-enabled devices and computers. This protocol is enabled by default on tens of millions of devices, of which a good number of them are connected to the Internet. MiniUPnP aims to support the IGD part of the UPnP protocol. Affected versions of the MiniUPnP library are vulnerable to denial of service attacks.
Details
The CVE-2013-0229 vulnerability exists because of how malicious Simple Service Discovery Protocol (SSDP) requests are handled in the MiniUPnP library. It is due to a boundary error in the SSDP’s ProcessSSDPRequest function of the file minissdp.c. This vulnerability allows a remote attacker to send specially crafted requests that could trigger a buffer over-read. This could make the vulnerable system to experience a service crash, leading to a complete denial of service attack. An attacker can exploit this vulnerability without requiring any form of authentication.
Affected Environments
MiniUPnP versions before 1.4
Remediation
Disable UPnP on all devices connected to the Internet Set up hardening rules when configuring wireless devices, such as requiring authentication credentials to log in and disabling “Guest” access.
Prevention
Upgrade to MiniUPnP version 1.4 or higher