Cross post from Bugtraq, DefenseCode Security Advisory http://www.defensecode.com/
Broadcom UPnP Remote Preauth Root Code Execution Vulnerability

Advisory ID: DC-2013-01-003
Advisory Title: Broadcom UPnP Remote Preauth Root Code Execution Vulnerability
Advisory URL: http://www.defensecode.com/subcategory/advisories-28
Software: Broadcom UPnP software
Vulnerable: Multiple router manufacturers
Vendor Status: Vendors contacted
Initial Release Date: 2013-01-15
Release Date Postponed To: 2013-01-31
Risk: Critical

1. General Overview
===================

During the security evaluation of Cisco Linksys routers for a client, we have discovered a critical security vulnerability that allows a remote unauthenticated attacker to remotely execute arbitrary code under root privileges.

Upon the initial vulnerability announcement a few weeks ago, a Cisco spokesman stated that only one router model is vulnerable - WRT54GL. We have continued with our research and found that, in fact, the same vulnerable firmware component is also used in at least two other Cisco Linksys models - WRT54G3G and probably WRT310N. Could be others.

Moreover, the vulnerability turns out to be even more dangerous, since we have discovered that the same vulnerable firmware component is also used across many other big-brand router manufacturers and many smaller vendors.

The vulnerability itself is located in the Broadcom UPnP stack, which is used by many router manufacturers that produce or produced routers based on the Broadcom chipset.

We have contacted them with vulnerability details and we expect patches soon. However, we would like to point out that we have sent more than 200 e-mails to various router manufacturers and various people, without much success.

Some of the manufacturers contacted regarding this vulnerability are Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, US Robotics, and so on.

Routers with vulnerable Broadcom UPnP stack are mostly based on Broadcom UPnP chipset. You can check how many manufacturers use the Broadcom chipset here: http://wiki.openwrt.org/toh/start (search for Broadcom, brcm or bcm).

We don't know exactly how many of them are affected, since we were unable to contact all of them, but we suspect there are probably tens of millions of vulnerable routers out there.

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

From: David Lum [mailto:david....@nwea.org]
Sent: Thursday, January 31, 2013 12:37 PM
To: NT System Admin Issues
Subject: RE: Ouch - UPnP

See the thread called "Shocking? Somehow, not..."

Having a more descriptive subject line like yours is far too logical :)

From: N Parr [mailto:npar...@mortonind.com]
Sent: Thursday, January 31, 2013 9:30 AM
To: NT System Admin Issues
Subject: Ouch - UPnP

http://news.cnet.com/8301-1009_3-57566366-83/upnp-networking-flaw-puts-millions-of-pcs-at-risk/?tag=nl.e757&s_cid=e757

Guess it would mostly affect home users but they are going to be the ones who would never hear about it or be able to fix it.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin