The Rapid7 folks ran scans for 5+ months searching for, and finding, systems exposed to three different classes of vulnerabilities related to UPnP. The sheer volume, accessibility, diversity of vendors, and age of some of these systems is what is most interesting from an operational business standpoint. First, a few statistics from the report:
- 23 million IPs are vulnerable to remote code execution through a single UDP packet
- At least 6,900 product versions vulnerable through UPnP.
- List encompasses over 1,500 vendors
- 1 UDP packet can exploit any one of 8 vulnerabilities in libupnp
- Some of the vulnerabilities were 2+ years old, yet 300+ products are still shipping the insecure version
A great write-up is available here by Darlene at ComputerWorld (chock full of links to additional facts and the CERT advisory), and of course all comments and feedback should be directed to HD Moore’s blog. The report was worth the read, and while the technical details are important, I would challenge the executives reading this paper to consider, operationally, how they would go about managing the vulnerable systems in their organizations, and how their internal processes are designed to ensure that similar technical vulnerabilities (the symptoms) across different types of products do not recur. Or, at a minimum, to devise a methodology for mitigating the risk from technology such as this that cannot be patched (the vendor is gone, management tools are non-existent, etc.) or otherwise addressed directly on the same system.
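The operational question starts with an inventory: which devices answer SSDP, and which UPnP stack and version they advertise. A device's SSDP reply carries a SERVER header naming its stack (libupnp announces itself as "Portable SDK for UPnP devices/x.y.z", and older forks as "Intel SDK for UPnP devices/x.y"), which is enough to flag builds older than the fixed release. The script below is an added example for this post, not Rapid7's scanner or any code from the report. It assumes libupnp 1.6.18 as the first release carrying the fixes for the eight libupnp bugs, and the SSDP replies it parses are constructed samples, not captured traffic; the `discover()` helper that actually sends an M-SEARCH is included for use on your own network but is not exercised offline.

```python
"""SSDP reply triage: pull the UPnP stack and version out of the SERVER header
and flag libupnp builds older than the fixed release.

Added example for this post; not Rapid7's scanner or code from the report.
"""
import re
import socket

# Assumption: libupnp 1.6.18 is the first release with the fixes for the
# eight libupnp bugs; anything older is treated as exposed to the
# single-UDP-packet attack described in the report.
LIBUPNP_FIXED = (1, 6, 18)

SSDP_MCAST = ("239.255.255.250", 1900)
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n\r\n"
)

# libupnp lineage: "Portable SDK for UPnP devices/1.6.6" or the older
# "Intel SDK for UPnP devices/1.2". Minor and patch numbers may be absent.
_LIBUPNP_RE = re.compile(
    r"(?:Portable|Intel) SDK for UPnP devices/(\d+)(?:\.(\d+))?(?:\.(\d+))?",
    re.IGNORECASE,
)


def parse_ssdp_headers(payload: str) -> dict:
    """Parse an HTTP-style SSDP reply into a dict of lower-cased header names."""
    headers = {}
    for line in payload.split("\r\n")[1:]:   # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")  # LOCATION values contain ':' too
        headers[name.strip().lower()] = value.strip()
    return headers


def libupnp_version(server_header: str):
    """Return the libupnp version tuple from a SERVER header, or None if absent."""
    m = _LIBUPNP_RE.search(server_header or "")
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable_libupnp(server_header: str) -> bool:
    """True when the header names a libupnp build older than LIBUPNP_FIXED."""
    v = libupnp_version(server_header)
    return v is not None and v < LIBUPNP_FIXED


def triage(payload: str) -> dict:
    """Summarise one SSDP reply: stack string, description URL, version, flag."""
    h = parse_ssdp_headers(payload)
    server = h.get("server", "")
    return {
        "server": server,
        "location": h.get("location", ""),
        "libupnp": libupnp_version(server),
        "flag": is_vulnerable_libupnp(server),
    }


def discover(timeout: float = 2.0):
    """Send one M-SEARCH to the local multicast group and triage every reply.
    Network code for use on your own segment; not run by the offline samples."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    results = []
    try:
        s.sendto(M_SEARCH.encode(), SSDP_MCAST)
        while True:
            data, addr = s.recvfrom(4096)
            results.append((addr[0], triage(data.decode(errors="replace"))))
    except socket.timeout:
        pass
    finally:
        s.close()
    return results


# Constructed sample replies (not captured from real devices).
SAMPLES = [
    "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    "SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    "ST: upnp:rootdevice\r\n\r\n",
    "HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.11:49152/desc.xml\r\n"
    "SERVER: Linux/3.2, UPnP/1.0, Portable SDK for UPnP devices/1.6.18\r\n\r\n",
    "HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.12:2869/upnp.xml\r\n"
    "SERVER: VxWorks/5.4, UPnP/1.0, Intel SDK for UPnP devices/1.2\r\n\r\n",
    "HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.13:5000/rootDesc.xml\r\n"
    "SERVER: OpenWRT/Attitude UPnP/1.1 MiniUPnPd/1.8\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

The flag is deliberately narrow: it only knows the libupnp lineage, so a reply from MiniUPnPd or a vendor stack comes back unflagged rather than marked safe. Treat the output as an inventory to feed the governance process the post goes on to describe, not as a clean bill of health.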
As our business processes come to rely further on network-connected devices, the age and velocity of the industry is a risk that we must manage. Acquisitions, businesses going under, Kickstarter products coming and going, and protocols simply losing support in the development environment are all risks that governance and risk assessment methodologies exist to mitigate.
- How is your strategic program designed; is it effective against these shifts in the business; how can it be enhanced?
- How strong is the partnership with the procurement, M&A, and business relations teams? Consider these both as inputs to your program and as ways of enhancing it.
Thanks to Rapid7 for the research and raising this broader risk.
*See me at RSA 2013 speaking on – Passwords are Dead