The US Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) along with IT security firm Rapid7, have advised users to disable the UPnP feature that allows operating devices and printers through the internet.
According to researchers from the security firm, several buffer overflow vulnerabilities have been exposed in libupnp, which is the open source portable SDK for UPnP that may allow hackers to gain access to millions of vulnerable devices.
Rapid7 also reported that there were about 40 million to 50 million devices vulnerable over three separate issues with the UPnP standard.
The two most frequently used UPnP software libraries both comprised remotely exploitable vulnerabilities. In Portable UPnP SDK, about 23 million IPs have been found to be exposed to remote code execution via a single UDP packet.
Rapid7security researcher HD Moore said that the firm was able to identify over 6,900 product versions that were vulnerable through UPnP.
"This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in of itself," Moore said.
The flaws could also enable attackers to access secret files, steal passwords, acquire full control over PCs and remotely access devices including webcams, printers and security systems.
The list of devices vulnerable to attackers include products manufactured by Belkin, D-Link, Cisco Systems’ Linksys division and Netgear.
Linksys said in a statement: "We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted."
