Popular networking standard places as many as 50 million IPs at risk of one of three attacks, researchers say.
Researchers at Rapid7, a provider of vulnerability management, compliance, and penetration testing solutions for web applications, network, and database security, warns that the popular Universal Plug and Play (UPnP) protocol is flawed, exposing tens of millions of network devices to at least one of three different types of attacks. More than 23 million Internet-connected devices are vulnerable to remote code execution through a single UDP packet, along with tens of millions more via remote discovery on the web.
"The results were shocking to say the least," Rapid7 said in a statement. "Over 80 million unique IPs were identified that responded to UPnP discovery requests from the Internet. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks."
UPnP is a protocol standard that allows for easy communication between computers and network-enabled devices, like printers, routers, media servers, NAS boxes, and even smart TVs. Once connected, these devices can share files, printing capabilities, and so forth.
The flaw that was discovered and outlined in a white paper (PDF) is one that can be exploited remotely to launch arbitrary code. Rapid7 has provided a ScanNow tool that checks whether you network-enabled devices are vulnerable or not.