libupnp vulnerability

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> General Questions
Author Message
alexschomb
DD-WRT Novice


Joined: 21 Jun 2012
Posts: 13

PostPosted: Wed Jan 30, 2013 14:33    Post subject: libupnp vulnerability Reply with quote
Are there any information regarding the libupnp vulnerability and DD-WRT? Which revisions are safe to use with uPNP which not?

http://www.kb.cert.org/vuls/id/922681
Sponsor
chrisf8657
DD-WRT User


Joined: 17 Jul 2009
Posts: 80

PostPosted: Wed Jan 30, 2013 17:25    Post subject: Reply with quote
I'm also curious as to whether this is being fixed. I'd like to hear from BrainSlayer.
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7632

PostPosted: Thu Jan 31, 2013 1:19    Post subject: Reply with quote
chrisf8657 wrote:
I'm also curious as to whether this is being fixed. I'd like to hear from BrainSlayer.


Have you checked if there is a need for something to be fixed?
There is a link to an online scanner in the url in the post by alexschomb.
Brainslayer has more important things to do than ease the worries of users who hasn't proved that there is something to worry about..

_________________
Kernel panic: Aiee, killing interrupt handler!
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13049
Location: Behind The Reset Button

PostPosted: Thu Jan 31, 2013 1:53    Post subject: Reply with quote
there is a couple of posts in the broadcom forum where members have tested..

seems dd-wrt does NOT have the vulnerability.

I don't use upnp anyway.. never have, never will..

_________________
[Moderator Deleted] Shocked
chrisf8657
DD-WRT User


Joined: 17 Jul 2009
Posts: 80

PostPosted: Sat Feb 02, 2013 18:48    Post subject: Reply with quote
LOM wrote:
chrisf8657 wrote:
I'm also curious as to whether this is being fixed. I'd like to hear from BrainSlayer.


Have you checked if there is a need for something to be fixed?
There is a link to an online scanner in the url in the post by alexschomb.
Brainslayer has more important things to do than ease the worries of users who hasn't proved that there is something to worry about..


Considering I don't write the code I can't tell you. But what I will is that when the Department of Homeland Security says to disable it on almost all routers, it's important, and there seems to be no information that comes from any DD-WRT staff in an easily accessible area.

barry -

Thanks ill check it out.
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7038
Location: Dresden, Germany

PostPosted: Wed Feb 06, 2013 22:26    Post subject: Reply with quote
dd-wrt does not use libpnp and since we personally think that upnp is insecure by design its also disabled by default. its also not reachable from wan side. so if there is any flaw, it can only be used from the lan side itself. but so far we dont know any known issue with out variant of upnp
_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
Mangix
DD-WRT User


Joined: 04 Aug 2011
Posts: 375

PostPosted: Thu Feb 07, 2013 22:03    Post subject: Reply with quote
I looked at the dd-wrt source from svn and the upnp implementation looks like it's done by broadcom. Which is an issue as claimed here: http://blog.defensecode.com/2013/02/defensecode-security-advisory-cisco.html

DD-WRT is mentioned twice.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> General Questions All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum