LinuxQuestions.org
Old 01-30-2013, 02:30 AM   #1
alpha645
LQ Newbie
 
Registered: Jul 2006
Posts: 25

Rep: Reputation: 0
Probable remote UPNP vulnerabilities reported, router listed: what to do?


Rapid7 reports a research finding that many, many routers are prone to remote (i.e. from the internet) attacks.

There are roughly two classes of routers:
- Those that use libupnp from Intel. These issues have been fixed in recent days. Version 1.6.18 is patched for all known vulnerabilities. This first patched version was released yesterday (29-01-13)(!).
- Those that use MiniUPnP. But the latest flaws have been fixed in version 1.4, which was released on 30-10-2009. Furthermore, there are also SOAP vulnerabilities in miniupnpd 1.0 and below, here. Miniupnpd 1.1 was released on 25-04-2008.

Both pieces of software run as root and are (somewhat) remotely exploitable. This worries me.

The thing is, my device is listed in the second list (miniupnp, not SOAP). However, I checked the device and it says for miniupnpd:

/usr/sbin/miniupnpd -i nas0 -a 10.xxx.xxx.xxx -p 5000 -U

I am not able to determine the version. However, wouldn't it just suffice to say:
- block inbound udp port 5000
- enable UPNP
- all is well

And I'm inclined to say this would suffice. Slashdot posters have made critical statements as to how reliably the results and lists were derived.

For example, you have to spoof an IP as well. But I'm running a non-default IP subnet (10.0.0.0/8) in my home network.

Thoughts?
 
Old 01-30-2013, 03:51 AM   #2
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Debian
Posts: 268

Rep: Reputation: 25
I just recently picked up the same story on Slashdot. Some scary stuff.

As far as I understand that attack, the router has to be responding with UPnP on a network where the attacker is located - this will most likely be the internet itself. If your router isn't configured to respond to UPnP on an external interface, you should be fine. Although I've heard of some attacks where an attacker can trick a user on an internal NAT-ted network into forwarding some packets to a router, but that's another story. If you're worried, you can disable UPnP completely if you don't need it, and wait for a firmware update.
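Added example, not code from any post in this thread or from the miniupnpd project: a BusyBox-compatible shell script that ties together what the two posts above discuss. It pulls the interface and port settings out of a miniupnpd command line like the one quoted in post #1 (in miniupnpd, -i names the external/WAN interface, -a the LAN address the daemon listens on, and -p the port of its HTTP listener), prints iptables rules that log and drop SSDP (UDP 1900) and that HTTP port on the WAN interface only, which is the "don't respond on the external interface" mitigation displace describes, and counts the distinct WAN sources that show up in the resulting kernel log. The command line, the LAN address and the log lines are constructed; the function names are hypothetical, and the script assumes iptables with the LOG target is present on the router.

```shell
#!/bin/sh
# Added example for this thread; not code from the posts or from the miniupnpd
# project. Assumes a BusyBox/POSIX sh on the router with iptables and the LOG
# target. Function names are hypothetical.

# Constructed stand-in for the command line quoted in post #1 (the LAN
# address is made up; the post masks it).
EXAMPLE_CMDLINE='/usr/sbin/miniupnpd -i nas0 -a 10.0.0.1 -p 5000 -U'

# Constructed kernel log lines, in the shape the LOG rules below produce.
SAMPLE_LOG='Jan 30 02:30:01 router kernel: UPNP-WAN: IN=nas0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=1900 DPT=1900
Jan 30 02:30:02 router kernel: UPNP-WAN: IN=nas0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=5000
Jan 30 02:30:05 router kernel: UPNP-WAN: IN=nas0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=UDP SPT=1900 DPT=1900
Jan 30 02:31:00 router kernel: OTHER: IN=nas0 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=TCP SPT=1234 DPT=22'

# Extract "<ext_if> <listen_ip> <port>" from a miniupnpd command line:
# -i is the external (WAN) interface, -a the LAN address it listens on,
# -p the port of its HTTP listener. Flags without a value, such as -U,
# are skipped.
miniupnpd_settings() {
    ext_if=''; listen_ip=''; port=''
    set -- $1                      # split the command line on whitespace
    [ $# -gt 0 ] && shift          # drop the program path
    while [ $# -gt 0 ]; do
        case "$1" in
            -i) if [ $# -gt 1 ]; then ext_if="$2"; shift; fi ;;
            -a) if [ $# -gt 1 ]; then listen_ip="$2"; shift; fi ;;
            -p) if [ $# -gt 1 ]; then port="$2"; shift; fi ;;
        esac
        shift
    done
    echo "$ext_if $listen_ip $port"
}

# Print iptables commands that log, then drop, SSDP (UDP 1900) and the
# daemon's HTTP port on the WAN interface only; LAN clients are unaffected.
upnp_wan_rules() {
    ext_if="$1"; port="$2"
    for match in "-p udp --dport 1900" "-p tcp --dport $port"; do
        echo "iptables -A INPUT -i $ext_if $match -j LOG --log-prefix \"UPNP-WAN: \""
        echo "iptables -A INPUT -i $ext_if $match -j DROP"
    done
}

# Read kernel log lines on stdin and print how many distinct source
# addresses hit the UPnP ports on the given WAN interface.
upnp_wan_hits() {
    grep 'UPNP-WAN: ' | grep "IN=$1 " \
        | sed 's/.*SRC=\([^ ]*\).*/\1/' | sort -u | awk 'END { print NR }'
}

# Walk through the whole procedure on the constructed input.
set -- $(miniupnpd_settings "$EXAMPLE_CMDLINE")
echo "WAN interface: $1, LAN listener: $2, HTTP port: $3"
upnp_wan_rules "$1" "$3"
echo "distinct WAN sources in the sample log: $(printf '%s\n' "$SAMPLE_LOG" | upnp_wan_hits "$1")"
```

On a real router, feed `miniupnpd_settings` the line from `ps`, pipe the output of `upnp_wan_rules` into `sh` to apply it, and run `upnp_wan_hits` over `dmesg` or the syslog; a non-zero count means something on the WAN side is reaching the UPnP ports and the rules are doing their job.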
 
Old 01-30-2013, 03:59 AM   #3
alpha645
LQ Newbie
 
Registered: Jul 2006
Posts: 25

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by displace View Post
I just recently picked up the same story on Slashdot. Some scary stuff.
Yeah, most of the CVEs mentioned are just for tracking old vulnerability bugs (especially in miniupnp). The fact that it's on Slashdot now makes it scary, but even scarier is the fact that some vulnerabilities have existed for four (4!) years!

Quote:
Originally Posted by displace View Post
As far as I understand that attack, the router has to be responding with UPnP on a network where the attacker is located - this will most likely be the internet itself. If your router isn't configured to respond to UPnP on an external interface you should be fine.
Those were my thoughts exactly. Therefore, I find it hard to believe that my router is listed. I cannot believe that Netgear would install daemons for UPNP and attach them to every interface. Therefore, I have the suspicion this is a severely overstated issue.

Quote:
Originally Posted by displace View Post
Although I've heard of some attacks where an attacker can trick a user on an internal NAT-ted network into forwarding some packets to a router, but that's another story. If you're worried, you can disable UPnP completely if you don't need it, and wait for a firmware update.
Yes, but that would, technically, not be a vulnerability in the UPNP implementation. All the boxes attached to this router are managed by me and I can (and do) update them. It's the Netgear router that is making me worried.

Furthermore, my router is EOL'ed. I do not know what exactly that implies with respect to security bugfixes. But I have the nagging feeling that this is about 'it'...
 
Old 01-30-2013, 07:17 AM   #4
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Debian
Posts: 268

Rep: Reputation: 25
Can you replace the router firmware with OpenWRT?
 
Old 01-30-2013, 07:52 AM   #5
alpha645
LQ Newbie
 
Registered: Jul 2006
Posts: 25

Original Poster
Rep: Reputation: 0
I confirmed that the board (BCM6358) is supported (it's not SMP).

Through the old docs I came here: http://wiki.openwrt.org/doc/hardware...oadcom.bcm63xx

It says that there is no ADSL support at all. Only proprietary. It mentions that Netgear released some closed code, but that probably won't work on 2.6.39. The kernel the router is running is 2.6.8.1 if I'm not mistaken.

Further digging led me to this place: https://forum.openwrt.org/viewtopic.php?id=20408 . Ergo, no DSL drivers. Bummer!

Too bad...

Last edited by alpha645; 01-30-2013 at 08:01 AM.
 