Archive | January, 2013

H.D. Moore Unveils Major UPnP Security Vulnerabilities

This week, H.D. Moore, the creator of Metasploit and now CSO of Rapid7, released a detailed report unveiling his team’s months-long research into the security of the Universal Plug and Play (UPnP) protocol.

If you haven’t heard of it, Universal Plug and Play (UPnP) is a set of networking protocols intended to allow network devices to automatically find one another and then communicate and share data. The protocol was designed primarily for consumers, with the intention of making it easier for non-techie people to connect network products at home. Many network devices including home routers, media servers, game consoles, and printers leverage UPnP, and most operating systems enable it by default. In Moore’s own words, it is pervasive.

Moore’s report highlights just how exposed UPnP devices are on the Internet. For over five months, the Rapid7 researchers scanned the IPv4 address space, sending SSDP discovery requests (UDP port 1900) and recording which addresses answered. To their surprise, over 81 million devices (2.2% of the IPv4 address space) responded. They also learned that the majority of these devices use one of four common UPnP development kits, and that several of those kits suffer from critical software vulnerabilities.

One of the worst vulnerabilities they found lies in the Portable UPnP SDK (libupnp). This UPnP framework suffers from a serious remote code execution vulnerability that an attacker can exploit with a single, spoofed UDP packet. Moore’s team found 23 million devices exposed to this particular flaw alone.

So what should you do to protect yourself from these potential UPnP issues?

Well, if you work for a business or large organization, there’s some good news. These issues probably don’t affect your organization on the same scale as they affect consumers. Business and enterprise class routers and network gear don’t enable UPnP services as often as consumer equipment does, and it’s unlikely that your company’s router enables UPnP on its external interface. Furthermore, if you have an enterprise class firewall or security appliance, like any of WatchGuard’s XTM appliances, it blocks inbound traffic to the UPnP discovery port (UDP 1900) by default. Unless you’ve specifically created a policy to allow UPnP traffic, you’re protected from these sorts of UPnP scans and attacks. Keep in mind that UDP 1900 only carries SSDP discovery; a device’s HTTP/SOAP control interface listens on a separate TCP port that the SSDP reply advertises, so it is your default-deny inbound policy, not a rule for port 1900 alone, that keeps that interface off the Internet. Of course, even businesses may have UPnP-enabled devices on their internal networks. Even if you are protected from external attacks, you should still consider updating or disabling your internal UPnP devices if you don’t actually use their UPnP features.

Consumers, on the other hand, will need to do more to protect themselves. Unlike enterprise equipment, consumer devices often enable UPnP. In fact, consumer routers, including ones your ISP may have provided, sometimes enable UPnP on the WAN interface. The first thing you need to do at home is find out whether your Internet router has UPnP enabled on its external interface, and then disable it. You may also need to upgrade the router’s firmware to get the latest UPnP components to fix the vulnerabilities Moore’s report describes.

Consumers should also scan their network to find all the devices that use UPnP. Rapid7 has provided a free tool called ScanNow UPnP to help with this task. Once you find all your UPnP devices, decide whether you really use their UPnP services. If not, disable them. If you do use UPnP, you may need to update the device’s software or firmware. Unfortunately, this issue affects thousands of products, and some are outdated devices that may never receive another update. It may also take a while for the affected vendors to provide updated software.
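An added example (not part of the original post and not Rapid7’s ScanNow tool) of what such a scan does: it multicasts the SSDP M-SEARCH query on UDP 1900, parses the replies, and reads each device’s SERVER banner to spot Portable UPnP SDK (libupnp) builds. The version threshold 1.6.18, the sample reply and the private addresses in it are this example’s assumptions, not figures from the report. The LOCATION header in each reply also reveals the TCP port of the device’s HTTP control interface, which is the service a block on UDP 1900 alone does not cover.

```python
"""SSDP discovery and banner triage for UPnP devices on the local network.

Sends the multicast M-SEARCH query that UPnP devices answer on UDP 1900,
parses each reply, and flags devices whose SERVER header identifies a
Portable UPnP SDK (libupnp) build older than 1.6.18. That threshold is an
assumption of this example (taken from the libupnp project's fixed release,
not from the post); other stacks are only named, not judged.
"""
import re
import socket
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
LIBUPNP_FIXED = (1, 6, 18)  # assumption: first libupnp release carrying the fix

# Matches the SDK name and version inside a SERVER header such as
# "Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6"
LIBUPNP_RE = re.compile(
    r"(?:Portable|Intel) SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

# Constructed sample reply in the format a libupnp-based router would send.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"\r\n"
)


def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build the M-SEARCH request from the UPnP Device Architecture spec."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse an 'HTTP/1.1 200 OK' SSDP reply into lower-cased headers.

    Returns None for anything else (NOTIFY announcements, truncated or
    unrelated datagrams), so a noisy LAN cannot crash the scan.
    """
    lines = raw.decode("latin-1").partition("\r\n\r\n")[0].split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def control_endpoint(headers: Dict[str, str]) -> Optional[Tuple[str, int]]:
    """Host and TCP port of the HTTP/SOAP control interface named in LOCATION.

    This is the port that a block on UDP 1900 does not cover.
    """
    url = urlsplit(headers.get("location", ""))
    if not url.hostname:
        return None
    return (url.hostname, url.port or 80)


def assess_server(server: str) -> Dict[str, object]:
    """Classify the UPnP stack named in the SERVER header.

    'known_vulnerable' is True only for libupnp builds below LIBUPNP_FIXED;
    None means the banner alone does not settle the question.
    """
    match = LIBUPNP_RE.search(server)
    if match:
        version = tuple(int(part) for part in match.groups())
        return {"sdk": "libupnp", "version": version,
                "known_vulnerable": version < LIBUPNP_FIXED}
    if "miniupnp" in server.lower():
        return {"sdk": "miniupnp", "version": None, "known_vulnerable": None}
    return {"sdk": "other", "version": None, "known_vulnerable": None}


def discover(timeout: float = 3.0) -> List[Dict[str, object]]:
    """Multicast an M-SEARCH and collect every reply until the timeout expires."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: List[Dict[str, object]] = []
    try:
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        while True:
            data, (addr, _) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers is not None:
                found.append({"ip": addr, "headers": headers,
                              "control": control_endpoint(headers),
                              "assessment": assess_server(headers.get("server", ""))})
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for dev in discover():
        print(dev["ip"], dev["control"], dev["assessment"])
```

Run it as a script on the LAN you want to inventory. A device can answer the discovery probe and still be reachable on its control port from outside, so the control endpoint in the output is the address and port to check against your firewall policy, not just UDP 1900.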

UPnP is a perfect example of how convenience and security don’t always mix. The protocol was created to make it easier for devices to connect, but unfortunately easy often translates to insecure. In this case, UPnP made it too easy for users to accidentally expose a critical network service to the public.

For more technical details on these UPnP issues and how to fix them, I highly recommend you read Rapid7’s report [PDF]. In the meantime, if you don’t specifically use UPnP, turn it off. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Support Note: Phone Maintenance Next Monday

For the readers who are also WatchGuard customers, our Support Team wanted to share this quick support note with you:

Customer alert! WatchGuard will be performing maintenance on its phone system on Monday, 4 February, 2013 at 06:00 PST (GMT -8) for approximately one hour. Customers may experience difficulty reaching our Support phone lines during that time. The WatchGuard Support website will still be fully functional, and web-based cases can be submitted at any time.

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 49 – Expelled Hacker

Red October, Cisco WLAN Updates, and Expelled Hacker

Welcome to another “on the road” edition of WatchGuard Security Week in Review, the video podcast dedicated to summarizing the biggest InfoSec stories each week. This week’s episode covers a Cisco wireless controller security update, Kaspersky’s investigation into the Red October cyber-espionage campaign, and the controversy surrounding an expelled “white hat” hacker. For more details on those stories and others, watch the short video below, or check out the Reference section for more details on any of these topics.

(Episode Runtime: 6:48)

Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 48 – 0day Updates

0Day Updates, Oracle Patches, and Mobile Botnets

Better late than never, right?

This week’s security video summary comes a tad late due to my travel schedule this week. It covers updates on the two latest zero day exploits, Oracle’s critical patch update, and stories about a mobile phone botnet and US power plant breach. Click play below to watch the short episode, or check out the References for more details.

Next week’s episode may also post at a weird time due to continued travel.

(Episode Runtime: 5:11)

Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Oracle’s January 2013 CPU Update

This week, Oracle released their quarterly Critical Patch Update (CPU) for January 2013. CPUs are collections of security updates that fix vulnerabilities across a wide range of Oracle products. This quarter’s update fixes 86 vulnerabilities in many different Oracle products and suites.

Refer to the table below for more details about the affected products and severity of the flaws:

Product or Suite                  Flaws fixed (CVEs)   Max CVSS
Database Server (and Mobile)              6              10.0
Fusion Middleware                         7               5.0
Enterprise Manager Grid Control          13               7.5
VirtualBox                                1               2.4
E-Business Suite                          9               6.4
Supply Chain Products Suite               1               2.1
MySQL                                    18               9.0
PeopleSoft Products                      12               5.5
JD Edwards Products                       1               3.5
Siebel CRM                               10               5.0
Sun Products Suite                        8               6.6

Oracle’s advisory doesn’t describe every flaw in technical detail. However, it does describe the general impact of each issue and shares a CVSS severity rating for each. While the severity of the 86 vulnerabilities differs greatly, some of them pose a critical risk.

For instance, the updates for Oracle Database Server fix vulnerabilities with a CVSS score of 10.0, the highest possible severity rating. A flaw with that score allows an unauthenticated, remote attacker to potentially gain complete control of your Oracle database server. If you manage any of the affected Oracle products, you’ll want to install the corresponding updates as soon as you can. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert. — Corey Nachreiner, CISSP (@SecAdept)

Oracle Patches Java Zero Day with Out-of-Cycle Update

Severity: High


  • These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 10 and earlier, on all platforms
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing specially crafted Java
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install JRE and JDK 7 Update 11


Java is a programming language (first implemented by Sun Microsystems) whose browser plug-in is used, among other things, to run applets embedded in web pages. Most desktop computers have a Java runtime installed to process Java code from websites and other sources, and Oracle’s Java Runtime Environment (JRE) is by far the most widely used. It is the JRE’s browser plug-in that the attacks described here target.

During last week’s WatchGuard Security Week in Review video, I warned you about a critical zero day vulnerability in the latest version of Java (JRE and JDK 7 Update 10 and earlier), which attackers are actively exploiting in the wild. If an attacker can lure you to a web site containing a malicious Java applet, he could exploit this flaw to gain complete control of your computer.

This week, Oracle released an out-of-cycle security update that fixes the zero day vulnerability, and a second one to boot. Oracle rates each of these Java vulnerabilities with a base CVSS score of 10.0, the most severe rating. The same update also raises the Java security level to High by default, so unsigned applets prompt before they run. Since attackers are exploiting these flaws very actively, and have already built them into popular web exploit frameworks, we highly recommend you apply Oracle’s emergency update immediately. In fact, if you don’t need Java, I suggest you remove it from your computer.

Solution Path:

Oracle has released JRE and JDK 7 Update 11 to correct these issues. If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.

Furthermore, attackers have heavily targeted Java lately in their exploit frameworks. If you do not need Java in your organization, I suggest you remove it.
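As an added example (not Oracle’s or WatchGuard’s code), here is a small Python check you can run across machines to find JREs still in the affected range. It parses the banner that `java -version` prints, where Oracle’s “1.7.0_10” form means Java 7 Update 10, and compares the update number against 7 Update 11. The sample banners are constructed for the example, and the script only judges the Java 7 line that this alert covers.

```python
"""Flag Java installations still exposed to the Java 7 Update 10 zero day.

Parses the banner that `java -version` prints (for example
'java version "1.7.0_10"', Oracle's "1.7.0_NN" form meaning Java 7 Update NN)
and reports whether it falls in the affected range named in the alert:
JRE/JDK 7 Update 10 and earlier. The sample banners below are constructed.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_UPDATE = 11  # Java 7 Update 11 is the release the alert names as the fix
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')

# Constructed banners in the format the JRE prints to stderr.
SAMPLE_BANNERS = {
    "oracle-7u10": 'java version "1.7.0_10"\n'
                   'Java(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "oracle-7u11": 'java version "1.7.0_11"\n'
                   'Java(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "java6": 'java version "1.6.0_38"\n',
    "no-update": 'java version "1.7.0"\n',
    "missing": "java: command not found\n",
}


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a `java -version` banner, e.g. (7, 10) for 1.7.0_10."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2) or 0)


def is_affected(version: Optional[Tuple[int, int]]) -> bool:
    """True for JRE/JDK 7 Update 10 and earlier; other majors are outside this alert."""
    if version is None:
        return False
    major, update = version
    return major == 7 and update < FIXED_UPDATE


def installed_java_version(java: str = "java") -> Optional[Tuple[int, int]]:
    """Run `java -version` (it prints to stderr) and parse it; None if Java is absent."""
    try:
        proc = subprocess.run([java, "-version"], capture_output=True,
                              text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_java_version(proc.stderr + proc.stdout)


def verdict(version: Optional[Tuple[int, int]]) -> str:
    """Human-readable result for one machine."""
    if version is None:
        return "no Java found (nothing to patch)"
    major, update = version
    if is_affected(version):
        return f"Java {major} Update {update}: AFFECTED, install 7 Update 11 or remove Java"
    return f"Java {major} Update {update}: not in the affected range"


if __name__ == "__main__":
    print(verdict(installed_java_version()))
```

Note that this only inspects the `java` binary on the PATH; a machine can carry additional JREs (an old one left behind by an upgrade, or one bundled with an application) that the browser plug-in may still use, so point the `java` argument at each installation you find.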

For All WatchGuard Users:

WatchGuard XTM appliances can help protect you from this Java vulnerability in a number of ways:

  • If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well
  • WatchGuard’s AV partner, AVG, has developed signatures to catch these zero day exploits. If you use our Gateway AntiVirus (GAV) service, it will protect you from some of these attacks.
  • WatchGuard’s signature writers have developed a generic Java signature, which should block some variants of this attack.
  • WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service both can prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.


Oracle has issued updates to correct these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


Need help with the jargon? Try the LiveSecurity Online Glossary.

Out-of-Cycle IE Patch Mends Zero Day Vulnerability


  • This vulnerability affects: Internet Explorer 6 through 8 (9 and 10 are not affected)
  • How an attacker exploits it: Usually, by enticing one of your users to visit a malicious web page
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patch immediately, or let Windows Automatic Update do it for you


In a previous post, we warned you of a zero day “use-after-free” vulnerability that affected Internet Explorer (IE) 6 through 8. By luring one of your users to a web site containing malicious code, a remote attacker could exploit the vulnerability to execute code on your computer, with your privileges. As always, if you have local administrator privileges, the attacker could exploit this issue to gain complete control of your computer. At the time, Microsoft hadn’t fixed this newly discovered flaw, but had released a FixIt that could mitigate its risk.

This week, Microsoft released an out-of-cycle security bulletin containing a full patch for this issue. Attackers are still exploiting this flaw in the wild, so it poses a significant risk. If you use IE 6, 7, or 8, you should patch IE immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from this flaw.


Microsoft has released patches to fix these vulnerabilities.


This alert was researched and written by Corey Nachreiner, CISSP.

WatchGuard Security Week in Review: Episode 47 – Piles of Patches

Critical Java 0Day, Piles of Patches, and More

Ready for a weekly dose of InfoSec? This episode has a strong “patch” theme, with many vendors releasing some big security updates this week. Besides the patches, I also cover a few new 0day exploits, including a serious Java one getting leveraged quite a bit in the wild, and a couple of crazy-sounding security-related news items. If you want all the details, click play below, or check out the Reference section.

Note: I will be traveling the next few weeks. I still plan on trying to post the weekly video, but it may be shorter, less produced, and arrive at odd hours due to travel.

(Episode Runtime: 9:17)

Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Announces Fireware XTM and WSM v11.7

Available for XTM 25/25-W/26/26-W, 3 Series, 5 Series, 8 Series, 1050 and 2050 devices

WatchGuard is excited to announce the general release of Fireware XTM and WatchGuard System Manager v11.7. Our newest XTM OS release super-charges XTM appliances with a host of enhancements and powerful new features including performance boosts, new management tools, increased BYOD security options, and much, much more.

You can install Fireware XTM OS v11.7 on XTM 25/25-W/26/26-W, 3 Series, 5 Series, 8 Series, 1050 and 2050 devices. It does not support the wired or wireless versions of XTM 21/22/23. The new features, enhancements, and bug fixes included in this release have been carefully chosen to improve the capabilities, performance, and reliability of our XTM devices.

Here are just some of the enhancements Fireware XTM 11.7 has to offer:

  • Improved UTM throughput performance numbers across the XTM product line.
  • Policy Grouping simplifies the setup and admin of larger network environments.
  • Link Aggregation combines interfaces and links for greater throughput and high availability.
  • WebBlocker can now point to the cloud, instead of requiring a server set up onsite. And the new URL database from Websense, with over 100 categories, is more accurate – especially in non-English languages.
  • The scope of central policy management has expanded to devices behind third-party network appliances.
  • L2TP VPN protocol, included natively in many different operating systems, enables more widespread VPN access.
  • WatchGuard VPN applications on iOS and Android make it easier to set up and configure VPN connectivity. Administrators can simply share configuration files by email.
  • IPv6 firewall policies expand support beyond network and routing capabilities.
  • IPS and Application Control on HTTPS policies deliver security even when traffic is encrypted, which enables granular controls on social media applications. Inspecting HTTPS content means the appliance decrypts and re-signs the traffic, so your clients must trust the certificate the HTTPS proxy uses.
  • More interoperability with different VoIP phone setup, with DHCP options for TFTP server and boot file name.
  • Rock solid reliability means no business interruptions even if failures occur. Expanded high availability features include:
    • Hardware health monitoring – Alarms are generated and proactive HA failover can be initiated when hardware failures, such as fans stopping, are detected
    • HA on wireless models – XTM 25-W/26-W/33-W
  • Full support for Windows 8 and Windows Server 2012

In addition to the features and enhancements listed above, 11.7 also includes numerous smaller enhancements, bug fixes, and improvements to the product based on customer feedback. If you manage an XTM appliance, we recommend you download and install 11.7 to enjoy its new features and zippier performance.

For more information about the feature enhancements included in Fireware XTM v11.7, see the Release Notes or What’s New in Fireware XTM v11.7 [PPT file].

Does This Release Pertain to Me?

Fireware XTM 11.7 is a feature release that also includes many other improvements. If you have an XTM 25/25-W/26/26-W, 3 Series, 5 Series, 8 Series, 1050 or 2050 device and wish to take advantage of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to version 11.7. Please read the Release Notes before you upgrade, to understand what’s involved. As always, the Release Notes contain a comprehensive list of fixed bugs and current known issues.

How Do I Get the Release?

XTM appliance owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button. If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller »

Adobe Patch Day: Reader and Flash Player Fixes

Severity: High


  • These vulnerabilities affect: Flash Player, and Reader and Acrobat (9.x, X, and XI). Adobe also warns of ColdFusion zero day exploits
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.


Today, Adobe released two security bulletins describing vulnerabilities in Flash Player, and in Reader and Acrobat.

Adobe Patch Day: January 2013

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the bulletins below:

  • APSB13-02: Multiple Reader and Acrobat  Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 27 vulnerabilities that affect Adobe Reader and Acrobat XI (11.0.0) as well as the 10.x and 9.x branches, running on Windows, Mac, and (for 9.x) Linux. Adobe’s alert only describes the flaws in minimal detail, but most of them involve memory corruption vulnerabilities, such as buffer overflows, integer overflows, use-after-free issues, and so on. For the most part, they share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit many of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

  • APSB13-01: Flash Player Buffer Overflow Vulnerability

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, the vast majority of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Flash player suffers from a buffer overflow flaw. If an attacker can lure you to a web site, or get you to open specially crafted Flash content, he could exploit this flaw to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

Aside from the Reader and Flash updates, Adobe also posted a warning about three zero day ColdFusion vulnerabilities that attackers are exploiting in the wild. Adobe has not yet released a fix for these vulnerabilities, but it does offer some mitigation techniques in its advisory. If you use ColdFusion, especially on a public web server, we recommend you implement the steps described in the “Mitigations” section of Adobe’s alert. We will let you know as soon as Adobe releases the real patch.

Solution Path:

Adobe has released updates for the Reader, Acrobat, and Flash Player versions described above. If you use any of that software, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Though our IPS and AV services may help prevent some of these attacks, or the malware they try to load, installing Adobe’s updates is your most secure course of action.


Adobe has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
