
Advisory: SSDP Vulnerability

=====================================
STEAM-ADVISORY NO. 2014080801
PURDUE UNIVERSITY SECURITY STEAM CIRT
Friday, August 8, 2014 11:00:00 EDT


==OVERVIEW==

We have received several external notices of publicly accessible devices that have the Simple Service Discovery Protocol (SSDP) running and answering queries on the Purdue network. These devices can be used to attack other organizations through Distributed Denial of Service attacks (DDoS). A remote, unauthenticated attacker may also be able to execute arbitrary code on the device or cause a denial of service to the device. To prevent the Purdue network from being a launch point for devastating attacks across the internet, we ask that you review your SSDP configuration, disable the Universal Plug and Play (UPnP) functionality on the device, or deploy firewall rules to allow only trusted hosts on inbound port 1900/udp.

==SYSTEMS AFFECTED==

Publicly accessible devices that have SSDP running and answering queries including, but not limited to:

Network Printers
IP Cameras
Storage Systems
Media Servers

==DETAILS==

Source: us-cert.gov/ncas/alerts/TA14-017A

A Distributed Reflective Denial of Service (DRDoS) attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic. Publicly accessible devices that have the Simple Service Discovery Protocol (SSDP) running and answering queries can be used to conduct such attacks towards web sites, servers, and services. These attacks can deny legitimate service to authorized users as well as cause performance side-effects for smaller networks.

UDP, by design, is a connectionless protocol that does not validate source IP addresses. Unless the application-layer protocol uses countermeasures such as session initiation, it is very easy to forge the source IP address in an IP datagram. When many UDP packets carry a source IP address forged to a single victim address, the server sends its responses to that victim, creating a reflected Denial of Service (DoS) attack.

Attacks originating from the Purdue network can lead to subnet blacklisting and harm to Purdue's reputation.

==SOLUTIONS==

Disable the Universal Plug and Play (UPnP) functionality / SSDP service on the device
-or-
Deploy firewall rules to allow only trusted hosts on inbound port 1900/udp
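The two points above, the amplification that makes an open SSDP responder useful to a reflection attacker (DETAILS) and the trusted-host allow-list on inbound 1900/udp (SOLUTIONS), worked through as an added example. This code is not part of the advisory or of any tool it references. It measures the bandwidth amplification factor from a constructed M-SEARCH request and a constructed device response, audits constructed firewall log lines (iptables LOG style) for inbound 1900/udp packets from outside a trusted network list, and renders that allow-list as iptables rules. The trusted networks, the sample packets, and the sample log lines are all assumptions made for the example.

```python
"""Added example (not part of the Purdue advisory): SSDP amplification
measurement and an allow-list audit for inbound 1900/udp traffic.
All packets and log lines below are constructed for illustration."""
import ipaddress
import re

# Constructed SSDP discovery request (M-SEARCH) in the form a client sends it.
# Header lines are CRLF-terminated and the message ends with an empty line.
SAMPLE_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\n"
    "MX: 1\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
)

# Constructed SSDP response from a device (fictional addresses and UUID).
# Real devices often answer one query with several such replies, one per
# advertised service, which is where most of the amplification comes from.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "DATE: Fri, 08 Aug 2014 15:00:00 GMT\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    "SERVER: Example/1.0 UPnP/1.1 ExampleMediaServer/2.0\r\n"
    "ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:MediaServer:1\r\n"
    "\r\n"
)


def parse_ssdp_headers(message: str) -> dict:
    """Return the header fields of an SSDP message as a dict with upper-case keys."""
    headers = {}
    for line in message.split("\r\n")[1:]:
        if not line:
            break  # the blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def amplification_factor(request: str, responses: list) -> float:
    """Bytes returned per byte sent: the bandwidth amplification factor.
    `responses` is the list of replies a single query elicits."""
    sent = len(request.encode())
    received = sum(len(r.encode()) for r in responses)
    return received / sent


# Constructed firewall log lines in iptables LOG style, using RFC 5737
# documentation addresses. 203.0.113.0/24 plays the role of the local network.
SAMPLE_LOG = """\
Aug  8 11:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.20 LEN=102 PROTO=UDP SPT=53123 DPT=1900 LEN=82
Aug  8 11:00:02 gw kernel: IN=eth0 OUT= SRC=10.20.30.40 DST=203.0.113.20 LEN=102 PROTO=UDP SPT=1900 DPT=1900 LEN=82
Aug  8 11:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=44444 DPT=80 LEN=40
Aug  8 11:00:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.21 LEN=102 PROTO=UDP SPT=9999 DPT=1900 LEN=82
"""

# Tolerant of the extra fields (TOS, TTL, ID, ...) real iptables LOG lines carry.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def untrusted_ssdp_sources(log_text: str, trusted_nets: list) -> list:
    """Return (src, dst) pairs for inbound 1900/udp packets whose source lies
    outside every trusted network: exactly the traffic the firewall rule in
    the advisory should be dropping."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "UDP" or m["dpt"] != "1900":
            continue
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in nets):
            hits.append((m["src"], m["dst"]))
    return hits


def render_iptables_rules(trusted_nets: list) -> list:
    """Render the allow-list as iptables commands: accept 1900/udp from each
    trusted network, then drop everything else to that port. The iptables
    syntax is real; the network list is the assumption."""
    rules = [f"iptables -A INPUT -p udp --dport 1900 -s {net} -j ACCEPT" for net in trusted_nets]
    rules.append("iptables -A INPUT -p udp --dport 1900 -j DROP")
    return rules


if __name__ == "__main__":
    # One query answered by three service advertisements (a common case).
    print("amplification:", round(amplification_factor(SAMPLE_MSEARCH, [SAMPLE_RESPONSE] * 3), 1))
    print("device:", parse_ssdp_headers(SAMPLE_RESPONSE)["SERVER"])
    print("untrusted sources:", untrusted_ssdp_sources(SAMPLE_LOG, ["10.0.0.0/8"]))
    print("\n".join(render_iptables_rules(["10.0.0.0/8"])))
```

The audit function is the same policy the firewall enforces, expressed as a check over logs: any hit it returns is a source that reached port 1900/udp without being on the allow-list, so running it against the logs of a gateway that already has the rules in place is a quick way to confirm they are actually taking effect.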

==FURTHER INFORMATION AND RESOURCES==

us-cert.gov/ncas/alerts/TA14-017A
www.kb.cert.org/vuls/id/922681
community.rapid7.com/docs/DOC-2150
ssdpscan.shadowserver.org

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to:
itap-securityhelp@purdue.edu.

Report computer-related abuse to STEAM-CIRT:
purdue.edu/securePurdue/incidentReportForm.cfm
purdue.edu/securepurdue/steam

Posted by ITSP on August 08, 2014, in Advisory Alerts.