Vulnerabilities in routers keep surfacing. Three weeks ago, we learned of a vulnerability in the USB ports of many routers on the market. Now another serious vulnerability has come to light: it affects the UPnP implementation of routers and turns them into a launching pad for attacks against other devices on the network.
The vulnerability was discovered by Akamai researchers and has been dubbed Eternal Silence. The flaw allows an attacker to abuse Universal Plug and Play (UPnP) and turn a router into a proxy for launching attacks while hiding the attackers' location.

UPnP: open ports conveniently
UPnP is an optional protocol on modern routers, but most routers ship with it enabled by default for convenience. It lets the devices connected to the router, whether over WiFi or Ethernet, open ports on the router automatically, without anyone having to go into the configuration and open them manually.
However, although this is much more convenient, it also puts our security at risk, especially if the implementation is vulnerable. In this case, if a WAN connection is exposed, an attacker can remotely open ports on our router.
Akamai states that it has observed several attackers exploiting this vulnerability. Of the 3.5 million routers with UPnP that are connected, 277,000 are vulnerable to UPnProxy, the name originally given to the attack. Of those, 45,113 have already been infected by hackers.

According to Akamai, attackers are looking to exploit EternalBlue and EternalRed on Windows and Linux. Both vulnerabilities have been patched for years, but many devices are not up to date. If they are successful in carrying out the attack, they can install mining scripts, steal passwords, or install ransomware.
The code injections seek to open TCP ports 139 and 445 on devices connected to the router. Until now, NAT protected those devices from these vulnerabilities, as there was no way to reach them remotely. This attack, however, opens the door to a new wave of attacked devices.
Akamai has created a bash script to check whether we are vulnerable to the attack. If you discover a device infected by Eternal Silence, you need to reset it to its factory settings, for which it is advisable to use a paper clip to press the hidden button that routers have on the back. Only then will you be able to eliminate the infection completely. At the same time, it is advisable to check that the latest security patches are installed.
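As an added example (not Akamai's script and not code from the original article), this Python audit checks a router's UPnP port-mapping table for TCP forwards to ports 139 and 445 and, going beyond the case described above, for forwards to hosts outside the LAN, which is the proxy behaviour. The sample entries, the LAN subnet and the function names are constructed assumptions; the field names are those of the UPnP WANIPConnection `GetGenericPortMappingEntry` response.

```python
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}                          # TCP ports named in the article
LAN = ipaddress.ip_network("192.168.1.0/24")    # assumption: the router's LAN subnet

# Constructed sample: bodies of GetGenericPortMappingEntry responses.
def _entry(ext, proto, client, port):
    return (f"<r><NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>"
            f"<NewInternalClient>{client}</NewInternalClient><NewInternalPort>{port}</NewInternalPort></r>")

SAMPLE_ENTRIES = [
    _entry(51413, "UDP", "192.168.1.20", 51413),   # ordinary application mapping
    _entry(28222, "TCP", "192.168.1.35", 445),     # exposes SMB on a LAN host
    _entry(28139, "TCP", "192.168.1.35", 139),     # exposes NetBIOS session service
    _entry(40001, "TCP", "203.0.113.7", 80),       # forwards to a host outside the LAN
]

def parse_entry(xml_text):
    """Extract the audited fields from one port-mapping entry."""
    root = ET.fromstring(xml_text)
    text = lambda tag: (root.findtext(f".//{tag}") or "").strip()
    return {
        "external_port": int(text("NewExternalPort") or 0),
        "protocol": text("NewProtocol").upper(),
        "internal_client": text("NewInternalClient"),
        "internal_port": int(text("NewInternalPort") or 0),
    }

def audit_entry(entry):
    """Return the findings for one parsed mapping (empty list if clean)."""
    findings = []
    if entry["protocol"] == "TCP" and entry["internal_port"] in SMB_PORTS:
        findings.append("exposes-smb")
    try:
        if ipaddress.ip_address(entry["internal_client"]) not in LAN:
            findings.append("forwards-off-lan")
    except ValueError:                          # hostname or garbage instead of an IP
        findings.append("bad-internal-client")
    return findings

def audit(entries_xml):
    """Return (external_port, client, internal_port, findings) per suspicious entry."""
    report = []
    for entry in map(parse_entry, entries_xml):
        findings = audit_entry(entry)
        if findings:
            report.append((entry["external_port"], entry["internal_client"], entry["internal_port"], findings))
    return report
```

Calling `audit(SAMPLE_ENTRIES)` returns the three suspicious mappings; any hit on a real router is a reason to follow the reset and patching steps above.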
List of vulnerable devices
In total, there are 48 affected brands and 120 models. One of the most affected brands is ASUS, with many models that are among the best sellers on the market. For example, the RT-AC66U is an "Amazon's Choice" product, with over 900 reviews. There are also many models from D-Link, Netgear, Tenda, Ubiquiti or Zyxel, so millions of people may be affected, as these are very popular routers.

The full listing includes routers from ASUS (DSL-AC68R, DSL-AC68U, DSL-N55U), Anker (N600), Belkin (F5D8635-4 v1, F9K1113 v5), D-Link (DIR-601, DIR-615, DIR-620, DIR-825…), Edimax (3G6200N, 3G6200NL, BR-6204WG…), MSI (RG300EX, RG300EX Lite, RG300EX Lite II), NETGEAR (R2000, WNDR3700, WNDR4300v2, WNR2000v4), OpenWRT, Sitecom (WLR-7100v1002 (X7 AC1200), WLR-1000…), Ubiquiti, ZTE or ZyXel (NBG4615 Internet Sharing Gateway, NBG5715 router, X150N Internet Gateway Device…).