In a security advisory, Cisco has informed users that a vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

Normally we’d say “patch now”, but you can’t, and you’ll never be able to because a patch isn’t coming.

CVE-2021-34730

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed under CVE-2021-34730. As a result of improper validation of incoming UPnP traffic an attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device.

A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system, or cause the device to reload, resulting in a DoS condition. “Executing arbitrary code as the root user” is tantamount to “do whatever they like”, which is bad. A CVSS score of 9.8 out of 10 bad. (CVSS can help security teams and developers prioritize threats and allocate resources effectively.)

UPnP

Universal Plug and Play (UPnP) is a set of networking protocols that permit networked devices, like routers, to seamlessly discover each other’s presence on a network and establish functional network services.

From that description alone it should be clear that, from a security point of view, this protocol has no place on an Internet-facing device. Once you have set up your connections to the internal devices there is no reason to leave UPnP enabled. There are plenty of reasons to disable it.

A lot of the problems associated with UPnP-based threats can be linked back to security issues during implementation. Router manufacturers historically have not been very good at securing their UPnP implementations, which often leads to the router not checking input properly. Which is exactly what happened here. Again.

And then there are vulnerabilities in UPnP itself. The most famous one probably is CallStranger, which was caused by the Callback header value in UPnP’s SUBSCRIBE function that can be controlled by an attacker and enables a vulnerability which affected millions of Internet-facing devices.

That particular vulnerability should have been patched by most vendors by now by the way. But CVE-2021-34730 won’t be, here’s why…

No patch

The affected routers have entered the end-of-life process and so Cisco has not released software updates to fix the problem. According to the security advisory, it seems they have no plans to do so either:

“Cisco has not released and will not release software updates to address the vulnerability described in this advisory.” Cisco also says it is not aware of any malicious use of the vulnerability.

Since there are no workarounds that address this vulnerability, the only choice that administrators have is to disable the affected feature (UPnP). Or buy a new router. Since the routers won’t receive any updates for issues in future either, we suggest you do both: Disable UPnP now, and buy a new router soon.

Mitigation

For owners of the affected routers it is particularly important to check that UPnP is disabled both on the WAN and the LAN interface. The WAN interface is set to off by default but that doesn’t mean it hasn’t been changed since. The LAN interface is set to on by default and needs to be turned off. Cisco advises that to disable UPnP on the LAN interface of a device, you do the following:

  • Open the web-based management interface and choose Basic Settings > UPnP.
  • Check the Disable check box.

It is important to disable UPnP on both interfaces because that is the only way to eliminate the vulnerability.

Stay safe, everyone!