92849

GLSA-201701-52

https://sourceforge.net/p/pupnp/bugs/133/

https://sourceforge.net/p/pupnp/code/ci/master/tree/ChangeLog

DSA-3736

https://www.tenable.com/security/research/tra-2017-10

- miniserver: fix binding to ipv6 link-local addresses

  - Fix out-of-bound access in create_url_list()     (CVE-2016-8863)

  - If the error or info log files can not be created, use     stderr and stdout instead.

  - SF Bug Tracker #132 CVE-2016-6255: write files via POST

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update to libupnp 1.6.21 fixes the following security issues :

  - various string handling issues (bsc#898167)

  - CVE-2016-8863: out-of-bounds access (bsc#1006256)

  - CVE-2016-6255: fix for file write via POST (bsc#989948)

The remote host is affected by the vulnerability described in GLSA-201701-52 (libupnp: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libupnp. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attack could arbitrarily write files to a users file system,       cause a Denial of Service condition, or execute arbitrary code.
  Workaround :

    There is no known workaround at this time.

Matthew Garett reports :

Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem.
Seriously. Find a device running a libupnp based server (Shodan says there's rather a lot), and POST a file to /testfile. Then GET /testfile ... and yeah if the server is running as root (it is) and is using / as the web root (probably not, but maybe) this gives full host fs access.

Scott Tenaglia reports :

There is a heap buffer overflow vulnerability in the create_url_list function in upnp/src/gena/gena_device.c.

Two vulnerabilities were discovered in libupnp, a portable SDK for UPnP devices.

  - CVE-2016-6255     Matthew Garret discovered that libupnp by default allows     any user to write to the filesystem of the host running     a libupnp-based server application.

  - CVE-2016-8863     Scott Tenaglia discovered a heap buffer overflow     vulnerability, that can lead to denial of service or     remote code execution.

Scott Tenaglia discovered a heap-based buffer overflow in libupnp4, a portable SDK for UPnP Devices. That can lead to denial of service or remote code execution.

For Debian 7 'Wheezy', these problems have been fixed in version 1.8.0~svn20100507-1.2+deb7u1.

We recommend that you upgrade your libupnp4 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Scott Tenaglia discovered a heap-based buffer overflow in libupnp, a portable SDK for UPnP Devices. That can lead to denial of service or remote code execution.

For Debian 7 'Wheezy', these problems have been fixed in version 1:1.6.17-1.2+deb7u2.

We recommend that you upgrade your libupnp packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
101590	Fedora 26 : libupnp (2017-23535a31f8)	Nessus	Fedora Local Security Checks	critical
100612	openSUSE Security Update : libupnp (openSUSE-2017-650)	Nessus	SuSE Local Security Checks	critical
97702	Fedora 24 : libupnp (2017-3bd0b2e2c0)	Nessus	Fedora Local Security Checks	critical
97674	Fedora 25 : libupnp (2017-2c29702300)	Nessus	Fedora Local Security Checks	critical
96687	GLSA-201701-52 : libupnp: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
96163	FreeBSD : upnp -- multiple vulnerabilities (244c8288-cc4a-11e6-a475-bcaec524bf84)	Nessus	FreeBSD Local Security Checks	critical
96015	Debian DSA-3736-1 : libupnp - security update	Nessus	Debian Local Security Checks	critical
96009	Debian DLA-748-1 : libupnp4 security update	Nessus	Debian Local Security Checks	critical
96008	Debian DLA-747-1 : libupnp security update	Nessus	Debian Local Security Checks	critical

CVE-2016-8863

CRITICAL

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical