SASE ROI Calculator

SASE can save your company a lot of money. Use the industry’s-first SASE ROI calculator to quantify the cost savings you can achieve in services, asset consolidation, and labor when deploying Versa SASE.

SASE ROI Calculator

SASE can save your company a lot of money. Use the industry’s-first SASE ROI calculator to quantify the cost savings you can achieve in services, asset consolidation, and labor when deploying Versa SASE.

Top Energy Firm Achieves Comprehensive “Work-From-Anywhere” with Versa SASE

A large, publicly traded energy company operating in all areas of the oil and gas industry has dramatically simplified their network stack and realized huge cost savings with Versa SASE.

Availability and Buying Options in the Emerging SASE Market

EMA evaluates the different SASE vendors and their approaches to architecture, go-to-market, and support for their cloud-delivered and hybrid services.

Gartner Magic Quadrant for WAN Edge Infrastructure

Gartner Magic Quadrant report analyzes the various vendors in the WAN edge market and Versa is positioned as a Leader.

Versa Networks - Explained in 1 minute

Learn about the Versa Secure SD-WAN solution in a high-level, one minute overview.

Versa SASE (Secure Access Service Edge)

SASE is the simplest, most scalable way to continuously secure and connect the millions points of access in and out of the corporate resources regardless of location.

Versa Secure SD-WAN – Simple, Secure, and Reliable Branch to Multi-Cloud Connectivity

Versa Secure SD-WAN is a single software platform that offers multi-layered security and enables multi-cloud connectivity for Enterprises.

The Modern Secure
Network Blog

Research Lab

Internal Network Exposure via UPnP NAT Injection

By Winny Thomas
Principal Security Architect
December 5, 2018

Universal Plug-n-Play – (UPnP) is a suite of protocols that enables a device to discover other devices on a network, configure itself to operate in the network, and advertise its services. This allows a device to locate routers, printers and other resources on a network. UPnP runs on UDP port 1900 and communicates using SOAP messages over HTTP. The actual configuration and management interface are implemented using a SOAP-based HTTP service running over a dynamically allocated TCP port. The UPnP protocol allows management of aspects of a device’s operation to extend support by the protocol implementation on the device and its configuration. An attacker can utilize this functionality to control the behavior of devices, like routers that sit at the boundary of a network, and regulate the flow of traffic between the networks.

A device locates other UPnP capable devices on the network by sending a Simple Service Discovery Protocol (SSDP) message as shown in Figure 1. This is the SSDP M-SEARCH message which is sent to the multicast address on UDP port 1900.

Figure 1: SSDP M-SEARCH multicast message

A UPnP capable device will respond with a unicast SSDP message as shown in Figure 2. The response message, among other things, will inform the querying device of the URI on the UPnP device, which can be queried for further information. The “LOCATION” parameter in the response can be queried to gather device information, like the software type, software version, URL’s of the control interface, etc.

Figure 2: SSDP unicast response message

An attacker can use the URI in the “LOCATION” parameter to send an HTTP GET request and gather information about a device, which can affect the security of a network. The following figures show an excerpt of the HTTP Response to an HTTP GET query sent to the “LOCATOIN” URI. In the case of this device, the “ctl/IPConn” URL can be used to add new NAT rules on the device.

Figure 3: HTTP response to the query sent to the “LOCATION” URI

Private IP addresses are not routable or accessible across the Internet. Network devices, like routers, can isolate an organization’s internal network from the Internet. In scenarios like these, the internal network won’t be directly accessible from the Internet. However, if the edge router runs UPnP, and if it is misconfigured, an attacker can send SSDP requests to the interface connected to the Internet, and in turn, send configuration commands to the interface. It has been reported [1] that attackers can use UPnP to have NAT rules setup on the external interface of an edge device that redirects incoming traffic on that interface to TCP port 445, or any optional port, on internal hosts. This exposes machines on the internal network that were previously inaccessible. Exposing port 445 opens up machines on the internal network to a wide variety of SMB attacks, including the infamous EternalBlue exploit, and malware’s that employ these exploits. Figure 4 show a UPnP configuration request sent to a device that causes a NAT rule to be setup that forwards traffic arriving on the external interface to an internal host.

Figure 4: UPnP AddPortMapping request to UPnP enable device

UPnP NAT Rule Injection Prevention   

As a security best practice, it is advisable to disable UPnP on a device where it’s not needed, and in the event the service is needed, limit its exposure to internal networks. With UDP port number 1900, used by UPnP, opening on an Internet-facing interface will enable an attacker to access internal networks via injected NAT rules as shown in this blog. Versa VOS™ (formerly FlexVNF) does not have UPnP service running, and therefore, is not affected by this UPnP vulnerability. In addition, the IPS engine in Versa VOS™ (formerly FlexVNF) can detect attempts at NAT rule injection done over UPnP.