PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2013-01
* Released on: 5 April 2013
* Affected product: Broadcom UPnP daemon on Linksys WRT54GL (v 4.30.16)
* Impact: denial of service
* Origin: specially crafted UPnP requests
* CVSS Base Score: 7.8
    Impact Subscore: 6.9
    Exploitability Subscore: 10
  CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)

Summary
-------

The Broadcom UPnP daemon used in the Linksys WRT54GL wireless router
suffers from an out-of-bounds write vulnerability that allows an
attacker to crash the daemon remotely without authentication. The
vulnerability may also affect other devices and alternative firmwares
that use the same UPnP daemon.

The soap_action() method of the UPnP daemon copies an incoming SOAP
request to a buffer with a fixed size of 8000 bytes. If the incoming
request is larger than 8000 bytes, the copy writes past the end of the
buffer, which can crash the UPnP daemon.

The Linksys WRT54GL UPnP daemon has the buffer allocated in the bss
segment. Because the buffer is followed only by a variable that is used
solely during initialization, the vulnerability is unlikely to have any
impact other than a denial of service. However, remote code execution
may be possible on other affected devices or alternative firmwares.

Solution
--------

No patch is currently available. Disable the UPnP daemon on affected
devices.

References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2013-01.txt

Contact
-------

PRE-CERT can be reached at precert@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.
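
Added example (not part of the PRE-CERT advisory and not Broadcom's code): the unchecked copy described in the Summary next to a bounds-checked form that rejects oversized requests before copying. The function names, the struct layout, the sentinel value and the HTTP status codes are assumptions; only the 8000-byte buffer size comes from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define SOAP_BUF_SIZE 8000            /* fixed size stated in the advisory */

/* Assumed layout: request buffer followed by one variable, as on the WRT54GL. */
static struct {
    char buf[SOAP_BUF_SIZE];
    unsigned int init_only;           /* stand-in for the adjacent variable */
} state = { {0}, 0x5a5a5a5au };       /* constructed sentinel value */

/* Pattern the advisory describes: the request length is never compared
 * with the buffer size. Shown for contrast; never called here. */
void store_request_unchecked(const char *req, size_t len)
{
    memcpy(state.buf, req, len);      /* out-of-bounds write if len > 8000 */
}

/* Hardened form: returns an HTTP status (assumed mapping). Oversized
 * requests are rejected before a single byte is copied. */
int store_request_checked(const char *req, size_t len)
{
    if (req == NULL)
        return 400;
    if (len >= SOAP_BUF_SIZE)         /* keep one byte for the terminator */
        return 413;                   /* Request Entity Too Large */
    memcpy(state.buf, req, len);
    state.buf[len] = '\0';
    return 200;
}

unsigned int adjacent_value(void) { return state.init_only; }
size_t stored_length(void) { return strlen(state.buf); }

int main(void)
{
    static char big[9000];            /* constructed oversized request body */
    const char ok[] = "<s:Envelope></s:Envelope>";  /* constructed sample */

    memset(big, 'A', sizeof big);
    printf("small: %d\n", store_request_checked(ok, sizeof ok - 1));
    printf("oversized: %d\n", store_request_checked(big, sizeof big));
    printf("adjacent intact: %d\n", adjacent_value() == 0x5a5a5a5au);
    return 0;
}
```

The length passed in must be the number of bytes actually received, not a value taken from a request header.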