CVE-2021-29462

7.6 HIGH

📋 TL;DR

CVE-2021-29462 is a DNS rebinding vulnerability in the Portable SDK for UPnP Devices (libupnp) that allows attackers to bypass same-origin policy restrictions by manipulating DNS responses. This affects applications using vulnerable versions of the pupnp library to implement UPnP functionality. Attackers could potentially access or control UPnP devices from malicious web pages.

💻 Affected Systems

Products:
  • Portable SDK for UPnP Devices (libupnp)
  • Applications using libupnp for UPnP functionality
Versions: Before 1.14.6
Operating Systems: All platforms running vulnerable libupnp versions
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the vulnerable libupnp library for UPnP server functionality is affected. The vulnerability is in the server component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could gain unauthorized access to UPnP-enabled devices on the local network, potentially allowing them to modify network configurations, access sensitive device information, or perform other unauthorized actions.

🟠 Likely Case

Malicious websites could interact with UPnP devices on visitors' local networks, potentially discovering internal devices or performing limited unauthorized actions.

🟢 If Mitigated

With proper DNS resolver protections and network segmentation, the attack surface is significantly reduced, though the vulnerability still exists in the software.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

DNS rebinding attacks require specific conditions but are well-understood attack vectors. Proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.14.6 and later

Vendor Advisory: https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg

Restart Required: Yes

Instructions:

1. Identify applications using libupnp.
2. Update libupnp to version 1.14.6 or later.
3. Recompile applications if using static linking.
4. Restart affected services or applications.

🔧 Temporary Workarounds

DNS Resolver Protection (all platforms)

Configure DNS resolvers to block DNS rebinding attacks

# For dnsmasq: add 'stop-dns-rebind' to configuration
# For Unbound: set 'private-address' for internal ranges; use 'private-domain' only for names that must resolve to them

Network Segmentation (all platforms)

Isolate UPnP devices from untrusted networks

🧯 If You Can't Patch

  • Implement DNS resolver protections that block DNS rebinding attacks
  • Network segmentation to isolate UPnP devices from potentially malicious traffic sources

🔍 How to Verify

Check if Vulnerable:

Check libupnp version: ldd /path/to/application | grep libupnp, then check version with upnp-config --version or similar

Check Version:

upnp-config --version || strings /path/to/libupnp.so | grep 'libupnp'

Verify Fix Applied:

Verify libupnp version is 1.14.6 or higher: upnp-config --version

📡 Detection & Monitoring

Log Indicators:

  • Unusual UPnP requests from external IPs
  • Multiple DNS queries for the same domain with different IPs

Network Indicators:

  • DNS queries followed by HTTP requests to resolved IPs from browser contexts
  • UPnP M-SEARCH or other UPnP traffic from unexpected sources

SIEM Query:

source_ip IN (external_ips) AND dest_port=1900 AND protocol=UDP
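
An added example (not from the advisory or the pupnp project) of the "multiple DNS queries for the same domain with different IPs" log indicator: it scans resolver answer logs for a name that returns an external address and then, within a short window, an internal address to the same client. The log format, field order, the 60-second window and the sample lines are assumptions constructed for illustration; only IPv4 is handled.

```python
import ipaddress

# Internal IPv4 ranges a rebinding answer would point at (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log, assumed format: "<epoch> <client> <qname> <answer_ip> <ttl>"
SAMPLE_LOG = """\
1700000000 192.168.1.50 cdn.example.net 93.184.216.34 300
1700000100 192.168.1.50 rebind.example.org 203.0.113.10 1
1700000103 192.168.1.50 rebind.example.org 192.168.1.1 1
1700000200 192.168.1.77 nas.home.example 192.168.1.20 3600
1700000900 192.168.1.51 slow.example.com 198.51.100.7 60
1700009000 192.168.1.51 slow.example.com 10.0.0.5 60
not a valid log line
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinding(log_text, window=60):
    """Return answers where a name flipped from external to internal within `window` seconds."""
    last_external = {}  # (client, qname) -> (timestamp, external_ip)
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line
        try:
            ts, ttl = int(parts[0]), int(parts[4])
            internal = is_internal(parts[3])
        except ValueError:
            continue  # non-numeric field or unparsable address
        key = (parts[1], parts[2].lower().rstrip("."))
        if not internal:
            last_external[key] = (ts, parts[3])
            continue
        prev = last_external.get(key)
        if prev and ts - prev[0] <= window:
            findings.append({"client": key[0], "qname": key[1], "external": prev[1],
                             "internal": parts[3], "gap_s": ts - prev[0], "ttl": ttl})
    return findings

if __name__ == "__main__":
    for hit in find_rebinding(SAMPLE_LOG):
        print(hit)
```

Names that legitimately resolve to internal addresses only, such as the `nas.home.example` line, are not flagged because no external answer precedes them.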
