Product: Swisscom Internet-Box
Found: 04.06.2018
Published: 01.11.2018
CVE: CVE-2018-16596
CVSS 3.0: 7.5
CVSS 2.0: 8.3

Description

A remote code execution vulnerability exploitable from the LAN side has been identified in the UPnP implementation of the Star family of Swisscom routers.

Affected Product
The following Star* platforms are affected:
- Internet Box 2, Internet Box Standard, Internet Box Plus prior to 09.04.00 (August 2018)
- Internet Box light prior to 08.05.02 (August 2018)

Vulnerability

A stack overflow in the LAN UPnP service running on UDP port 1900 of Swisscom Internet-Box devices allows remote code execution. No authentication is required to exploit this vulnerability. Sending a simple UDP packet to port 1900 will allow an attacker to execute code on a remote device. However, this is only possible if the attacker is inside the LAN. Because of ASLR, the success rate is not 100%; a failed attempt leads instead to a DoS of the UPnP service. The remaining functionality of the Internet Box is not affected. A reboot of the Internet Box is necessary to attempt the exploit again.


Remediation

Update the Swisscom router (Internet-Box) firmware to the most recent version. Online routers have been receiving the updated firmware since August 2018.


Milestones

2018-06-04   Details communicated to Swisscom CSIRT
2018-06-15   Vulnerability confirmed by the manufacturer
2018-07-09   Patched firmware available
2018-08-01   Start roll-out of updated firmware
2018-09-04   CVE ID requested (MITRE)
2018-10-31   Mass roll-out of updated firmware completed
2018-11-01   Advisory published