Description
A remote code execution vulnerability exploitable from the LAN side has been identified in the UPnP implementation of the Star family of Swisscom routers.
Affected Product
The following Star* platforms are affected:
- Internet Box 2, Internet Box Standard, Internet Box Plus prior to 09.04.00 (August 2018)
- Internet Box light prior to 08.05.02 (August 2018)
Vulnerability
A stack overflow in the LAN UPnP service running on UDP port 1900 of Swisscom Internet-Box devices allows remote code execution. No authentication is required to exploit this vulnerability: sending a simple UDP packet to port 1900 allows an attacker to execute code on the remote device. However, this is only possible if the attacker is inside the LAN. Because of ASLR, the success rate is not 100%; a failed attempt instead leads to a DoS of the UPnP service. The remaining functionality of the Internet Box is not affected. A reboot of the Internet Box is necessary to attempt the exploit again.
Remediation
Update the Swisscom router (Internet-Box) firmware to the most recent version. Online routers have been receiving the updated firmware since August 2018.
Milestones
2018-06-04 Details communicated to Swisscom CSIRT
2018-06-15 Vulnerability confirmed by the manufacturer
2018-07-09 Patched firmware available
2018-08-01 Start roll-out of updated firmware
2018-09-04 CVE ID requested (MITRE)
2018-10-31 Mass roll-out of updated firmware completed
2018-11-01 Advisory published