Voyager18 (research)

How to fix the returning CVE-2013-0229 & CVE-2012-5958

CVE-2013-0229 and CVE-2012-5958 have recently reappeared on the radar of cybersecurity professionals. Here, we cover what they are, and how to fix them.

Orani Amroussi | October 04, 2021

There’s a saying: “Everything old is new again.” That may be fine when it comes to fashion and nostalgic movies, but when it comes to “vintage” vulnerabilities, the situation can quickly become dangerous. When a vulnerability like CVE-2013-0229 or CVE-2012-5958 goes unremediated for an extended period of time, sometimes it can be forgotten entirely, or postponed until some later date that is not clearly defined. 

In fact, over half of the vulnerabilities exploited are over a year old, with many attackers taking advantage of the fact that a significant segment of the corporate and private world doesn’t have a comprehensive risk remediation plan in place.

Old vulnerabilities are notoriously easy to exploit, even for relatively unskilled attackers, since proofs of concept are widely available. According to search engine rankings, two very old vulnerabilities, CVE-2013-0229 and CVE-2012-5958, have been very frequently searched in Q3 2022.

As part of Vulcan Cyber’s commitment to improving the security landscape—in large part through Vulcan Remedy Cloud, the world’s largest free and curated database of reliable vulnerability solutions—let’s take a look at what these old vulnerabilities have in common and share what you can do to make sure your organization won’t be affected by either of these commonly searched vulnerabilities. 

What are the CVE-2013-0229 & CVE-2012-5958 vulnerabilities?

CVE-2013-0229 and CVE-2012-5958 are vulnerabilities in open-source universal plug-and-play (UPnP) libraries. CVE-2013-0229 is a vulnerability of MiniUPnP, while CVE-2012-5958 is a vulnerability in libupnp.

Both MiniUPnP and libupnp are APIs that—as the name suggests—allow networked devices to connect and communicate easily. For instance, UPnP can allow printers to join a network and offer connections to any other devices within that network. This is very convenient for accessing shared services, but it comes with a downside.

Many experts insist that UPnP is insecure by its very nature—by allowing devices to connect without authentication, you are essentially creating weak spots within your network where users can bypass authentication controls. Depending on how UPnP devices are configured, they may allow lateral movement within your network, letting attackers reach multiple endpoints once they have gained access to a single one.

Other experts disagree, claiming that well-configured UPnP is very secure and can only be exploited once malware is already active on your network—meaning UPnP is not the root of the problem.

The CVE-2013-0229 vulnerability allows attackers, once inside the network, to initiate a denial of service (DoS) attack on another device within the network, potentially crashing the device. The CVE-2012-5958 vulnerability allows attackers to cause a buffer overflow by passing commands to a networked device. This gives access to unauthorized memory locations, potentially allowing them to execute arbitrary code, corrupt memory, cause crashes, or even access sensitive information.

Given the years of these vulnerabilities—2013 and 2012—they are nothing new. So why has there been a renewed surge of interest in these issues, and are these vulnerabilities still relevant for your business? Let’s find out.

Do they affect me?

These two vulnerabilities could affect you if you have any devices using MiniUPnPd or libupnp.

Of the two, MiniUPnPd is perhaps the more common. It is a lightweight UPnP daemon that has been implemented in a massive range of network address translation (NAT) devices, particularly routers. The CVE-2013-0229 vulnerability affects all versions of MiniUPnPd up to and including 1.4. According to the CERT organization, many vendor products have been identified as using MiniUPnPd, including Netgear, Belkin, and other manufacturers. Please consult the full list of vendors and products to determine if your devices could be affected.

The second library, libupnp (which was originally known as Intel SDK for UPnP Devices), is also found in a wide range of products. The CVE-2012-5958 vulnerability and similar vulnerabilities affect all versions of libupnp up to and including 1.6.17. According to the CERT organization, over 200 vendor products have been identified as using libupnp, including DLink, Cisco, and other manufacturers. Please consult the full list of vendors and products to determine if your devices could be affected.

Have they been actively exploited in the wild?

These two vulnerabilities were discovered by malware researchers and there has been no known exploit in the wild. Nevertheless, proofs of concept and exploits for both are freely available to the public. Other vulnerabilities in UPnP have been exploited in the wild, often to devastating effect. Conficker (aka Downadup) is an old worm (ca. 2009) that takes advantage of UPnP to bypass firewalls and home router security. A similar worm made headlines in 2017, again taking advantage of UPnP to open ports to unauthorized internet connections.

As long as UPnP vulnerabilities are not remediated, your systems are at risk.

How do I remediate CVE-2013-0229 & CVE-2012-5958?

To remediate the CVE-2013-0229 vulnerability:

  • Consult the full list of vendors and products at the CERT site to determine which of your devices are potentially affected.
  • Ensure that all devices using MiniUPnPd have been updated to version 1.8.20141022 or later.
  • Block traffic from untrusted hosts on UDP port 5351, since this port is associated with network address translators (NAT), a common source of attacks.

To remediate the CVE-2012-5958 vulnerability:

  • Consult the full list of vendors and products at the CERT site to determine which of your devices are potentially affected.
  • Ensure that all affected devices have been updated to libupnp 1.6.18 or later.
  • Block traffic from untrusted hosts on UDP port 1900, since this port is associated with buffer overflow attacks that make use of this vulnerability.
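The version thresholds above (MiniUPnPd up to and including 1.4, fixed in 1.8.20141022; libupnp up to and including 1.6.17, fixed in 1.6.18) can be checked against what each device itself advertises. UPnP devices answer SSDP M-SEARCH discovery with an HTTP-style response whose SERVER header names the stack and its version (MiniUPnPd announces itself as `MiniUPnPd/<version>`, libupnp as `Portable SDK for UPnP devices/<version>`). The following inventory helper is an added example, not Vulcan Cyber's or either project's code: it parses such responses, compares the advertised version with the affected ranges from the two remediation lists, and reports which hosts still need the listed fix version. The responses and the 192.0.2.x addresses are constructed sample data, not captures from real devices; on a live network you would feed it the responses collected by your own discovery tooling.

```python
"""Flag UPnP responders still running the MiniUPnPd / libupnp builds
affected by CVE-2013-0229 and CVE-2012-5958, from their SSDP SERVER header.
Added example for this article; not code from Vulcan Cyber, MiniUPnP or libupnp.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Affected ranges and fix versions as stated in the remediation lists above:
# product token in the SERVER header -> (highest affected version, CVE, fixed-in)
AFFECTED = {
    "MiniUPnPd": ((1, 4), "CVE-2013-0229", "1.8.20141022"),
    "Portable SDK for UPnP devices": ((1, 6, 17), "CVE-2012-5958", "1.6.18"),
}

# Product token followed by "/" and a dotted numeric version, e.g. "MiniUPnPd/1.4"
_TOKEN_RE = re.compile(r"(MiniUPnPd|Portable SDK for UPnP devices)/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "1.8.20141022" into (1, 8, 20141022) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def server_header(response: str) -> Optional[str]:
    """Return the SERVER header value from an SSDP/HTTP response, or None."""
    for line in response.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


@dataclass
class Finding:
    host: str
    product: str
    version: str
    cve: str
    fix_version: str


def assess(host: str, response: str) -> Optional[Finding]:
    """Return a Finding if the responder advertises an affected build, else None."""
    header = server_header(response)
    if header is None:
        return None
    match = _TOKEN_RE.search(header)
    if match is None:
        return None  # some other UPnP stack; not covered by these two CVEs
    product, version = match.group(1), match.group(2)
    highest_affected, cve, fix_version = AFFECTED[product]
    if parse_version(version) <= highest_affected:
        return Finding(host, product, version, cve, fix_version)
    return None


def scan_responses(responses: Dict[str, str]) -> List[Finding]:
    """Assess every (host, response) pair and keep only the affected ones."""
    findings = []
    for host, response in responses.items():
        finding = assess(host, response)
        if finding is not None:
            findings.append(finding)
    return findings


def _ssdp(server: str, location: str) -> str:
    """Build a constructed SSDP M-SEARCH response carrying the given SERVER value."""
    return ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: upnp:rootdevice\r\n"
            f"SERVER: {server}\r\nLOCATION: {location}\r\n\r\n")


# Constructed sample responses (documentation addresses, not real devices).
SAMPLE_RESPONSES = {
    "192.0.2.10": _ssdp("Linux/2.6 UPnP/1.0 MiniUPnPd/1.4", "http://192.0.2.10:5000/rootDesc.xml"),
    "192.0.2.11": _ssdp("Linux/3.10 UPnP/1.1 MiniUPnPd/1.8.20141022", "http://192.0.2.11:5000/rootDesc.xml"),
    "192.0.2.12": _ssdp("Linux/3.x, UPnP/1.0, Portable SDK for UPnP devices/1.6.17", "http://192.0.2.12:49152/desc.xml"),
    "192.0.2.13": _ssdp("Linux/3.x, UPnP/1.0, Portable SDK for UPnP devices/1.6.18", "http://192.0.2.13:49152/desc.xml"),
    "192.0.2.14": _ssdp("ExampleOS/1.0 UPnP/1.0 ExampleStack/2.0", "http://192.0.2.14:8080/desc.xml"),
}

if __name__ == "__main__":
    for f in scan_responses(SAMPLE_RESPONSES):
        print(f"{f.host}: {f.product}/{f.version} affected by {f.cve}; update to {f.fix_version} or later")
```

The comparison is a plain tuple comparison, so a date-stamped MiniUPnPd release such as 1.8.20141022 sorts above 1.4 without any special casing. Treat the report as a starting point rather than a verdict: vendors sometimes rebuild these libraries under their own SERVER strings, so a device that is not flagged here still belongs on the CERT vendor list check in the first step of each list.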

General mitigation steps:

  • Disable UPnP on all devices where it is not absolutely necessary, particularly routers with access to the open internet.
  • Follow best practices such as disabling guest accounts, requiring authentication for access to sensitive data, and implementing other measures such as Zero Trust to harden your network.
