Security-relevant releases for GUPnP issue CVE-2021-33516

jensgeorg · May 24, 2021, 9:43am

Hello,

I just released GUPnP 1.0.7 and GUPnP 1.2.5 which contain an important fix for a potential DNS rebind attack.

A malicious website could trick UPnP services implemented with GUPnP to react to requests coming from that website, leading to e.g. data exfiltration or unwanted or harmful remote calls from said website

Upgrading is strongly recommended.

The relevant commits are
service: Validate host header (ca6ec9dc) · Commits · GNOME / gupnp · GitLab and service: Validate host header (05e964d4) · Commits · GNOME / gupnp · GitLab.

Note: This fix might cause compatibility issues with older broken UPnP clients. CVE id for this is currently pending assignment.

Mitigation: Using a DNS resolver that prevents DNS rebinding

jensgeorg · May 24, 2021, 2:25pm

I accidentally made GUPnP depend on the unreleased 1.2.4 version of GSSDP. This is not necessary, it works fine with 1.2.3.

jensgeorg · May 24, 2021, 2:43pm

I rolled a 1.2.6 with lowered dependencies, sorry again.

system · June 7, 2021, 2:43pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.