Gargoyle Forum

Hi all,

Recently I've been reading a couple of alarming messages about a widespread UPnP vulnerability.
See here:
https://community.rapid7.com/community/ ... -dont-play

What I'm wondering about; is Gargoyle (running version 1.4.7. firmware on my NetGeart WNDR3700v2 here) vulnerable to this too? Or has this been plugged already?

Urgje

OpenWRT and Gargoyle use miniupnpd v1.6. According to the Rapid7 and this thread http://www.linuxquestions.org/questions ... 175447803/ all security holes in miniupnpd were fixed by v1.4.

So I am not thinking there is a problem with modern versions of Gargoyle. Perhaps someone else would care to comment if they think I am wrong.

But Gargoyle users should be aware the security holes in upnp are found from time to time and as such it is not favored by the most security conscious of IT professionals. If this is the most recent on then the last security hole found in miniupnpd was in 2009. I wish the rest of our software could say the same.

UPNP is disabled by default in Gargoyle and users will need to make up their own minds about whether to enable it or not.

In my view this is a case study in why you should use open source firmware on your router. As mentioned in the report most stock firmware is no longer being updated so if you have a router with a vulnerability you are simply stuck unless you can install something like Gargoyle on it to close the hole.

Thanks for the post, it reminds everyone to be vigilant.

Hi pbix,

Thanks for taking the time for your extensive reply.

Good to hear (and see from running the UPnP Exposure Test on GRC.com [https://www.grc.com/x/ne.dll?rh1dkyd2]) that Gargoyle and the version of miniupnp it is running, are safe.

And about everyone once more learning to be vigilant. Security begins and ends with the user, I always teach people.