Changeset b305eb5b7 in mythtv

Timestamp:

Oct 17, 2014, 4:32:02 PM (10 years ago)

Author:

Stuart Morgan <smorgan@…>

Branches:

fixes/0.27

Children:

c4de5c5e17

Parents:

e830993e8

git-author:

Stuart Morgan <smorgan@…> (10/17/14 16:32:02)

git-committer:

Stuart Morgan <smorgan@…> (10/17/14 18:18:22)

Message:

Security: Disallow SSDP device discovery from non-local addresses.

Protection against MythTV's use in SSDP Reflection attacks.

​https://www.prolexic.com/knowledge-center-ddos-threat-advisory-ssdp-reflection-ddos-attacks.html
​https://www.prolexic.com/kcresources/prolexic-threat-advisories/prolexic-threat-advisory-ssdp-reflection-ddos-attacks/ssdp-reflection-attacks-cybersecurity-locked.html

No CVE assigned yet.

(cherry picked from commit 52cb0b5679a5b20a55ba5cbe6b1064b72c66576f)

File:

• mythtv/libs/libmythupnp/ssdp.cpp (modified) (2 diffs)

mythtv/libs/libmythupnp/ssdp.cpp

@@ -315 +315 @@
 void SSDP::ProcessData( MSocketDevice *pSocket )
 {
+    QHostAddress  peerAddress = pSocket->peerAddress();
+    quint16       peerPort    = pSocket->peerPort   ();
+
+    // Mitigate against SSDP Reflection DDOS attacks
+    // Disallow device discovery from non-local addresses
+    // Security Advisory (Akamai):
+    // https://www.prolexic.com/kcresources/prolexic-threat-advisories/prolexic-threat-advisory-ssdp-reflection-ddos-attacks/ssdp-reflection-attacks-cybersecurity-locked.html
+    // https://www.prolexic.com/knowledge-center-ddos-threat-advisory-ssdp-reflection-ddos-attacks.html
+    //
+    // TODO: We may want to restrict this to the same subnet as the server
+    //       for added security
+    if (((peerAddress.protocol() == QAbstractSocket::IPv4Protocol) &&
+            (!peerAddress.isInSubnet(QHostAddress("172.16.0.0"), 12) &&
+            !peerAddress.isInSubnet(QHostAddress("192.168.0.0"), 16) &&
+            !peerAddress.isInSubnet(QHostAddress("10.0.0.0"), 8))) ||
+        ((peerAddress.protocol() == QAbstractSocket::IPv6Protocol) &&
+            !peerAddress.isInSubnet(pSocket->address(), 64))) // default subnet size is assumed to be /64
+    {
+        LOG(VB_GENERAL, LOG_CRIT, QString("SSDP Request from WAN IP "
+                                            "address (%1). Possible SSDP "
+                                            "Reflection attempt. Ignoring as "
+                                            "security risk.")
+                                                .arg(peerAddress.toString()));
+        pSocket->readAll(); // Discard the data in the socket buffer
+        return;
+    }
+
     QByteArray buffer;
     long nBytes = 0;
@@ -366 +393 @@
             continue;
 
-        QHostAddress  peerAddress = pSocket->peerAddress();
-        quint16       peerPort    = pSocket->peerPort   ();
-
         // ------------------------------------------------------------------
         QString     str          = QString(buffer.constData());