HTTP being exposed via UPNP

imilne
Posts: 13
Joined: 31 May 2023, 05:50

Re: HTTP being exposed via UPNP

Post by imilne »

Just wondering how things are going on investigating this issue?
TMzethar
TerraMaster Team
Posts: 1128
Joined: 27 Oct 2020, 16:43

Re: HTTP being exposed via UPNP

Post by TMzethar »

We have identified the problem and are working on resolving it. Please wait for future version updates.
To contact our team, please send an email to the following addresses; remember to replace (at) with @:
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
imilne
Posts: 13
Joined: 31 May 2023, 05:50

Re: HTTP being exposed via UPNP

Post by imilne »

Thanks for the update, and looking forward to the patch.
imilne
Posts: 13
Joined: 31 May 2023, 05:50

Re: HTTP being exposed via UPNP

Post by imilne »

I noticed this was marked as potentially fixed in 5.1.40 ("Fixed the issue with UPnP port mapping") but I've waited a few versions before updating, and I'm not on 5.1.79.

It's still not fixed from what I can tell, and TOS is requesting port 5443 to be opened. I've tested and confirmed it's accessible from anywhere.

I'll continue to block with a custom miniupnp rule, but this should not be happening - unless there's a toggle setting for it somewhere in the UI that I've not come across yet.
imilne
Posts: 13
Joined: 31 May 2023, 05:50

Re: HTTP being exposed via UPNP

Post by imilne »

That should have said "I'm *now* on 5.1.79"
TMzethar
TerraMaster Team
Posts: 1128
Joined: 27 Oct 2020, 16:43

Re: HTTP being exposed via UPNP

Post by TMzethar »

The problem has been fixed. Your router may have cache issues that affect its actual performance. Please restart the router to clean them up.
imilne
Posts: 13
Joined: 31 May 2023, 05:50

Re: HTTP being exposed via UPNP

Post by imilne »

Sorry, I have to disagree.

My router (a pi4 running Ubuntu) uses miniupnpd for handling UPnP requests, so it's very easy to see the requests being made, and/or to restart either the pi or the service if I want to start clean.

Active requests are stored in /var/log/upnp.leases and here's a snippet prior to booting the NAS:

Code:

UDP:2003:192.168.0.7:2003:1698518341:DemonwarePortMapping
UDP:2005:192.168.0.8:2005:1698585895:DemonwarePortMapping
UDP:50804:192.168.0.33:50804:1698657834:Teredo 192.168.0.33:50804->50804 UDP

The NAS - using 192.168.0.98 is then booted, and the following will appear:

Code:

TCP:5443:192.168.0.98:5443:1699097725:http_ssl

A simple test (eg via a phone on 4G) proves it's visible from external IPs.

As I said, I can block this using miniupnpd, but I shouldn't have to.

Code:

deny 0-65535 192.168.0.98/32 0-65535
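
The lease check described in the post above, as an added example that is not part of the original thread: it parses lines in the `/var/log/upnp.leases` layout shown there and evaluates each mapping against rules written like the posted `deny` line. The field layout is inferred from the snippet, the first-match and default-allow behaviour are assumptions, and all function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

# Lease lines and the deny rule are copied from the post above.
SAMPLE_LEASES = """\
UDP:2003:192.168.0.7:2003:1698518341:DemonwarePortMapping
UDP:2005:192.168.0.8:2005:1698585895:DemonwarePortMapping
UDP:50804:192.168.0.33:50804:1698657834:Teredo 192.168.0.33:50804->50804 UDP
TCP:5443:192.168.0.98:5443:1699097725:http_ssl
"""
SAMPLE_RULES = ["deny 0-65535 192.168.0.98/32 0-65535"]

class Lease(NamedTuple):
    proto: str
    ext_port: int
    int_addr: str
    int_port: int
    timestamp: int
    desc: str

def parse_lease(line):
    # Assumed layout: proto:ext_port:int_addr:int_port:timestamp:description.
    # The description can contain ':' (the Teredo entry), so split at most 5 times.
    proto, eport, iaddr, iport, ts, desc = line.strip().split(":", 5)
    return Lease(proto, int(eport), iaddr, int(iport), int(ts), desc)

def parse_rule(line):
    # Rule layout as in the post: action, external ports, address/mask, internal ports.
    action, eports, net, iports = line.split()
    def port_range(text):
        lo, _, hi = text.partition("-")
        return int(lo), int(hi or lo)
    return action, port_range(eports), ipaddress.ip_network(net, strict=False), port_range(iports)

def decide(lease, rules):
    # Assumption: rules are checked in order, first match wins, no match means allow.
    addr = ipaddress.ip_address(lease.int_addr)
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= lease.ext_port <= ehi and addr in net and ilo <= lease.int_port <= ihi:
            return action
    return "allow"

def audit(leases_text, rule_lines):
    rules = [parse_rule(r) for r in rule_lines if r.strip()]
    return [(l, decide(l, rules)) for l in map(parse_lease, filter(str.strip, leases_text.splitlines()))]

if __name__ == "__main__":
    for lease, verdict in audit(SAMPLE_LEASES, SAMPLE_RULES):
        print(f"{verdict:5} {lease.proto} ext {lease.ext_port} -> {lease.int_addr}:{lease.int_port} ({lease.desc})")
```

Run against a live lease file, any mapping reported as `allow` for the NAS address is one the rule set would still let through.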
crisisacting
Posts: 257
Joined: 20 Jan 2022, 16:42

Re: HTTP being exposed via UPNP

Post by crisisacting »

@imilne

Is that request happening even with UPNP disabled on the NAS?
imilne
Posts: 13
Joined: 31 May 2023, 05:50

Re: HTTP being exposed via UPNP

Post by imilne »

crisisacting wrote: 29 Oct 2023, 00:25
Is that request happening even with UPNP disabled on the NAS?

The only UPnP option I can find is under Network|Discovery Service: "Enable UPnP discovery service" and that's definitely disabled. There's also the Remote Access and Remote Assistance apps that are both disabled. Grep-ing the file system and logs finds a few instances of 5443 used here and there but nothing jumps out at me to suggest what service might be making the UPnP call.
imilne
Posts: 13
Joined: 31 May 2023, 05:50

Re: HTTP being exposed via UPNP

Post by imilne »

No comments from Terramaster?