Portmapper Vulnerability - Virgin Media Security Alert telling me to block port 111 on my router

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Portmapper Vulnerability - Virgin Media Security Alert telling me to block port 111 on my router

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Portmapper Vulnerability - Virgin Media Security Alert telling me to block port 111 on my router
Portmapper Vulnerability - Virgin Media Security Alert telling me to block port 111 on my router
2024-04-04 12:49:39 - last edited 2024-04-07 01:47:54
Model: Deco X20  
Hardware Version:
Firmware Version:

 

I keep getting emails (sporadically) from Virgin Media (my ISP) saying 'Your home devices could be at risk'. I have had two such in the last 7 days.

Extracting their key message:

START

Since we last wrote to you we have again been alerted that a device connected to your home network has been identified as having a potential Portmapper vulnerability.

A Portmapper vulnerability is a security issue whereby a 3rd party can use this protocol to gain unauthorised access to your network/devices for malicious purposes. If a 3rd party has access to your network/devices they will be able to perform a Distributed Denial of Service (DDoS) attack.

It is therefore important that you follow the advice in this letter.

What has happened?

We suspect the device may have been misconfigured by you, someone in your household or without your knowledge. If the settings are left unchanged they can be exploited to unwittingly participate in malicious activities, for example a Distributed Denial of Service (DDoS) attack.

Details:

IP: 81.109.90.249

Date: 02 April 2024

How can this issue be resolved?

To fix this problem please visit virginmedia.com/portmapper for guidance on how to secure your network.

END

I use the supplied Virgin Media Hub as a modem and the Deco X20 provides my routing. So effectively the Virgin Media Hub is 'dumb' and the X20 controls my Firewall.

Looking at the VM site about Open Portmapper Vulnerability it says:

START

Portmapper (also known as RPC Bind or RPC Portmap) is a service used by computer systems to assist with networking tasks. Unfortunately, Portmapper currently has a bug that can allow remote third-party attackers to gain unauthorised access and perform Distributed Denial of Service (DDoS) attacks against target machines. A remote attacker can take advantage of this bug by sending a specially crafted request to an affected Portmapper server.

Block external Portmapper traffic

The easiest way to fix an open Portmapper vulnerability is to set your firewall to block UDP port 111.

END

I cannot find any way in the Deco app to look to carry out the blocking as advised by Virgin.

So, three questions:

  1. Is there a way to block the specific port as advised by Virgin Media?
  2. If not does it matter?
  3. Am I protected by my Deco Firewall as a matter of course? That is do I worry or not.

Thanks (in anticipation) for any advice/guidance.

 

  0      
  0      
#1
Options
1 Accepted Solution
Re:Portmapper Vulnerability - Virgin Media Security Alert telling me to block port 111 on my router-Solution
2024-04-05 16:36:35 - last edited 2024-04-07 01:47:54

  @Alexandre. 

Hi.

 

Thanks for your observations and advice.

 

The Virgin SuperHub is in Modem mode. (That is it is bridging I think you said.)

 

I set it some time previously to modem mode as before I had the Deco X20 I had a TP-Link Archer AC1750 Wireless Dual Band Gigabit RouterArcher C7/Archer A7. And that was the instructions for setting it up. However the Archer left me with dead spots when I moved to a bigger house, hence moving to the X20 mesh system. [Of course with the Archer you could configure (and see) ports through its very detailed configuration page which the Deco app can't do.)

 

I followed that same approach when I set up the X20s.

 

Then thinking about it, I have another point to make. I have a Synology NAS (DS220+).

 

This is accessible from outside my LAN by using the Synology Quick Connect app. But when you set up the Synology for external access I remember that the software carries out an automatic configuration of the router opening up various ports as necessary.

 

Remembering this has prompted me to look at the Router Configuration page [part extracted] and it shows thus:

 

So it is the Synology that has opened port 111. I guess I said yes to everything(!!)

 

As I don't use Mac/Linux file server (unless it interacts with QuickConnect) I am going to disable that function which I assume will then close down those particular ports to access through the Firewall.

 

I assume once that is done it will stop any of the Portmapper 'attacks' occurring? 

 

One additional question. I am assuming that at least in the immediate time that I leave my LAN set up as it is. That is the SuperHub in modem mode and the X20s doing the routing. If all else fails I go back to your original recommendation i.e. configure Deco mesh to run in Access Point mode and start a conversation with Virgin Media. 

 

Many thanks for your advice and time. If I need to come back to the TP Home Network Community I will.

 

Chris

 

Recommended Solution
  1  
  1  
#5
Options
5 Reply
Re:Portmapper Vulnerability - Virgin Media Security Alert telling me to block port 111 on my router
2024-04-04 14:34:22 - last edited 2024-04-04 14:48:49

  @ChrisJL_2005 

 

I would recommend not to ignore these messages from Virgin Media. I once got into similar situation with my ISP, they cut off my Internet without extra notice. It took me time and multiple phone calls to ISP Support to restore my Internet connection.

 

As a quick workaround, I suggest restoring Virgin hub to its original Router mode. No other changes to home LAN are necessary. This will make two routers at your home, Hub and Main Deco, but unless yours is a special case where "Double NAT" causes issues, it should work just fine. Google for "Double NAT" to find what are these cases.

The easiest way to find if your home network can run with two routers is restore Virgin hub to original configuration and see. Make sure you keep Hub WiFi turned off.

 

When in original configuration, Virgin hub should protect your home network from Portmapper vulnerability. If it does not, if you still receive emails from Virgin, call their Tech Support and tell them it is now their problem they should be dealing with. It is because with Hub in original configuration it is Hub's firewall that protects your home network.

  1  
  1  
#2
Options
Re:Portmapper Vulnerability - Virgin Media Security Alert telling me to block port 111 on my router
2024-04-05 09:38:06

  @Alexandre. 

 

thank you

 

I am not sure if the Virgin Super hub will let me do as you say. I will give it a go. I have read elsewhere that there can be conflicts. 
 

however, can you answer my other specific questions re: on the X20 Deco.
Most importantly #1 and #3. 
 

 

  1. Is there a way to block the specific port as advised by Virgin Media? 
  2. If not does it matter? 
  3. Am I protected by my Deco Firewall as a matter of course? That is do I worry or not.


I have read some other posts re: port blocking on the Decos that suggest that you cannot control specific ports but in any event the system is tightly locked down and access is only via the Deco app. 

 

Thanks very much. 
 

Chris

  0  
  0  
#3
Options
Re:Portmapper Vulnerability - Virgin Media Security Alert telling me to block port 111 on my router
2024-04-05 14:51:54 - last edited 2024-04-05 16:30:06

ChrisJL_2005 wrote

  @Alexandre. 

 

thank you

 

I am not sure if the Virgin Super hub will let me do as you say. I will give it a go. I have read elsewhere that there can be conflicts. 
 

  @ChrisJL_2005 

 

Virgin Hub will sure can allow you change it to original mode. It is called "factory reset Virgin Hub." Check manual, this will be in troubleshooting section somewhere in "If nothing else helps..." Google it: "factory reset Virgin Hub," and you'll see instructions.

You can also call Virgin Internet Tech Support, tell them you messed with Hub settings but now want it in its original mode and ask them for factory reset. They can either do that for you remotely or guide you through the process. 

 

The process, in fact, is quite straightforward: you need to locate pinhole at the side of the Hub and push it for 10-20-30 seconds (manual or Tech Support can tell for how long). That will force Hub reset all settings you made to it and have it the way you've got it when installed.

 

I have read elsewhere that there can be conflicts. 
 

 

 

Yes, there may be. These conflicts have the name: "Double NAT." You can google "Double NAT" to see what conflicts might be. The easiest to deal with that, if you have these conflicts, would be to configure Deco mesh to run in Access Point mode, after you restored original Hub router settings. 

 

however, can you answer my other specific questions re: on the X20 Deco.
Most importantly #1 and #3. 
 

 

 

  1. Is there a way to block the specific port as advised by Virgin Media? 
  2. If not does it matter? 
  3. Am I protected by my Deco Firewall as a matter of course? That is do I worry or not.

 

 

1. Yes, it is. It appears someone or some app opened port 111 in Deco firewall. If you could find where and how did this happen, you can undo that change. Note that if you did not do that change, whoever or whatever did it may do it again. Hence, enabling firewall on Hub by restoring its factory settings is better approach.

 

2. It matters because Virgin has only two ways of getting your attention: temporary suspend your Internet, or permanently cancel your account which will terminate your Internet services. You do not want to wait till Virgin gets to this point.

 

3. You should be protected by your Deco firewall, but according to Virgin you are currently not. 

 

----------------------------------------

----------------------------------------

 

After re-reading your original post, I have a question for you. You said "I use the supplied Virgin Media Hub as a modem and the Deco X20 provides my routing." For people like me word "modem" has specific meaning. It means you or someone else configured Hub to run in modem (a.k.a. bridge) mode by following these steps:

 

1. Navigate to 192.168.0.1
2. Log in to the Hub
3. Go to 'Modem mode' (on the left) and put the hub into modem mode
4. Wait until the bottom light on the Hub turns magenta / red (HUB 3) (can take about 5 minutes)
5. Plug an Ethernet cable from port 1 on the Hub into the Ethernet port of Main Deco

 

Have you done these or someone else done it for you? Because, if not, your Hub might still be running in its Router mode.

  0  
  0  
#4
Options
Re:Portmapper Vulnerability - Virgin Media Security Alert telling me to block port 111 on my router-Solution
2024-04-05 16:36:35 - last edited 2024-04-07 01:47:54

  @Alexandre. 

Hi.

 

Thanks for your observations and advice.

 

The Virgin SuperHub is in Modem mode. (That is it is bridging I think you said.)

 

I set it some time previously to modem mode as before I had the Deco X20 I had a TP-Link Archer AC1750 Wireless Dual Band Gigabit RouterArcher C7/Archer A7. And that was the instructions for setting it up. However the Archer left me with dead spots when I moved to a bigger house, hence moving to the X20 mesh system. [Of course with the Archer you could configure (and see) ports through its very detailed configuration page which the Deco app can't do.)

 

I followed that same approach when I set up the X20s.

 

Then thinking about it, I have another point to make. I have a Synology NAS (DS220+).

 

This is accessible from outside my LAN by using the Synology Quick Connect app. But when you set up the Synology for external access I remember that the software carries out an automatic configuration of the router opening up various ports as necessary.

 

Remembering this has prompted me to look at the Router Configuration page [part extracted] and it shows thus:

 

So it is the Synology that has opened port 111. I guess I said yes to everything(!!)

 

As I don't use Mac/Linux file server (unless it interacts with QuickConnect) I am going to disable that function which I assume will then close down those particular ports to access through the Firewall.

 

I assume once that is done it will stop any of the Portmapper 'attacks' occurring? 

 

One additional question. I am assuming that at least in the immediate time that I leave my LAN set up as it is. That is the SuperHub in modem mode and the X20s doing the routing. If all else fails I go back to your original recommendation i.e. configure Deco mesh to run in Access Point mode and start a conversation with Virgin Media. 

 

Many thanks for your advice and time. If I need to come back to the TP Home Network Community I will.

 

Chris

 

Recommended Solution
  1  
  1  
#5
Options
Re:Portmapper Vulnerability - Virgin Media Security Alert telling me to block port 111 on my router
2024-04-05 17:24:27

  @ChrisJL_2005 

 

It looks like you have found the culprit. 

 

Disable this in Synology NAS. Also, do you really need external access to your NAS? Because, if you don't, find UPnP setting in Deco app under Advanced and turn it off. That will disable ability for any device or app at your place to automatically open incoming ports in Deco firewall.

 

One of the reasons I didn't enable external access to my Synology NAS is to not have it vulnerable to exploits from the Internet. 

 

After you disabled this function, the only way to be sure this fixes the issue is wait for another email from Virgin or them cutting off your Internet. If that does not happen, it means they are happy with you now.

 

You can keep your current setup, but be aware that more ports you have opened to the Internet, more risks you create. For that reason, I don't do port forwarding on my router and I have its UPnP disabled so that no device or app on my LAN can open its firewall without my explicit approval.

 

If you decided to go with my suggestion of having Hub in Router mode and Deco mesh in AP mode, same recommendation applies to the Hub: turn off its UPnP, unless you understand and accept the risks involved with having it enabled.

 

 

  0  
  0  
#6
Options