@Larian - Please try to find another way to get your data from users instead of trying to use the old Router enabled UPnP port.

UPnP should never have been an internet facing port, but I understand it is misguidedly enabled by default in a lot of old routers' settings, and remains a vulnerability in a lot of routers out there.

See Steve Gibson's Shields Up UPnP vulnerability check here https://www.grc.com/x/ne.dll?bh0bkyd2
Click Proceed, then click the big UPnP check

The game makes a network.log in your \Baldurs Gate 3\Bin\ folder

Because I have the router's settings disabling UPnP, the game reports the following ..

[12-10-2020 22:00:16:328][F:\Jenkins\workspace\Repo\FW4\Submission\Stable\LSProjects\Framework\Code\GameNet\PortMapperUPnP .cpp 115 net::PortMapperUPnP::Discover]: [NET] Discovery finished... no usable UPnP enabled routers found

(my bold)

So Larian, expecting people to have a router with the vulnerable UPnP port open to the world is imho a bad practice.

From GRC.Com ..

About UPnP and what this means

Here's what you need to know about Universal Plug n' Play (UPnP):

UPnP has been provided and enabled by default in consumer Internet routers since 2002 or 2003.

Today, any home appliance — TV's, DVD players, game consoles, IP cameras, printers, fax machines, and you-name-it, includes support for UPnP.

UPnP is a “zero-authentication” (no passwords required) system for allowing networked devices to discover and easily connect with each other on a private local network.
Additionally, software such as Skype and BitTorrent, and gaming consoles, which wish to be “seen” on the Internet, are able to use UPnP to open “holes” through the protection normally provided by routers in order to allow “unsolicited” traffic to enter.

THE HUGE MISTAKE IS: No part of UPnP was EVER MEANT to be exposed to the EXTERNAL public Internet. It was only ever meant for private local control of devices and routers. Its exposure gives malicious hackers direct access to the inside of any exposed private network. It was a huge mistake for it ever to be exposed. Router manufacturers are at fault, but all they can do now is offer updated router firmware. Now that the mistake has been made, responsibility rests upon router owners to somehow eliminate that exposure.
..

Larian - If your game depends on this connection to get the data you need to refine how the game works, then going forward (and to help encourage good practices without people unwittingly assuming they need to enable this bad vulnerability again), you need to find another way of securely getting this data without potentially compromising users' security.

PS: Do any of your other games do this?
Post edited October 13, 2020 by alt3rn1ty
alt3rn1ty: ...
"Larian" is not here.
alt3rn1ty: @Larian - Please try to find another way to get your data from users instead of trying to use the old Router enabled UPnP port.

UPnP should never have been an internet facing port, but I understand it is misguidedly enabled by default in a lot of old routers' settings, and remains a vulnerability in a lot of routers out there.

See Steve Gibson's Shields Up UPnP vulnerability check here https://www.grc.com/x/ne.dll?bh0bkyd2
Click Proceed, then click the big UPnP check

The game makes a network.log in your \Baldurs Gate 3\Bin\ folder

Because I have the router's settings disabling UPnP, the game reports the following ..

[12-10-2020 22:00:16:328][F:\Jenkins\workspace\Repo\FW4\Submission\Stable\LSProjects\Framework\Code\GameNet\PortMapperUPnP .cpp 115 net::PortMapperUPnP::Discover]: [NET] Discovery finished... no usable UPnP enabled routers found

(my bold)

So Larian, expecting people to have a router with the vulnerable UPnP port open to the world is imho a bad practice.

From GRC.Com ..

About UPnP and what this means

Here's what you need to know about Universal Plug n' Play (UPnP):

UPnP has been provided and enabled by default in consumer Internet routers since 2002 or 2003.

Today, any home appliance — TV's, DVD players, game consoles, IP cameras, printers, fax machines, and you-name-it, includes support for UPnP.

UPnP is a “zero-authentication” (no passwords required) system for allowing networked devices to discover and easily connect with each other on a private local network.
Additionally, software such as Skype and BitTorrent, and gaming consoles, which wish to be “seen” on the Internet, are able to use UPnP to open “holes” through the protection normally provided by routers in order to allow “unsolicited” traffic to enter.

THE HUGE MISTAKE IS: No part of UPnP was EVER MEANT to be exposed to the EXTERNAL public Internet. It was only ever meant for private local control of devices and routers. Its exposure gives malicious hackers direct access to the inside of any exposed private network. It was a huge mistake for it ever to be exposed. Router manufacturers are at fault, but all they can do now is offer updated router firmware. Now that the mistake has been made, responsibility rests upon router owners to somehow eliminate that exposure.
alt3rn1ty: ..

Larian - If your game depends on this connection to get the data you need to refine how the game works, then going forward (and to help encourage good practices without people unwittingly assuming they need to enable this bad vulnerability again), you need to find another way of securely getting this data without potentially compromising users' security.

PS: Do any of your other games do this?
These are some great findings! Please take this to Larian Studios Forum page
http://forums.larian.com/ubbthreads.php?ubb=postlist&Board=87&page=1
and report your findings.
Gyrofalcon: These are some great findings! Please take this to Larian Studios Forum page
http://forums.larian.com/ubbthreads.php?ubb=postlist&Board=87&page=1
and report your findings.
:) I am not a member of their forums ..

But it has already been reported directly to Larian software, via their "Contact Support" at the bottom of this page https://larian.com/support/baldur-s-gate-3

Hopefully it does not get missed in among all the others.

I am just making it public knowledge in case any gamers look into the same log file and think they need to enable UPnP in their Routers .. which would be a very bad thing to do these days.
Post edited October 13, 2020 by alt3rn1ty