The CallStranger UPnP vulnerability affects billions of devices

Security experts discovered a new UPnP vulnerability, dubbed Call Stranger, that affects billions of devices and could be exploited for various malicious activities.

Security experts disclosed a new UPnP vulnerability, named Call Stranger, that affects billions of devices and could be exploited by attackers to carry out multiple malicious activities, including distributed denial-of-service (DDoS) attacks and data exfiltration.

The Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing, communications, and entertainment. 

According to the CERT Coordination Center (CERT/CC), the UPnP protocol in effect prior to April 17, 2020 can be abused to send traffic to arbitrary destinations using the SUBSCRIBE functionality.

“A vulnerability in the UPnP SUBSCRIBE capability permits an attacker to send large amounts of data to arbitrary destinations accessible over the Internet, which could lead to a Distributed Denial of Service (DDoS), data exfiltration, and other unexpected network behavior.” reads the alert published by CERT/CC. “The OCF has updated the UPnP specifications to address this issue. This vulnerability has been assigned CVE-2020-12695 and is also known as Call Stranger.”

The vulnerability, tracked as CVE-2020-12695, could allow attackers to send large amounts of data to arbitrary destinations exposed online.

The vulnerability, which is tracked as CVE-2020-12695 and is referred to as CallStranger, could be abused by remote, unauthenticated attackers to carry out DDoS assaults, bypass security systems and exfiltrate data, and scan internal ports.

Experts pointed out that, although UPnP services should not be exposed to the Internet, a recent Shodan scan revealed millions of devices exposing them online.

The CallStranger flaw was discovered by Yunus Çadırcı from EY Turkey.

The CallStranger vulnerability stems from the fact that the Callback header value in the UPnP SUBSCRIBE function can be controlled by an attacker. This enables an SSRF-like vulnerability that affects millions of devices exposed on the Internet and billions of LAN devices.

Çadırcı explained that the vulnerability can be used for:

  • Bypassing DLP and network security devices to exfiltrate data
  • Using millions of Internet-facing UPnP devices as a source of amplified reflected TCP DDoS (not the same as https://www.cloudflare.com/learning/ddos/ssdp-ddos-attack/ )
  • Scanning internal ports from Internet facing UPnP devices

Vendors could mitigate the Callstranger issue by implementing the updated Open Connectivity Foundation (OCF) UPnP protocol specification.

Unfortunately, CVE-2020-12695 is a protocol vulnerability, which means that vendors could take a long time to release security patches.

To mitigate the issue, manufacturers should disable the UPnP SUBSCRIBE capability in default configurations and require explicit user consent to enable SUBSCRIBE, with appropriate network restrictions. Experts also recommend disabling the UPnP protocol on devices exposed online.
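The "appropriate network restrictions" above come down to one check on the device side: refuse any SUBSCRIBE whose Callback URL points outside the device's own LAN. The following is an added illustration, not code from the article or from any vendor's UPnP stack; the sample request, the LAN range and the function names are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A GENA SUBSCRIBE request carries one or more callback URLs, each wrapped in
# angle brackets, in its CALLBACK header: <http://192.168.1.50:8080/notify>.
_CALLBACK_URL_RE = re.compile(r"<([^>]+)>")

# Constructed sample request: one callback on the LAN, one pointing at an
# Internet host (203.0.113.10 is a documentation address, not a real system).
SAMPLE_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify><http://203.0.113.10:80/x>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)

def parse_subscribe(raw: str) -> dict:
    """Split a raw request into its method and an upper-cased header map."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return {"method": method, "headers": headers}

def host_is_allowed(host: str, lan: ipaddress.IPv4Network) -> bool:
    """Accept only literal IPv4 addresses inside the device's own LAN (no DNS)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames could resolve to any address, so reject them
    return addr.version == 4 and addr in lan

def rejected_callbacks(raw: str, lan_cidr: str) -> list:
    """Return the callback URLs a device should refuse (empty means accept)."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    req = parse_subscribe(raw)
    if req["method"] != "SUBSCRIBE":
        return []
    bad = []
    for url in _CALLBACK_URL_RE.findall(req["headers"].get("CALLBACK", "")):
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname \
                or not host_is_allowed(parts.hostname, lan):
            bad.append(url)
    return bad
```

A device that drops every SUBSCRIBE with a non-empty rejection list cannot be turned into a reflector or a port scanner, whatever the Callback header contains.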

The researcher believes that botnets might soon start exploiting the flaw to launch DDoS attacks abusing end-user devices.

“Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end user devices. Because of the latest UPnP vulnerabilities, enterprises blocked Internet exposed UPnP devices so we don’t expect to see port scanning from Internet to Intranet but Intranet2Intranet may be an issue.” concludes the expert.

The list of confirmed vulnerable devices includes Windows PCs, Xbox One (OS version 10.0.19041.2494), TVs and network devices from Asus, Belkin, Broadcom, Cisco, Dell, D-Link, Huawei, Netgear, Samsung, TP-Link, ZTE, and others.

Pierluigi Paganini

(SecurityAffairs – UPnP, cybersecurity)
