National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise the level of cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, banks and communications providers of the Republic of Cyprus.

CallStranger UPnP bug allows data theft, DDoS attacks, LAN scans

09 June 2020

A vulnerability in the Universal Plug and Play protocol implemented in billions of devices can be exploited to exfiltrate data, turn them into bots for distributed denial-of-service attacks (DDoS), and scan internal networks.

The bug has been named CallStranger and affects all devices running a UPnP version released before April 17. This includes all versions of Windows 10, routers, access points, printers, gaming consoles, door phones, media applications and devices, cameras, and television sets.

Triple impact

Universal Plug and Play (UPnP) is used to provide automatic discovery of devices on the network and to provide interaction with them. It is intended for local use on a trusted network as there is no authentication or verification in place.

CallStranger is now identified as CVE-2020-12695 and can be leveraged remotely without authentication. It was discovered by cybersecurity researcher Yunus Çadirci and reported to the Open Connectivity Foundation (OCF) – the organization currently developing UPnP – on December 12, 2019.

The flaw is in UPnP’s SUBSCRIBE function. More specifically, it is caused by the Callback header value, which can be controlled by an attacker “and enables an SSRF-like vulnerability,” Çadirci explains.

According to the researcher, an attacker exploiting CallStranger can bypass network security devices and data loss prevention solutions designed to prevent sending critical/sensitive information outside the corporate network.

“We see data exfiltration as the biggest risk of CallStranger. Checking logs is critical if any threat actor used this in the past,” the researcher highlights, adding that it can also serve the following nefarious purposes:

  • launch amplified reflected TCP DDoS attacks from millions of UPnP devices reachable over the public web
  • scan internal ports from internet-facing UPnP devices

Çadirci wrote a script that can check which devices on the network are susceptible to CallStranger attacks. It essentially finds all UPnP devices, services, and endpoints on the local network.

The CERT Coordination Center at Carnegie Mellon warns that UPnP should not be available over the internet as it opens the door to a host of other vulnerabilities. The recommendation is to implement the latest specifications from the OCF.

A simple search for UPnP on the Shodan search engine shows that there are almost 5.5 million devices exposed on the public web.

Long-term fix

Despite a patch being available for almost two months, updating all devices is unlikely to happen any time soon, if ever. It mainly depends on vendors to implement the fix and this takes time when dealing with protocol vulnerabilities. Furthermore, many devices may no longer be supported or are not able to receive updates.

Çadirci says that not all UPnP stacks are vulnerable, though. For instance, miniupnp is not. Where an updated UPnP stack is not available, he recommends the following mitigation steps:

  • Disable unnecessary UPnP services, especially for internet-facing devices/interfaces
  • Check intranet and server networks to be sure UPnP devices (routers, IP cameras, printers, media gateways, etc.) are not allowing data exfiltration
  • Go through network security logs to check if this vulnerability was used by a threat actor
  • Contact your ISP/DDoS protection vendor to check if their solutions can block traffic generated by UPnP SUBSCRIBE (HTTP NOTIFY)
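The log-review step above comes down to looking at who sent SUBSCRIBE requests and where their CALLBACK header points, since that header is the attacker-controlled value behind the SSRF-like behaviour described earlier. The following is an added example, not code from the researcher or the article: it assumes a hypothetical one-line-per-request log format (constructed sample inline) and flags subscriptions whose NOTIFY sink lies outside the LAN, points at a different internal host, or was requested from the internet.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in a hypothetical one-line-per-request log format:
# "<client ip> SUBSCRIBE <event path> CALLBACK=<raw CALLBACK header value>".
SAMPLE_LOG = """\
192.168.1.20 SUBSCRIBE /upnp/event/basicevent1 CALLBACK=<http://192.168.1.20:49152/notify>
192.168.1.77 SUBSCRIBE /upnp/event/basicevent1 CALLBACK=<http://203.0.113.10:80/collect?d=report>
192.168.1.77 SUBSCRIBE /upnp/event/basicevent1 CALLBACK=<http://192.168.1.5:22/><http://192.168.1.5:445/>
203.0.113.55 SUBSCRIBE /upnp/event/basicevent1 CALLBACK=<http://198.51.100.9:80/>
"""
LINE_RE = re.compile(r"^(?P<src>\S+) SUBSCRIBE (?P<path>\S+) CALLBACK=(?P<cb>.+)$")
URL_RE = re.compile(r"<([^>]+)>")  # a CALLBACK header carries one or more <url> entries

# Ranges treated as "inside the LAN": RFC 1918, loopback and link-local. (Python's
# is_private would also accept the RFC 5737 documentation ranges used in the sample.)
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_lan(addr):
    return any(addr in net for net in LAN_NETS)

def classify_callback(src_ip, callback_header):
    """Return (url, verdict) for every URL in a CALLBACK header sent by src_ip."""
    src = ipaddress.ip_address(src_ip)
    findings = []
    for url in URL_RE.findall(callback_header):
        try:
            target = ipaddress.ip_address(urlsplit(url).hostname)
        except ValueError:
            findings.append((url, "non-ip-callback"))  # DNS name: unusual for a LAN event sink
            continue
        if not is_lan(src):
            findings.append((url, "wan-subscriber"))  # SUBSCRIBE arrived from the internet
        elif not is_lan(target):
            findings.append((url, "external-callback"))  # NOTIFY would leave the LAN: exfil/reflection
        elif target != src:
            findings.append((url, "third-party-lan-callback"))  # device asked to contact another host
        else:
            findings.append((url, "ok"))
    return findings

def scan_log(text):
    """Return every non-ok finding as (src_ip, callback_url, verdict)."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        alerts += [(m["src"], url, v) for url, v in classify_callback(m["src"], m["cb"]) if v != "ok"]
    return alerts
```

Run `scan_log` over exported subscription logs from each UPnP-capable device; any `external-callback` hit is the exfiltration/reflection pattern the researcher warns about and deserves a look at what that device has been sending.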

The information is gathered from Bleeping Computer.
