A new security vulnerability affecting devices running UPnP protocol has been discovered by a researcher named Yunus Çadırcı; dubbed as CallStranger the security flaw could be exploited by remote unauthenticated attackers to perform a number of malicious acts such as data exfiltration and distributed denial-of-service popularly known as DDoS attacks.
UPnP protocol is designed to speed up the process of automatic discovery and to facilitate interaction with devices on a network, it doesn't have any kind of verification or authentication and therefore is supposed to be employed within trusted LANs. Most of the internet-connected devices contain support for UPnP, however, the Device Protection service responsible for adding security features has not been broadly accepted.
The security vulnerability that is being tracked as CVE-2020-12695, affects Windows PCs, TVs, Cisco, Belkin Broadcom, Dell, D-Link, Gaming Consoles, Samsung, routers from Asus, Huawei, ZTE, TP-Link and probably many more.
While giving insights into his discovery, Çadırcı told, “[The vulnerability] is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet-facing and billions of LAN devices.”
“Home users are not expected to be targeted directly. If their internet-facing devices have UPnP endpoints, their devices may be used for DDoS source. Ask your ISP if your router has Internet-facing UPnP with CallStranger vulnerability — there are millions of consumer devices exposed to the Internet. Don't port forward to UPnP endpoints,” he further added.
“Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end-user devices. Because of the latest UPnP vulnerabilities, enterprises blocked Internet exposed UPnP devices so we don’t expect to see port scanning from the Internet to Intranet but Intranet2Intranet may be an issue.” The researcher concluded.
In order to stay safe, vendors are recommended to act upon the latest specifications put forth by the OCF, and users are advised to actively look out for vendor support channels for updates. Meanwhile, Device manufacturers are advised to disable the UPnP protocol on Internet-obtainable interfaces.
