Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

CallStranger: UPnP Flaw Affecting Billions of Devices Allows Data Exfiltration, DDoS Attacks

A newly disclosed UPnP vulnerability that affects billions of devices can be exploited for various types of malicious activities, including distributed denial-of-service (DDoS) attacks and data exfiltration.

A newly disclosed UPnP vulnerability that affects billions of devices can be exploited for various types of malicious activities, including distributed denial-of-service (DDoS) attacks and data exfiltration.

Designed to facilitate the automatic discovery and interaction with devices on a network, the UPnP protocol is meant for use within trusted local area networks (LANs), as it lacks any form of authentication or verification.

Many commonly used Internet-connected devices include support for UPnP, but the Device Protection service, which adds security features to UPnP, has not been widely adopted.

In an alert published on Monday, the CERT Coordination Center (CERT/CC) warns of a vulnerability that impacts the protocol in effect prior to April 17, when the Open Connectivity Foundation (OCF) updated the UPnP protocol specification. The flaw could allow attackers to send “large amounts of data to arbitrary destinations accessible over the Internet.”

The vulnerability, which is tracked as CVE-2020-12695 and is referred to as CallStranger, could be abused by remote, unauthenticated attackers to carry out DDoS assaults, bypass security systems and exfiltrate data, and scan internal ports.

“Although offering UPnP services on the Internet is generally considered to be a misconfiguration, a number of devices are still available over the Internet according to a recent Shodan scan,” CERT/CC notes.

Advertisement. Scroll to continue reading.

The vulnerability, discovered by Yunus Çadırcı of EY Turkey, impacts Windows PCs, gaming consoles, TVs and routers from Asus, Belkin, Broadcom, Cisco, Dell, D-Link, Huawei, Netgear, Samsung, TP-Link, ZTE, and possibly many others.

“[The vulnerability] is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices,” Çadırcı explained.

To stay protected, vendors are advised to implement the updated specifications provided by the OCF. Users should keep an eye on vendor support channels for updates implementing the new SUBSCRIBE specification.

Device manufacturers should disable the UPnP SUBSCRIBE capability in default configurations, and ensure that explicit user consent is required to enable SUBSCRIBE with any appropriate network restrictions. Disabling the UPnP protocol on Internet-accessible interfaces is also advised.

“Home users are not expected to be targeted directly. If their internet facing devices have UPnP endpoints, their devices may be used for DDoS source. Ask your ISP if your router has Internet facing UPnP with CallStranger vulnerability — there are millions of consumer devices exposed to Internet. Don’t port forward to UPnP endpoints,” Çadırcı says.

The security researcher also points out that botnets might soon start implementing the technique, by consuming end-user devices. Enterprises might have blocked Internet-exposed UPnP devices, but intranet-to-intranet port scanning is expected to become an issue.

Related: Researchers Use UPnP Protocol to Unmask IPv6 Address

Related: IP-in-IP Vulnerability Affects Devices From Cisco and Others

Related: Microsoft Office for Mac Users Exposed to Macro-Based Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.