A newly disclosed UPnP vulnerability that affects billions of devices can be exploited for various types of malicious activities, including distributed denial-of-service (DDoS) attacks and data exfiltration.
Designed to facilitate the automatic discovery and interaction with devices on a network, the UPnP protocol is meant for use within trusted local area networks (LANs), as it lacks any form of authentication or verification.
Many commonly used Internet-connected devices include support for UPnP, but the Device Protection service, which adds security features to UPnP, has not been widely adopted.
In an alert published on Monday, the CERT Coordination Center (CERT/CC) warns of a vulnerability that impacts the protocol in effect prior to April 17, when the Open Connectivity Foundation (OCF) updated the UPnP protocol specification. The flaw could allow attackers to send “large amounts of data to arbitrary destinations accessible over the Internet.”
The vulnerability, which is tracked as CVE-2020-12695 and is referred to as CallStranger, could be abused by remote, unauthenticated attackers to carry out DDoS assaults, bypass security systems and exfiltrate data, and scan internal ports.
“Although offering UPnP services on the Internet is generally considered to be a misconfiguration, a number of devices are still available over the Internet according to a recent Shodan scan,” CERT/CC notes.
The vulnerability, discovered by Yunus Çadırcı of EY Turkey, impacts Windows PCs, gaming consoles, TVs and routers from Asus, Belkin, Broadcom, Cisco, Dell, D-Link, Huawei, Netgear, Samsung, TP-Link, ZTE, and possibly many others.
“[The vulnerability] is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices,” Çadırcı explained.
To stay protected, vendors are advised to implement the updated specifications provided by the OCF. Users should keep an eye on vendor support channels for updates implementing the new SUBSCRIBE specification.
Device manufacturers should disable the UPnP SUBSCRIBE capability in default configurations, and ensure that explicit user consent is required to enable SUBSCRIBE with any appropriate network restrictions. Disabling the UPnP protocol on Internet-accessible interfaces is also advised.
“Home users are not expected to be targeted directly. If their internet facing devices have UPnP endpoints, their devices may be used for DDoS source. Ask your ISP if your router has Internet facing UPnP with CallStranger vulnerability — there are millions of consumer devices exposed to Internet. Don’t port forward to UPnP endpoints,” Çadırcı says.
The security researcher also points out that botnets might soon start implementing the technique, by consuming end-user devices. Enterprises might have blocked Internet-exposed UPnP devices, but intranet-to-intranet port scanning is expected to become an issue.
Related: Researchers Use UPnP Protocol to Unmask IPv6 Address
Related: IP-in-IP Vulnerability Affects Devices From Cisco and Others
Related: Microsoft Office for Mac Users Exposed to Macro-Based Attacks