A newly disclosed UPnP vulnerability that affects billions of devices could be exploited for various types of malicious activity, including distributed denial-of-service (DDoS) attacks and data exfiltration.
The UPnP protocol, designed to enable automatic discovery of and interaction with devices on a network, is intended for use only within trusted local area networks (LANs), as it lacks any form of authentication or verification.
Many commonly used Internet-connected devices include UPnP support but have not widely adopted the Device Protection service, which adds security features to UPnP.
The CERT Coordination Center (CERT/CC) warns in an alert released on Monday of a vulnerability that impacts the protocol in effect prior to April 17, when the Open Connectivity Foundation (OCF) updated the UPnP protocol specification. The flaw could allow attackers to send “large amounts of data over the Internet accessible to arbitrary destinations.”
The vulnerability, which is tracked as CVE-2020-12695 and referred to as CallStranger, may be exploited by remote, unauthenticated attackers to conduct DDoS assaults, bypass security systems and exfiltrate data, and scan internal ports.
“While offering UPnP services on the Internet is generally considered a misconfiguration, according to a recent Shodan scan, there are still a number of devices available over the Internet,” notes CERT/CC.
The bug, discovered by EY Turkey’s Yunus Çadırcı, affects devices from Asus, Belkin, Broadcom, Cisco, Dell, D-Link, Huawei, Netgear, Samsung, TP-Link, ZTE and probably many other vendors, including Windows PCs, gaming consoles, TVs and routers.
“[The vulnerability] is caused by the Callback header value in the UPnP SUBSCRIBE function that can be controlled by an attacker and allows an SSRF-like vulnerability affecting millions of Internet facing devices and billions of LAN devices,” Çadırcı explained.
Vendors are advised to implement the OCF’s updated specification to stay protected. Users should keep an eye on vendor support channels for updates incorporating the latest SUBSCRIBE specification.
In default configurations, device manufacturers should disable the UPnP SUBSCRIBE capability and ensure that explicit user consent is required to enable SUBSCRIBE with any appropriate network restrictions. It’s also recommended to disable the UPnP protocol on internet-accessible interfaces.
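As an added, defender-side illustration (not code from the original article, from the researcher, or from any vendor), the following Python shows the kind of check the updated SUBSCRIBE guidance implies: a device parses the CALLBACK header of an incoming SUBSCRIBE request and accepts a subscription only when every callback URL points at a literal IP address inside the device's own LAN subnet. The sample requests, the subnet 192.168.1.0/24 and the service paths are constructed values for this example; the header layout (`CALLBACK: <url>`) follows UPnP eventing.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample SUBSCRIBE requests (hypothetical values for this example).
# A UPnP eventing SUBSCRIBE names its notification target(s) in the CALLBACK
# header as one or more <url> entries; this is the attacker-controlled field
# behind the SSRF-like behaviour described in the article.
LOCAL_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.20:8080/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)
REMOTE_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.20:8080/notify><http://203.0.113.10/any>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)


def parse_headers(raw):
    """Return the request headers (names upper-cased) from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers


def callback_urls(headers):
    """Split the CALLBACK header value into its individual <url> entries."""
    urls = []
    for piece in headers.get("CALLBACK", "").split("<")[1:]:
        url = piece.split(">", 1)[0].strip()
        if url:
            urls.append(url)
    return urls


def callback_is_local(url, device_subnet):
    """True only for an http:// URL whose host is a literal IP in device_subnet.

    Hostnames are rejected outright: without resolving them the device cannot
    prove they are local, and resolving them would itself be attacker-steered.
    """
    parsed = urlparse(url)
    if parsed.scheme != "http" or parsed.hostname is None:
        return False
    try:
        host_ip = ipaddress.ip_address(parsed.hostname)
    except ValueError:
        return False
    return host_ip in ipaddress.ip_network(device_subnet)


def validate_subscribe(raw, device_subnet="192.168.1.0/24"):
    """Return (accepted, reason) for a raw SUBSCRIBE request.

    Every callback URL must be local; one non-local entry rejects the whole
    subscription, so a mixed list cannot smuggle an Internet target through.
    """
    urls = callback_urls(parse_headers(raw))
    if not urls:
        return False, "no CALLBACK URL"
    for url in urls:
        if not callback_is_local(url, device_subnet):
            return False, "rejected non-local callback %s" % url
    return True, "ok"


if __name__ == "__main__":
    for name, req in (("local", LOCAL_SUBSCRIBE), ("remote", REMOTE_SUBSCRIBE)):
        print(name, validate_subscribe(req))
```

A real device would additionally require the callback subnet to match the subscriber's source address and would never expose the eventing endpoint on a WAN interface at all; the check above is the minimum that turns the Callback header from an arbitrary destination into a LAN-only one.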
“Not expected to directly target home users. If their Internet-facing devices have UPnP endpoints, they may be used as the DDoS source. Ask your ISP if your router has an Internet-facing UPnP vulnerability with CallStranger; millions of consumer devices are exposed to the Internet. Don’t carry UPnP endpoints forward,” says Çadırcı.
The security researcher also points out that botnets could soon begin using the technique by consuming end-user devices. Enterprises may have blocked Internet-exposed UPnP applications, but intranet-to-intranet port scanning is expected to become an issue.