UPnP vulnerability lets attackers steal data, scan internal networks

A vulnerability (CVE-2020-12695) in Universal Plug and Play (UPnP), which is implemented in billions of networked and IoT devices – personal computers, printers, mobile devices, routers, gaming consoles, Wi-Fi access points, and so on – may allow unauthenticated, remote attackers to exfiltrate data, scan internal networks or make the devices participate in DDoS attacks.


About UPnP

UPnP is a set of networking protocols that allows networked devices to automatically discover and interact with each other when on the same network.

UPnP is intended primarily for residential and SOHO wireless networks. It is designed to be used in a trusted local area network (LAN) and so the protocol does not implement any form of authentication or verification. That’s one of the reasons why some UPnP devices are shipped with the protocol turned off by default and it’s on administrators to enable it, if needed.

The development of the UPnP protocol is managed by the Open Connectivity Foundation (OCF), a standards organization whose goal is to promote the interoperability of connected devices.

About the vulnerability (CVE-2020-12695)

CVE-2020-12695 (aka “CallStranger”) was discovered by security researcher Yunus Çadırcı and privately reported to the OFC in late 2019.

“The vulnerability (…) is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices,” Çadırcı explained.

More technical details are available here but, in short, the vulnerability can be used to bypass DLP and network security devices to exfiltrate data, scan internal ports, and force millions of Internet-facing UPnP devices to become a source of amplified reflected TCP DDoS.

What now?

The Open Connectivity Foundation fixed the vulnerability and updated the UPnP specification on April 17, 2020. They also contacted some affected vendors (those included in Çadırcı’s report).

A Shodan search shows that there are around 5,5 million Internet-facing devices with UPnP enabled out there.

Among the confirmed vulnerable devices are computers running Windows 10, Xbox One, Belkin WeMo home automation devices, printers manufactured by Canon, HP and Epson, Samsung smart TVs, routers and modems manufactured by Broadcom, Cisco, D-Link, Huawei, Zyxel, and more.

CMU’s Software Engineering Institute has also published a vulnerability note for CVE-2020-12695 and will be updating it to list affected devices and links to available patches. They’ve also noted that, in general, making UPnP available over the Internet should be avoided.

“Device manufacturers are urged to disable the UPnP SUBSCRIBE capability in their default configuration and to require users to explicitly enable SUBSCRIBE with any appropriate network restrictions to limit its usage to a trusted local area network,” they advised.

“Vendors are urged to implement the updated specification provided by the OCF. Users should monitor vendor support channels for updates that implement the new SUBSCRIBE specification.”

Çadırcı noted that because CallStranger is a protocol vulnerability, it may take a long time for vendors to provide patches.

“Home users are not expected to be targeted directly. If their internet facing devices have UPnP endpoints, their devices may be used for DDoS source,” he added.

He advised enterprises to check whether devices they use are vulnerable and provided a script that can help them do that, as well as laid out several mitigation actions they can perform.

“We see data exfiltration as the biggest risk of CallStranger. Checking logs is critical if any threat actor used this in the past,” he noted. “Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end user devices. Because of the latest UPnP vulnerabilities, enterprises blocked Internet-exposed UPnP devices so we don’t expect to see port scanning from Internet to Intranet but Intranet to Intranet may be an issue.”

Don't miss