CVE-2020-12695: CallStranger Vulnerability in Universal Plug and Play (UPnP) Puts Billions of Devices At Risk
Universal Plug and Play (UPnP), a ubiquitous protocol used by “billions of devices,” may be vulnerable to data exfiltration and reflected amplified TCP distributed denial of service (DDoS) attacks.
Background
On June 8, researcher Yunus Çadirci published an advisory for CallStranger, a vulnerability in the Universal Plug and Play (UPnP) protocol. UPnP is currently managed by the Open Connectivity Foundation (OCF). As its name implies, UPnP is a protocol designed to allow a variety of networked devices to universally communicate with each other without any special setup or configuration.
Because of its ubiquitous nature, UPnP is used by a wide variety of devices, including personal computers, networking equipment, video game consoles and internet of things (IoT) devices such as smart televisions. As a result, Çadirci says this particular vulnerability potentially affects “billions of devices.”
Analysis
CVE-2020-12695 is a server-side request forgery (SSRF)-like vulnerability in devices that utilize UPnP. The vulnerability exists due to the ability to control the Callback header value in the UPnP SUBSCRIBE function.
Source: CallStranger Technical Report
The SUBSCRIBE function is part of the UPnP standard that allows devices to monitor changes in other devices and services. For example, the PoC published on GitHub shows port 2869 for Microsoft’s Xbox One — which is used to monitor device changes on the network for features like media sharing — as vulnerable.
In order to exploit the flaw, an attacker would need to send a specially crafted HTTP SUBSCRIBE request to a vulnerable device.
An attacker could utilize this vulnerability in the following scenarios:
- Intranet device port scanning to gather additional data from trusted assets within an organization’s LAN, bypassing organizational Data Loss Prevention (DLP) standards.
- Send large amounts of traffic to arbitrary destinations. Targets flooded by the affected devices could crash under the increased network load, resulting in a denial of service (DoS). This is a result of UPnP attempting to establish a TCP handshake with multiple SYN packets for all Callback values in the SUBSCRIBE request.
- Exfiltrate sensitive device data by directing callback information to arbitrary targets.
With the exception of the DoS, these scenarios provide a stealthy method for an attacker to steal data from a compromised network. This sensitive information could potentially open up an organization to further attack.
Proof of concept
The original proof of concept (PoC) created by Çadirci has been added to his GitHub repository.
Solution
Since CallStranger is a protocol-level vulnerability, OCF has made changes to the UPnP protocol specification. Therefore, manufacturers of affected devices are in the process of determining its impact. As a result, we anticipate newly affected devices will be reported and patches will be released over time for devices still receiving product support. Tenable product coverage for this vulnerability can be found in the “identifying affected systems” section below.
At the time this blog post was published, the CallStranger website listed the following operating systems, networking equipment, printers, IoT devices and applications as reportedly vulnerable.
Operating Systems
| Vendor/Model | Version |
|---|---|
| Windows 10 | 10.0.18362.719 |
| Xbox One OS | 10.0.19041.2494 |
Networking Equipment
| Vendor/Model | Version |
|---|---|
| ASUS | RT-N11 |
| Broadcom ADSL | - |
| Cisco Wireless Access Point | WAP150 WAP131 WAP351 |
| D-Link | DVG-N5412SP |
| Huawei | HG255s (HG255sC163B03) HG532e MyBox |
| NEC AccessTechnica | WR8165N |
| Netgear | WNHDE111 |
| Ruckus ZoneDirector | - |
| TP-Link | Archer C50 |
| ZTE | ZXV10 W300 H108N |
| Zyxel | AMG1202-T10B |
Printers
| Vendor/Model | Version |
|---|---|
| Canon Selphy | CP1200 |
| Dell | B1165NFW |
| EPSON EP, EW, XP Series Printers | - |
| Hewlett Packard Deskjet, Photsmart and Officejet ENVY | - |
| Samsung | X4300 |
Internet of Things
| Vendor/Model | Version |
|---|---|
| Canal Digital ADB | TNR-5720 SX |
| Belkin Wemo | - |
| Nokia HomeMusic Media Device | - |
| Panasonic | BB-HCM735 VL-MWN350 |
| Philips | 2k14MTK TV (TPL161E_012.003.039.001) |
| Samsung | UE55MU7000 (T-KTMDEUC-1280.5, BT - S) MU8000 |
| Siemens | CNE1000 |
| Trendnet | TV-IP551W |
Applications
| Vendor/Model | Version |
|---|---|
| ASUS Media Streamer | - |
| LG Smartshare Media | - |
| Sony Media Go Media | - |
| Stream What You Hear | - |
| Ubiquiti UniFi Controller | - |
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Additionally, the table below lists several Tenable plugins to help identify devices within your network that may have UPnP enabled.
| Plugin ID | Description | Product |
|---|---|---|
| 10829 | UPnP Client Detection | Nessus |
| 35711 | Universal Plug and Play (UPnP) Protocol Detection | Nessus |
| 8061 | UPNP Traffic Detection (Client) | Nessus Network Monitor (NMM) |
| 1948 | UPNP Traffic Detection | Nessus Network Monitor (NMM) |
Get more information
- CallStranger Disclosure Site
- CERT/CC CallStranger Advisory (VU#339275)
- Proof of Concept Code released on GitHub
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Related Articles
CVE-2024-47575: Frequently Asked Questions About FortiJump Zero-Day in FortiManager and FortiManager Cloud
October 23, 2024Frequently asked questions about a zero-day vulnerability in Fortinet’s FortiManager that has reportedly been exploited in the wild.
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
October 22, 2024Twenty five years after the launch of CVE, the Tenable Security Response Team has handpicked 25 vulnerabilities that stand out for their significance.
Oracle October 2024 Critical Patch Update Addresses 198 CVEs
October 15, 2024Oracle addresses 198 CVEs in its fourth quarterly update of 2024 with 334 patches, including 35 critical updates.
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates
October 25, 2024Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.
- Vulnerability Management
- Vulnerability Scanning