UPnP Vulnerability Could Affect Billions of IoT Devices
CallStranger Flaw Found in Windows 10, Other Connected Devices
Carnegie Mellon University Software Engineering Institute's CERT notification center has posted a warning of a flaw in the Universal Plug and Play protocol that could potentially affect billions of internet-connected devices, leaving them vulnerable to distributed denial-of-service attacks as well as data exfiltration.
The vulnerability, dubbed CallStranger and given the designation CVE-2020-12695, can be found in billions of UPnP devices, says Yunus Çadırcı, cyber security senior manager with EY Turkey, who uncovered the issue. The vulnerability note - VU#339275 - published on Tuesday by the CERT notification center states that the UPnP protocol in effect prior to April 17 can be abused through its SUBSCRIBE function.
"The vulnerability - CallStranger - is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices," Çadırcı writes.
In his own research, Zach Varnell, senior appsec consultant at security firm nVisium, has found millions of potentially exposed connected and internet of things devices.
"A quick search of Shodan shows over 5 million devices with UPnP exposed to the internet. At the very least, botnet operators will use this for DDoS attacks. In more serious cases, a vulnerable security camera or printer could give attackers a foothold into a corporate network," Varnell says.
What Is SUBSCRIBE?
The SUBSCRIBE function is part of the UPnP standard that allows devices to monitor changes in other devices and services, according to a research note from security firm Tenable.
"For example, the PoC published on GitHub shows port 2869 for Microsoft's Xbox One - which is used to monitor device changes on the network for features like media sharing - as vulnerable," the Tenable report notes.
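The eventing flow described above is the point where the Callback header value from a SUBSCRIBE request is turned into outbound NOTIFY traffic, so it is also the natural place for a defensive check. The following is an added example (not code from the CERT note, Çadırcı's research, Tenable, or any vendor) showing how a device's eventing endpoint, or a gateway inspecting UPnP traffic, could vet the Callback URLs before honouring a subscription. The allowed-network list, the optional same_host_only rule and the sample requests are all assumptions constructed for this example; port 2869 is the one the article mentions.

```python
"""Defensive validation of UPnP SUBSCRIBE Callback headers (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Assumption for this example: the device sits on a private LAN and has no
# reason to deliver event NOTIFYs to any other network.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]

# CALLBACK carries one or more URLs, each wrapped in angle brackets.
_URL_IN_ANGLE_BRACKETS = re.compile(r"<([^>]*)>")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers


def evaluate_subscribe(raw: str, subscriber_ip: str, same_host_only: bool = False) -> dict:
    """Decide whether a SUBSCRIBE request's Callback URLs are safe to honour.

    Returns {"accept": bool, "problems": [reasons]}. Every URL must use http,
    carry an IP literal (DNS names are refused because they cannot be vetted
    without a resolver answer that may change later) and fall inside
    ALLOWED_NETWORKS; with same_host_only it must also be the subscriber's
    own address, i.e. the host that sent the SUBSCRIBE.
    """
    method, headers = parse_request(raw)
    if method != "SUBSCRIBE":
        return {"accept": False, "problems": [f"method {method!r} is not SUBSCRIBE"]}
    problems = []
    if headers.get("nt", "").lower() != "upnp:event":
        problems.append("NT header is not upnp:event")
    urls = _URL_IN_ANGLE_BRACKETS.findall(headers.get("callback", ""))
    if not urls:
        problems.append("CALLBACK header missing or contains no <url> entries")
    subscriber = ipaddress.ip_address(subscriber_ip)
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme != "http":
            problems.append(f"{url}: scheme must be http")
            continue
        host = parsed.hostname
        if not host:
            problems.append(f"{url}: no host")
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"{url}: host is a DNS name, not an IP literal")
            continue
        if not any(addr in net for net in ALLOWED_NETWORKS):
            problems.append(f"{url}: {addr} is not on an allowed local network")
        elif same_host_only and addr != subscriber:
            problems.append(f"{url}: {addr} is not the subscriber {subscriber}")
    return {"accept": not problems, "problems": problems}


# Constructed sample requests for illustration, not captured traffic.
SAMPLE_OK = (
    "SUBSCRIBE /upnp/eventing HTTP/1.1\r\n"
    "HOST: 192.168.1.1:2869\r\n"
    "CALLBACK: <http://192.168.1.20:7777/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)
SAMPLE_EXTERNAL = SAMPLE_OK.replace("http://192.168.1.20:7777/notify", "http://203.0.113.10:80/")
SAMPLE_MIXED = SAMPLE_OK.replace(
    "<http://192.168.1.20:7777/notify>",
    "<http://192.168.1.20:7777/notify><http://203.0.113.10:80/>",
)
SAMPLE_NAME = SAMPLE_OK.replace("http://192.168.1.20:7777/notify", "http://collector.example/")

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("external", SAMPLE_EXTERNAL),
                          ("mixed", SAMPLE_MIXED), ("dns-name", SAMPLE_NAME)):
        print(label, evaluate_subscribe(sample, "192.168.1.20"))
```

The check deliberately rejects the whole subscription when any one of several Callback URLs is off-network, rather than silently dropping the bad entries, so that a misconfigured control point surfaces in logs instead of partially working. Refusing DNS names is a conservative choice for this example; a deployment that needs them would have to resolve and re-check the address at every NOTIFY.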
So far, 21 devices have been confirmed vulnerable including Windows 10 PCs, Xbox One, smart TVs, printers and routers and another 14 are waiting for external confirmation on whether they are vulnerable, Çadırcı says.
A patch is available, but Çadırcı believes it could take vendors an extended period of time to apply it to their devices, so he is recommending enterprises take their own actions to protect themselves.
"The use of UPnP is about security vs. usability, with some modest upside from usability while clearly continuing to have dubious downside implications for security. Fortunately, in the enterprise context, existing and layered security controls are capable of at least partially mitigating the risk for organizations that have opted to use UPnP," Tim Wade, technical director for the CTO team at security firm Vectra tells Information Security Media Group.
Once exploited, the vulnerability allows:
- Bypassing DLP and network security devices to exfiltrate data;
- Using millions of Internet-facing UPnP devices as a source of amplified reflected TCP DDoS attacks;
- Scanning internal ports from Internet-facing UPnP devices.
The researcher believes malicious actors will primarily use this to exfiltrate data but its ability to create botnet armies will also be a highly prized functionality, according to the report.
Çadırcı does not believe the average home user will be targeted directly by attackers exploiting CVE-2020-12695, but if their Internet-facing devices have UPnP endpoints, those devices may be used as part of a botnet to participate in DDoS attacks. He suggests people ask their ISP whether their router has Internet-facing UPnP with the CallStranger vulnerability.
ISPs, in turn, need to check their DSL/cable routers' UPnP stack and ask the vendor whether the router is vulnerable through its SUBSCRIBE function. If so, ISPs can block access to the well-known UPnP control and eventing ports where they are reachable from the Internet, he suggests.
Device manufacturers need to patch their devices with the new UPnP protocol, Çadırcı says.