bluebay2014 - Fotolia
'CallStranger' vulnerability affects billions of UPNP devices
A new vulnerability in the Universal Plug and Play protocol could be used to exfiltrate enterprise data and launch DDoS attacks, and patches may not arrive for a long time.
A newly disclosed vulnerability named "CallStranger" affects billions of connected devices and can be exploited to steal data or initiate large-scale DDoS attacks.
CallStranger was disclosed Monday by Yunus Çadırcı, senior cybersecurity manager at EY Turkey. The vulnerability affects the Universal Plug and Play (UPNP) protocol, which is widely used by a variety for devices, from enterprise routers and IoT devices to video game consoles and smart TVs.
"The vulnerability -- CallStranger -- is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF [server-side request forgery]-like vulnerability, which affects millions of Internet facing and billions of LAN devices," Çadırcı wrote on the research site.
The vulnerability, CVE-2020-12695, can allow unauthorized users to bypass security products such DLP and exfiltrate data or abuse connected devices for DDoS attacks that use TCP amplification.
Çadırcı said data exfiltration is the "biggest risk" for enterprises and advised organizations to check their logs for suspicious activity around UPNP. The threat to consumer devices, he said, is lower but those devices could be compromised and used for DDoS attacks against larger organizations. " Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end user devices," he wrote.
The UPNP protocol was started in 1999 by an industry initiative known as the UPnP Forum; the protocol was designed to simplify network connections for homes and corporate environments. The Open Connectivity Foundation, which assumed control of protocol in 2016, updated its UPNP 2.0 specification in April to address the vulnerability.
However, patches have not yet been released for CallStranger.
"Because this is a protocol vulnerability, it may take a long time for vendors to provide patches," Çadırcı wrote.
Many connected devices will need firmware updates to resolve CallStranger, and IoT devices have historically been difficult to patch because some products are shipped without the ability to receive and install such updates.
In a post on CallStranger, vulnerability management vendor Tenable said it expects more vulnerable devices to be identified and patched as time goes on.
"[M]anufacturers of affected devices are in the process of determining its impact," Tenable wrote in the blog post. "As a result, we anticipate newly affected devices will be reported and patches will be released over time for devices still receiving product support."
In the meantime, Çadırcı advised enterprises to "take their own actions" by blocking UPNP ports for connected devices that don't need the functionality and blocking all SUBSCRIBE and NOTIFY HTTP packets in ingress and egress traffic to security products. In addition, he recommended ISPs block access to widely used UPnP control and eventing ports that are accessible on the public internet.
Çadırcı first discovered the vulnerability late last year and reported it to the Open Connectivity Foundation on Dec. 12. Public disclosure of CallStranger was pushed back several times beyond the traditional 90-day deadline because several vendors and ISPs requested more time.
The CallStranger research site lists a number of vulnerable products from leading vendors such as Microsoft, Cisco, Broadcom and Samsung, as well as a list of additional devices that could be affected but have yet to be confirmed by the vendors.