Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:50 PM
Connect Directly

Vulnerability in Plug-and-Play Protocol Puts Billions of Devices at Risk

"CallStranger" flaw in UPnP allows attackers to launch DDoS attacks and scan internal ports, security researcher says.

Billions of network-connected devices, such as printers, routers, smart TVs, and video game consoles, are open to attack via a security vulnerability in a protocol that allows the devices to communicate with each other.

Nearly 5.5 million of the vulnerable devices are currently publicly accessible over the Internet and can be used to launch denial-of-service (DoS) attacks against targeted systems or enable data theft, Carnegie Mellon University's CERT Coordination Center said this week. The vulnerability — called CallStranger (CVE-2020-12695) — enables attackers to use a vulnerable Internet-connected device to bypass security mechanisms and scan internal ports for other similarly vulnerable devices on enterprises' local area networks.

"The [vulnerability] permits an attacker to send large amounts of data to arbitrary destinations accessible over the Internet, which could lead to a Distributed Denial of Service (DDoS), data exfiltration, and other unexpected network behavior," the CERT Coordination Center warned in an alert.

Yunus Cadirci, a Turkey-based security researcher, discovered the flaw last December and reported it to the Open Connectivity Foundation (OCF), the group that manages the Universal Plug and Play (UPnP) protocol in which the bug exists. The problem, specifically, is associated with an UPnP function called SUBSCRIBE that allows devices to monitor the status of other network-connected UPnP services and devices. Attackers can take control of the function via specifically crafted SUBSCRIBE requests over HTTP.

OCF updated the UPnP protocol specification on April 17 to address the issue and has notified vendors and ISPs about the need to upgrade to the new specification. However, because the flaw lies at the protocol level, it could take a long time before all vendors address the issue, Cadirici said on a website set up exclusively to describe the vulnerability and its impact.

The researcher posted a detailed technical description of the vulnerability and proof-of-concept code to exploit it on GitHub. He listed devices from over 20 vendors, including Microsoft, Cisco, Canon, HP, and Philips, as confirmed as being affected. The status of products from dozens of other vendors remains currently unknown, though it is more than likely they are impacted as well. A wide range of plug-in-play products is impacted, including Xbox gaming consoles, printers, routers, switches, and cameras.

"The CallStranger vulnerability exists because the 'Callback' header value in the UPnP SUBSCRIBE function is not checked," says Satnam Narang, staff research engineer at Tenable. "To exploit the flaw, an attacker could stuff their request with a large volume of target URLs across multiple vulnerable devices, overwhelming their target's resources [and] resulting in a denial of service," he says.

PoC Code Released
With PoC code now available, an attacker could easily scan for and collect a list of vulnerable devices that are publicly accessible. They could then modify or create their own script to launch a DDoS attack against a target of their choosing using the vulnerable devices they've identified, he says.

"If a single device on a network has a vulnerable version of UPnP connected to the Internet, an attacker could use the flaw to perform a port scan of the internal network for potentially vulnerable devices," Narang notes.

Craig Young, a security researcher with Tripwire's vulnerability and exposure research team (VERT), says the problem with UPnP is that it is designed from the ground up, without any regard for security. In most cases, devices running the protocol implicitly trust requests from other devices on the local network without any prior authentication.

"I cannot think of any legitimate reason why anyone would want to expose UPnP directly to the Internet," Young says.

The CallStranger vulnerability gives attackers a way to launch DDoS attacks and steal data, he says. "When talking about stealing data with UPnP, it absolutely depends on the device," Young says. 

Connected media devices, for example, often reveal unique identifiers. Similarly, printers may allow monitoring of print status, and routers may give detailed information about the names and addresses of devices on the network.

"In general, though, all of these problems exist independent of CallStranger through web browser-based attacks," Young says. "If you load a web page while connected to the same network as UPnP-enabled devices, that web page can, in most cases, start accessing the UPnP devices."

In its alert, the CERT Coordination Center urged organizations to disable UPnP on all Internet-accessible interfaces. It also advised device manufacturers to disable the SUBSCRIBE capability in their default configurations, so users would need to explicitly enable the feature with restrictions to limit usage within a trusted LAN.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
6/11/2020 | 12:17:08 PM
Interesting article, but this is a mute point since most of the devices are behind FWs

With PoC code now available, an attacker could easily scan for and collect a list of vulnerable devices that are publicly accessible.

From my understanding, most of the printers are behind firewalls; however, if there is lateral/horizontal movement, the end-user or admin has bigger problems that need to be addressed (per the statement made by the speaker). In certain instances, I can see where certain cameras might be affected because they are connected directly to the internet (traffic cameras) and some of their IP Addresses are made public, but I am not sure how many IOT devices are connected directly to the internet. There is a site on the web that indicates a number of devices connected directly to the internet but that is part of another conversation - https://www.shodan.io/explore

I do see limitations in the statements made but it is possible, we just need to remain vigilant. A possible remidy would be to connect using SHA Hash 256 to the OS because the system could determine if the hash was found on the network or a token process where a PIN is used (a number of printers have this capability but most people don't use it).

COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
APT Groups Set Sights on Linux Targets: Inside the Trend
Kelly Sheridan, Staff Editor, Dark Reading,  9/11/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-18
Directory traversal vulnerability in WHR-G54S firmware 1.43 and earlier allows an attacker to access sensitive information such as setting values via unspecified vectors.
PUBLISHED: 2020-09-18
Cross-site scripting vulnerability in WHR-G54S firmware 1.43 and earlier allows remote attackers to inject arbitrary script via a specially crafted page.
PUBLISHED: 2020-09-18
UNIQLO App for Android versions 7.3.3 and earlier allows remote attackers to lead a user to access an arbitrary website via the vulnerable App. As a result, if the access destination is a malicious website, the user may fall victim to the social engineering attack.
PUBLISHED: 2020-09-18
UNIQLO App for Android versions 7.3.3 and earlier allows remote attackers to lead a user to access an arbitrary website via a malicious App created by the third party. As a result, if the access destination is a malicious website, the user may fall victim to the social engineering attack.
PUBLISHED: 2020-09-18
** DISPUTED ** A buffer overflow vulnerability exists in the mg_get_http_header function in Cesanta Mongoose 6.18 due to a lack of bounds checking. A crafted HTTP header can exploit this bug. NOTE: a committer has stated "this will not happen in practice."