Vulnerability in Plug-and-Play Protocol Puts Billions of Devices at Risk

CallStranger flaw in UPnP allows attackers to launch DDoS attacks and scan internal ports, security researcher says.

4 Min Read

Billions of network-connected devices, such as printers, routers, smart TVs, and video game consoles, are open to attack via a security vulnerability in a protocol that allows the devices to communicate with each other.

Nearly 5.5 million of the vulnerable devices are currently publicly accessible over the Internet and can be used to launch denial-of-service (DoS) attacks against targeted systems or enable data theft, Carnegie Mellon University's CERT Coordination Center said this week. The vulnerability — called CallStranger (CVE-2020-12695) — enables attackers to use a vulnerable Internet-connected device to bypass security mechanisms and scan internal ports for other similarly vulnerable devices on enterprises' local area networks.

"The [vulnerability] permits an attacker to send large amounts of data to arbitrary destinations accessible over the Internet, which could lead to a Distributed Denial of Service (DDoS), data exfiltration, and other unexpected network behavior," the CERT Coordination Center warned in an alert.

Yunus Cadirci, a Turkey-based security researcher, discovered the flaw last December and reported it to the Open Connectivity Foundation (OCF), the group that manages the Universal Plug and Play (UPnP) protocol in which the bug exists. The problem, specifically, is associated with an UPnP function called SUBSCRIBE that allows devices to monitor the status of other network-connected UPnP services and devices. Attackers can take control of the function via specifically crafted SUBSCRIBE requests over HTTP.

OCF updated the UPnP protocol specification on April 17 to address the issue and has notified vendors and ISPs about the need to upgrade to the new specification. However, because the flaw lies at the protocol level, it could take a long time before all vendors address the issue, Cadirici said on a website set up exclusively to describe the vulnerability and its impact.

The researcher posted a detailed technical description of the vulnerability and proof-of-concept code to exploit it on GitHub. He listed devices from over 20 vendors, including Microsoft, Cisco, Canon, HP, and Philips, as confirmed as being affected. The status of products from dozens of other vendors remains currently unknown, though it is more than likely they are impacted as well. A wide range of plug-in-play products is impacted, including Xbox gaming consoles, printers, routers, switches, and cameras.

"The CallStranger vulnerability exists because the 'Callback' header value in the UPnP SUBSCRIBE function is not checked," says Satnam Narang, staff research engineer at Tenable. "To exploit the flaw, an attacker could stuff their request with a large volume of target URLs across multiple vulnerable devices, overwhelming their target's resources [and] resulting in a denial of service," he says.

PoC Code Released
With PoC code now available, an attacker could easily scan for and collect a list of vulnerable devices that are publicly accessible. They could then modify or create their own script to launch a DDoS attack against a target of their choosing using the vulnerable devices they've identified, he says.

"If a single device on a network has a vulnerable version of UPnP connected to the Internet, an attacker could use the flaw to perform a port scan of the internal network for potentially vulnerable devices," Narang notes.

Craig Young, a security researcher with Tripwire's vulnerability and exposure research team (VERT), says the problem with UPnP is that it is designed from the ground up, without any regard for security. In most cases, devices running the protocol implicitly trust requests from other devices on the local network without any prior authentication.

"I cannot think of any legitimate reason why anyone would want to expose UPnP directly to the Internet," Young says.

The CallStranger vulnerability gives attackers a way to launch DDoS attacks and steal data, he says. "When talking about stealing data with UPnP, it absolutely depends on the device," Young says. 

Connected media devices, for example, often reveal unique identifiers. Similarly, printers may allow monitoring of print status, and routers may give detailed information about the names and addresses of devices on the network.

"In general, though, all of these problems exist independent of CallStranger through web browser-based attacks," Young says. "If you load a web page while connected to the same network as UPnP-enabled devices, that web page can, in most cases, start accessing the UPnP devices."

In its alert, the CERT Coordination Center urged organizations to disable UPnP on all Internet-accessible interfaces. It also advised device manufacturers to disable the SUBSCRIBE capability in their default configurations, so users would need to explicitly enable the feature with restrictions to limit usage within a trusted LAN.

Related Content:








Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights