A newly disclosed UPnP vulnerability that affects billions of devices can be exploited for various types of malicious activities, including distributed denial-of-service (DDoS) attacks and data exfiltration.
Designed to facilitate the automatic discovery and interaction with devices on a network, the UPnP protocol is meant for use within trusted local area networks (LANs), as it lacks any form of authentication or verification.
Many commonly used Internet-connected devices include support for UPnP, but the Device Protection service, which adds security features to UPnP, has not been widely adopted.
In an alert published on Monday, the CERT Coordination Center (CERT/CC) warns of a vulnerability that impacts the protocol in effect prior to April 17, when the Open Connectivity Foundation (OCF) updated the UPnP protocol specification. The flaw could allow attackers to send “large amounts of data to arbitrary destinations accessible over the Internet.”
The vulnerability, which is tracked as CVE-2020-12695 and is referred to as CallStranger, could be abused by remote, unauthenticated attackers to carry out DDoS assaults, bypass security systems and exfiltrate data, and scan internal ports.
“Although offering UPnP services on the Internet is generally considered to be a misconfiguration, a number of devices are still available over the Internet according to a recent Shodan scan,” CERT/CC notes.
The vulnerability, discovered by Yunus Çadırcı of EY Turkey, impacts Windows PCs, gaming consoles, TVs and routers from Asus, Belkin, Broadcom, Cisco, Dell, D-Link, Huawei, Netgear, Samsung, TP-Link, ZTE, and possibly many others.
“[The vulnerability] is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability ..
Support the originator by clicking the read the rest link below.
