Universal Plug and Play (UPnP) SUBSCRIBE can be abused to send traffic to arbitrary destinations

guest · Jun 8, 2020

Universal Plug and Play (UPnP) SUBSCRIBE can be abused to send traffic to arbitrary destinations
Vulnerability Note VU#339275
June 8, 2020
https://kb.cert.org/vuls/id/339275

Overview
The Universal Plug and Play (UPnP) protocol in effect prior to April 17, 2020 can be abused to send traffic to arbitrary destinations using SUBSCRIBE functionality.
Description
The UPnP protocol, as specified by the Open Connectivity Foundation (OCF), is designed to provide automatic discovery and interaction with devices on a network. The UPnP protocol is designed to be used in a trusted local area network (LAN) and the protocol does not implement any form of authentication or verification.

A vulnerability in the UPnP SUBSCRIBE capability permits an attacker to send large amounts of data to arbitrary destinations accessible over the Internet, which could lead to a Distributed Denial of Service (DDoS), data exfiltration, and other unexpected network behavior.
Click to expand...

Impact
A remote, unauthenticated attacker may be able to abuse the UPnP SUBSCRIBE capability to send traffic to arbitrary destinations, leading to amplified DDoS attacks and data exfiltration. In general, making UPnP available over the the Internet can pose further security vulnerabilities than the one described in this vulnerability note.
Click to expand...

guest · Jun 8, 2020

CallStranger vulnerability lets attacks bypass security systems and scan LANs
The CallStranger vulnerability can also be used to launch major DDoS attacks
June 8, 2020
https://www.zdnet.com/article/calls...ttacks-bypass-security-systems-and-scan-lans/

A severe vulnerability resides in a core protocol found in almost all internet of things (IoT) devices.

The vulnerability, named CallStranger, allows attackers to hijack smart devices for distributed denial of service (DDoS) attacks, but also for attacks that bypass security solutions to reach and conduct scans on a victim's internal network -- effectively granting attackers access to areas where they normally wouldn't be able to reach.
CALLSTRANGER BUG IMPACTS UPNP
According to a website dedicated to the CallStranger vulnerability published today, the bug impacts UPnP, which stands for Universal Plug and Play, a collection of protocols that ship on most smart devices.
Click to expand...

CALLSTRANGER -- THE TECHNICAL DETAILS
In December 2019, a security engineer named Yunus Çadirci found a bug in this extremely widespread technology.
Çadirci says that an attacker can send TCP packets to a remote device that contains a malformed callback header value in UPnP's SUBSCRIBE function. [...]
PATCHING TO TAKE A WHILE
Çadirci said he notified the OCF last year, and that the organization has updated the UPnP protocols since his report. These updates to the UPnP protocols have went live on April 17, 2020, and the CERT/CC team says that some vendors are

"Because this is a protocol vulnerability, it may take a long time for vendors to provide patches," Çadirci said today, suggesting that firmware patches may be a long time away.
The CallStranger security flaw is also tracked as CVE-2020-12695. There are currently around 5.45 million UPnP-capable devices connected to the internet, making this an ideal attack surface for IoT botnets and APTs.
Click to expand...

Log in or Sign up

Universal Plug and Play (UPnP) SUBSCRIBE can be abused to send traffic to arbitrary destinations

guest Guest

guest Guest

Log in or Sign up

Universal Plug and Play (UPnP) SUBSCRIBE can be abused to send traffic to arbitrary destinations

guest Guest

guest Guest

Useful Searches