Security news that informs and inspires

Flaw in Plug-and-Play Protocol Exposes Devices to Data Theft, DDoS Attacks


CallStranger' vulnerability affects billions of UPNP devices Attackers can target a vulnerability in the Universal Plug and Play (UPnP) protocol to steal data, scan networks, and launch distributed denial-of-service attacks, a security researcher said.

The UPnP vulnerability, CallStranger, (CVE-2020-12695) allows attackers to bypass security tools such as data leak prevention (DLP) and firewalls to scan enterprise networks and enter areas on the network they shouldn’t be able to access from outside the network, said Yunus Çadırcı, senior cybersecurity manager at EY Turkey, who discovered the vulnerability late last year. Attackers can also potentially abuse connected devices to launch DDoS attacks via TCP amplification and exfiltrate data from vulnerable UPnP-capable devices.

“Billions of UPNP devices on the local network and millions of UPnP devices on the Internet are exposed,” Çadırcı wrote. “CallStranger is a protocol vulnerability, thus almost all UPnP devices (and probably yours) must be updated.”

The UPnP protocol, designed more than 20 years ago, simplify home and enterprise networking by allowing devices to discover each other on local networks and establish connections to exchange files, share resources (such as printers), and synchronize workloads. Many common Internet-connected devices support UPnP, such as enterprise routers, printers, video cameras, videogame consoles, and smart TVs.

Having UPnP accessible on the Internet is “generally considered to be a misconfiguration,” and there are many devices which are misconfigured in this way, US-CERT said in an advisory. A Shodan scan shows approximately 5.5 million devices with UPnP exposed to the Internet, and that is showing only a subset of vulnerable devices.

Details of the Flaw

The Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF [server-side request forgery]-like vulnerability, said Çadırcı. The SUBSCRIBE method allows network nodes to register a URL to receive callbacks under specific conditions. However, UPnP doesn’t implement any form of authentication or verification that the callbacks are coming legitimately from devices on the local network. Since the callback URL is not restricted to the local network, an attacker could potentially send TCP packets containing a malformed callback header value in the SUBSCRIBE function from outside the network. The attacker would be targeting the remote device’s internet-facing interface, but the code would be executed on the UPnP function, which usually runs on internal ports.

The attacker can use the malformed header to take advantage of any connected device which supports UPnP and is accessible on the Internet, such as security cameras, printers, routers, videogame consoles, and smart TVs.

An attacker could harness millions of vulnerable UPnP devices to launch a DDoS attack by bouncing and amplifying TCP traffic between the devices. Çadırcı said it was likely that botnets would begin targeting the vulnerability on consumer devices for this purpose.

“A remote attacker could exploit this vulnerability to cause a distributed denial-of-service condition,” US-CERT said in an alert.

Impact on Enterprises

While consumer devices are vulnerable, the “biggest risk” is probably for enterprises as data can be stolen from vulnerable devices, Çadırcı said. Internet service providers are also at risk.

Since UPnP is so widely used, the attack surface has increased for most organizations, said Curtis Simpson, CISO of Armis. Enterprises already struggle with getting a clear picture of how many IoT devices they have on their network, and the fact that attackers can bypass firewalls and other security tools means there are now more opportunities for bad actors to break into enterprise environments. Bad actors may use the vulnerability in reconnaissance attacks to scan the network, or launch attacks against internal systems.

Çadırcı reported the protocol vulnerability to the Open Connectivity Foundation on Dec. 12. Traditionally, researchers publicly disclose vulnerabilities after 90 days, but Çadırcı gave vendors and ISPs extra time to investigate and deal with the issue. OCF updated the UPnP 2.0 specification in April to address the vulnerability. Devices built or configured after April 17 is likely using the newer specification and would not be vulnerable. Everything else would need to be updated to close the flaw.

"Because this is a protocol vulnerability, it may take a long time for vendors to provide patches," Çadirci said.

The CallStranger website lists products from major vendors such as Microsoft, Cisco, Broadcom, and Samsung that are known to be vulnerable. Çadırcı also published proof-of-concept scripts on GitHub that defenders can use to determine if any of their devices are susceptible to the flaw.

Manufacturers of affected devices are in the process of determining its impact," Tenable wrote in the blog post. "As a result, we anticipate newly affected devices will be reported and patches will be released over time for devices still receiving product support.

Enterprise defenders shouldn’t just wait for CallStranger patches from vendors, because it will take a while for those updates to be rolled out. Many of these connected devices will need a firmware update, and most of them don’t have a mechanism to receive and install them. Many devices will just never get patched and will continue putting the organization at risk until it is replaced with a newer unit.

Protocol vulnerabilities tend to linger for a very long time, said Simpson. While protocols themselves are standardized, hardware and software providers are the ones that have to update their products once the protocols are updated. This makes patching a multi-step process, Simpson said. The number of vulnerable devices will naturally decrease over time as devices fail and are replaced, but patching itself may not make a significant dent.

"Less mature manufacturers and those less concerned about their brand are not likely to patch their code at all," Simpson said.

While waiting for vendors to update the devices, there are steps enterprise defenders can take, such as checking their logs for any suspicious activity around UPnP, and disabling UPnP services in IP cameras, printers, routers, and other devices if there isn’t a business need to have them, Çadırcı said. Defenders should also block all SUBSCRIBE and NOTIFY HTTP packets in traffic. One option is to evaluate whether unsecured UPnP devices even need to be on the network.

ISPs can put some pressure on vendors to update the devices. They should also block access to widely used UPnP control and eventing ports accessible on the public internet.