Billions of devices affected by UPnP vulnerability

By John E Dunn, Sophos

June 10, 2020

Stop us if you've heard this before but a researcher has uncovered a new security vulnerability affecting many devices running the Universal Plug and Play (UPnP) protocol.

Named CallStranger by discoverer Yunus Çadırcı, the potential for trouble with this flaw looks significant for a whole menu of reasons, starting with the gotcha that it's UPnP.

UPnP was invented back in the mists of time to graft the idea of plug-and-play onto the knotty world of home networking.

UPnP meant users didn't have to know how to configure router ports: if the device and the home router supported UPnP (often turned on by default), connectivity happened automagically.

But UPnP also allowed more and more devices inside the network to connect to external entities on the internet with no authentication, which is where the trouble started.

Enter CallStranger (CVE-2020-12695), technically a vulnerability in UPnP's SUBSCRIBE function that makes possible what Çadırcı describes as a "Server Side Request Forgery (SSRF)-like vulnerability."

An attacker able to exploit this flaw could use it to co-opt vulnerable devices for DDoS attacks, bypass data loss prevention security to sneak data out of networks, and possibly carry out port scanning to probe for exposed UPnP devices.
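As an added illustration, not code from the article or from Çadırcı's advisory, here is the kind of check the corrected specification asks devices to make: a SUBSCRIBE request should only be honoured when every callback URL points back into the device's own network, so the device cannot be turned into a relay toward arbitrary hosts. The request strings are constructed samples, and the 192.168.1.0/24 range stands in for whatever LAN the device actually sits on.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic): one whose callback
# stays on the LAN, one that also names an external host.
LOCAL_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/avtransport HTTP/1.1\r\n"
    "HOST: 192.168.1.20:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)
EXTERNAL_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/avtransport HTTP/1.1\r\n"
    "HOST: 192.168.1.20:49152\r\n"
    "CALLBACK: <http://203.0.113.9:80/> <http://192.168.1.50:8080/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)
# Placeholder for the device's own subnet (assumption, not from the article).
LAN = ipaddress.ip_network("192.168.1.0/24")

def callback_urls(raw_request):
    """Return every URL listed in the CALLBACK header (each wrapped in <>)."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().upper() == "CALLBACK":
            return re.findall(r"<([^>]+)>", value)
    return []

def callback_allowed(raw_request, local_net):
    """Accept the subscription only if every callback is a plain http URL whose
    host is a literal IP inside local_net. Hostnames are rejected so a DNS
    answer cannot steer the notification off the LAN; an empty or missing
    CALLBACK header is rejected too."""
    urls = callback_urls(raw_request)
    if not urls:
        return False
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return False
        try:
            host = ipaddress.ip_address(parts.hostname)
        except ValueError:
            return False  # hostname rather than an IP literal
        if host not in local_net:
            return False
    return True
```

A real device would apply this check before recording the subscription, and a network monitor can run the same test over observed SUBSCRIBE requests to flag callbacks aimed outside the local range.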

Which devices are affected?

Potentially large numbers of devices with UPnP enabled, which includes home routers, modems, smart TVs, printers, cameras, and media gateways. It's also been enabled on a lot of what might loosely be called Internet of Things (IoT) products, as well as major operating systems such as Windows 10, and even the Xbox games console.

A list of known and suspected vulnerable devices is available on the CallStranger publicity website, but it would be wise not to assume this is definitive (a script is available to poll the network for vulnerable devices).

The one UPnP stack that isn't affected is MiniUPnP, which is used in a sizable chunk of home routers. The problem is it's not easy to tell which devices use this and which don't.

Windows 10 1903 build 10.0.18362.719 is said to be vulnerable, which for consumers would have been updated to 10.0.18363.836 in May.

Çadırcı reported the flaw to the group that looks after UPnP, the Open Connectivity Foundation (OCF), in December, and says he's since sent and received hundreds of emails as part of the effort to coordinate a vendor response.

The OCF updated the UPnP specification on 17 April, which means that devices designed after that shouldn't be vulnerable to the issue. Çadırcı does say:

Home users are not expected to be targeted directly. If their internet facing devices have UPnP endpoints, their devices may be used for DDoS source.

Nevertheless, billions of UPnP devices will still need to be patched. In some cases that will happen but don't hold your breath; many vulnerable devices will probably either never receive an update or will receive one that won't be applied.

That's why it's important to mitigate the problem by at least turning UPnP off if it's not being used, something Naked Security has recommended after previous UPnP scares. How users do this will vary from device to device but for routers the setting will be buried somewhere in the web interface settings.

Those include the UPnProxy attack on routers uncovered by Akamai in 2018, the Pinkslipbot (aka QakBot/QBot) malware in 2017, and HD Moore's Unplug Don't Play vulnerabilities in 2013 (the latter echoing the infamous Conficker worm of 2008).
