
CallStranger bug in billions of devices can enable data exfiltration, DoS attacks

Billions of Internet of Things and Local Area Network devices that rely on the Universal Plug and Play (UPnP) protocol for discovery of and interaction with other devices are vulnerable to "CallStranger," a bug that can be exploited to exfiltrate data, launch a denial of service attack or scan ports.

The Windows 10 operating system, the Xbox One gaming console, and various models of printers, modems, televisions and routers are among the many products affected.

Officially designated CVE-2020-12695, the bug lies in UPnP's SUBSCRIBE capability and is caused by a Callback header value that attackers can control, allowing them to direct large quantities of traffic to arbitrary destinations, the CERT/CC reported in a security advisory.

In that sense, the vulnerability is similar in nature to a server-side request forgery (SSRF) flaw, according to a web page created by the researcher who discovered it, Yunus Çadirci, cyber security senior manager at EY Turkey. (A detailed technical report can be found here.)

Adversaries can take advantage of CallStranger to bypass data loss prevention protections and network security devices and ultimately exfiltrate sensitive data. They can also leverage internet-facing devices to perform reflected Transmission Control Protocol (TCP) DDoS attacks and to scan ports.

"We see data exfiltration as the biggest risk of CallStranger. Checking logs is critical if any threat actor used this in the past," Çadirci wrote. "Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end-user devices. Because of the latest UPnP vulnerabilities, enterprises blocked Internet exposed UPnP devices so we don't expect to see port scanning from Internet to Intranet but Intranet2Intranet may be an issue."

"This UPnP SUBSCRIBE attack looks to be a pretty effective method for DDoSing a target -- not as effective as the memcached attack, but more effective than a regular old SYN flood, but it is predicated on one key misconfiguration, and that's having UPnP exposed to the internet in the first place," said Tod Beardsley, director of research at Rapid7. "ISPs really should be doing a better job at limiting this traffic -- it has a well-known port associated, and is easy to spot and filter. Similarly, would-be targets can trivially defend against this traffic just by virtue of it being UPnP -- an edge IPS or next-gen firewall can trivially identify and drop offending traffic."

"As for the exfiltration aspect, that's similarly easy to defend against -- just don't expose UPnP," Beardsley continued. "Of course, if you're already exposing UPnP, you're probably doing it by accident and are more than likely unaware that you're exposing it, which means that you're unlikely to be reading security news articles like this one."

The Open Connectivity Foundation (OCF), which was alerted to the flaw last Dec. 20, patched the issue by updating the UPnP specification back on April 17. Public disclosure of the vulnerability was withheld until Monday, however, at the request of various vendors and ISPs. Indeed, it may take some time for all affected manufacturers to patch their UPnP stack.

In addition to downloading the new UPnP specification, users are strongly advised to disable the protocol on internet-accessible interfaces where there is no business need for it; exposing UPnP to the internet is not recommended in any case.

Meanwhile, device manufacturers "are urged to disable the UPnP SUBSCRIBE capability in their default configuration and to require users to explicitly enable SUBSCRIBE with any appropriate network restrictions to limit its usage to a trusted local area network," the CERT/CC wrote.
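The mechanism described above (an attacker-controlled Callback header in a SUBSCRIBE request) and the CERT/CC's mitigation (honour SUBSCRIBE only for a trusted local network) can be shown in one policy check. The following is an added illustration, not code from the advisory, the researcher or any vendor's UPnP stack; the sample request and the trusted subnet 192.168.1.0/24 are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: a UPnP SUBSCRIBE request as a device would receive it.
# The CALLBACK header lists where the device must deliver event notifications;
# CallStranger abuses it by naming an arbitrary, often external, destination.
SAMPLE_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/cds HTTP/1.1\r\n"
    "HOST: 192.168.1.20:49152\r\n"
    "CALLBACK: <http://192.168.1.5:8080/notify><http://203.0.113.9:80/leak>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)

# Assumption: the device's own LAN is the only trusted network.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_callbacks(raw_request: str) -> list[str]:
    """Return the URLs in the CALLBACK header (UPnP allows several, each in <>)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().upper() == "CALLBACK":
            return re.findall(r"<([^>]+)>", value)
    return []


def is_trusted_callback(url: str, trusted=TRUSTED_NETS) -> bool:
    """Accept only http:// URLs whose host is a literal IP inside a trusted LAN."""
    parsed = urlparse(url)
    if parsed.scheme != "http" or not parsed.hostname:
        return False
    try:
        host = ipaddress.ip_address(parsed.hostname)   # hostnames rejected: no DNS indirection
    except ValueError:
        return False
    return any(host in net for net in trusted)


def check_subscribe(raw_request: str, trusted=TRUSTED_NETS) -> dict:
    """Decide whether a SUBSCRIBE should be honoured and report offending callbacks."""
    callbacks = parse_callbacks(raw_request)
    rejected = [u for u in callbacks if not is_trusted_callback(u, trusted)]
    return {"accept": bool(callbacks) and not rejected,
            "callbacks": callbacks, "rejected": rejected}


if __name__ == "__main__":
    print(check_subscribe(SAMPLE_SUBSCRIBE))
```

The same check, run over captured SUBSCRIBE requests, is a simple way to hunt for past abuse in logs: any callback pointing outside the local network is the indicator.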

Çadirci's write-up also has additional recommendations for home users, ISPs, vendors and enterprises.

Other products confirmed to be affected include the ADB TNR-5720SX Box, Asus Media Streamer, Asus Rt-N11, Belkin WeMo, Broadcom ADSL Modems, Canon SELPHY CP1200 Printer, Cisco X1000, Cisco X3500, D-Link DVG-N5412SP WPS Router, EPSON EP/EW/XP Series, HP Deskjet/Photosmart/Officejet ENVY Series, Huawei HG255s Router, NEC AccessTechnica WR8165N Router, Philips 2k14MTK TV, Samsung UE55MU7000 TV, Samsung MU8000 TV, TP-Link TL-WA801ND, Trendnet TV-IP551W and Zyxel VMG8324-B10A.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
