
UPnP ‘CallStranger’ Vulnerability Affects Billions of Devices

Silviu STAHIE

June 10, 2020


A security researcher has discovered a vulnerability in Universal Plug and Play (UPnP) that could let attackers control networked devices. The organization that maintains the protocol has already issued a patch.

A protocol as widespread as UPnP presents significant security problems, mostly because, even when vulnerabilities are found and fixed, it takes a long time before those patches reach the devices, if they ever do. The sad truth is that many IoT devices that implement UPnP won’t get the update, leaving them exposed for as long as they are operational.

UPnP is a protocol that allows devices on the same network to talk to each other. Because devices that implement UPnP are usually designed for closed, trusted networks, the protocol has no authentication process of its own.

The vulnerability, dubbed CallStranger (CVE-2020-12695), “is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet-facing and billions of LAN devices,” reads the advisory.

An attacker who exploits the flaw could bypass DLP and network security to exfiltrate data, use Internet-facing UPnP devices as a source of amplified reflected TCP DDoS, and scan ports from Internet-facing UPnP devices.
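A defender-side check for the behaviour the advisory describes, as an added example that is not from the article or the advisory: it parses SUBSCRIBE requests and flags any Callback URL that points somewhere other than the host that sent the request. The LAN prefix, the sample requests and the verdict labels are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the local segment

# Constructed (subscriber IP, raw request) pairs; not captured traffic.
SAMPLES = [
    ("192.168.1.23", "SUBSCRIBE /evt HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
     "CALLBACK: <http://192.168.1.23:8080/notify>\r\nNT: upnp:event\r\n\r\n"),
    ("192.168.1.50", "SUBSCRIBE /evt HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
     "Callback: <http://203.0.113.7/a><http://203.0.113.7:81/b>\r\nNT: upnp:event\r\n\r\n"),
    ("192.168.1.60", "SUBSCRIBE /evt HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
     "CALLBACK: <http://192.168.1.99:22/>\r\nNT: upnp:event\r\n\r\n"),
    ("192.168.1.70", "GET /desc.xml HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n\r\n"),
]


def callback_urls(raw):
    """Return every URL in the Callback header of a SUBSCRIBE request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].upper().startswith("SUBSCRIBE "):
        return []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "callback":
            return re.findall(r"<([^<>]+)>", value)  # one or more <url> entries
    return []


def classify(src_ip, url):
    """Compare a Callback target with the host that sent the request."""
    try:
        target = ipaddress.ip_address(urlsplit(url).hostname or "")
    except ValueError:
        return "hostname"        # name instead of IP literal: resolve before trusting
    if target == ipaddress.ip_address(src_ip):
        return "ok"              # subscriber asked to be notified itself
    return "other-lan-host" if target in LAN else "off-segment"


def suspicious(samples):
    """List (subscriber, url, verdict) for every Callback that is not 'ok'."""
    return [(src, url, verdict) for src, raw in samples
            for url in callback_urls(raw)
            if (verdict := classify(src, url)) != "ok"]


if __name__ == "__main__":
    for row in suspicious(SAMPLES):
        print(*row)
```

The membership test uses an explicit LAN prefix rather than `is_private`, because Python's `ipaddress` module treats documentation ranges such as 203.0.113.0/24 as private.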

The vulnerability has far-reaching implications because it’s difficult to quantify just how many devices are affected. In any case, it’s up to manufacturers to fix the problem and push updates down to consumers, but that process takes a lot of time. Some vulnerabilities found years ago remain unpatched even today.

The researcher explains that all supported Windows versions, Xbox One, and most TVs and routers are affected by the vulnerability. A comprehensive list is available, but it is by no means complete.
