A security researcher has discovered a vulnerability that could allow attackers to access UPnP (Universal Plug and Play) devices remotely and without authentication. The vulnerability, named "CallStranger" (CVE-2020-12695), lies directly in the UPnP protocol and, according to its discoverer Yunus Çadırcı, affects billions of network-enabled devices that respond to UPnP requests. Several million of these devices are reachable from the internet.
According to the dedicated CallStranger website, the researcher informed the Open Connectivity Foundation (OCF) at the end of December. The OCF published an updated, hardened version of the protocol on 17 April. According to Çadırcı, however, it is likely to take a while before most manufacturers have developed and deployed (firmware) updates based on the revised UPnP specification. There are also cheap (IoT) devices that fundamentally receive no security updates at all.
Çadırcı has published a first list of affected devices (or firmware) and operating systems whose manufacturers have already confirmed the vulnerability and/or which he successfully attacked with his own proof-of-concept code. It includes various routers as well as network-enabled printers, IP cameras, smart doorbells and TVs. Windows 10 (probably all versions, including Server) and the operating system of the Xbox One are also represented.
DDoS attacks and information theft
CallStranger / CVE-2020-12695 lies in the SUBSCRIBE function of the UPnP standard, which essentially serves to query status changes of other (UPnP) devices or services. The "Callback" field in the header of a SUBSCRIBE request specifies the URL(s) to which the answering device sends its "event messages", and it is precisely this field that attackers can manipulate via CallStranger.
In this way the devices can be made to send traffic to arbitrary targets in the course of a distributed denial-of-service (DDoS) attack, which is presumably where the name of the vulnerability comes from. According to Çadırcı, CallStranger can also be used, by way of devices reachable from the internet, to bypass security mechanisms, exfiltrate data from internal networks and scan the devices there for open ports. The vulnerability therefore puts not only the devices reachable over the internet (currently more than five million according to the IoT search engine Shodan) at risk, but also vulnerable devices in the local network.
The researcher has illustrated the various attack scenarios in a technical report. He has also published his proof-of-concept code on GitHub, in the form of a script that also tells users whether, and which, UPnP devices in their own network are vulnerable.
- CallStranger: technical report
- GitHub repository for CallStranger
UPnP ports to the internet: best kept closed
Via Universal Plug and Play (UPnP), devices in the local network can, among other things, announce their services to each other and exchange control commands. This is convenient and reduces configuration effort. However, as soon as UPnP-capable devices respond not only to requests from the local network but also to requests from the internet, they become a potential security risk.
Accordingly, the CERT Coordination Center at Carnegie Mellon University, in an advisory on CallStranger, also recommends disabling the UPnP function where possible, especially (but not only) if it is reachable from the internet. Çadırcı likewise recommends, in a corresponding section of his CallStranger website, at least closing all unused UPnP ports that are reachable from the network. Security-relevant devices should block SUBSCRIBE and NOTIFY HTTP packets.
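As an added example (not part of the article, the CERT advisory or Çadırcı's published code), the following Python filter implements the check that the description of the Callback field and the blocking recommendation both point to: it parses a SUBSCRIBE request, extracts the CALLBACK URLs and flags any that do not point into the local network, which is how a device or gateway could refuse a manipulated subscription instead of sending event traffic to an outside target. The local subnet and the two sample requests are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # constructed assumption: the LAN this device serves

def parse_request(raw: str) -> dict:
    """Split a raw UPnP (HTTP) request into method and lower-cased headers."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": lines[0].split(" ")[0].upper(), "headers": headers}

def callback_urls(headers: dict) -> list:
    """CALLBACK carries one or more URLs, each wrapped in angle brackets."""
    raw = headers.get("callback", "")
    return [u.strip() for u in raw.replace(">", "").split("<") if u.strip()]

def offending_callbacks(raw: str) -> list:
    """Return the CALLBACK URLs of a SUBSCRIBE request that point outside LOCAL_NETS.
    Empty list: benign subscription; otherwise drop and log the request."""
    req = parse_request(raw)
    if req["method"] != "SUBSCRIBE":
        return []
    bad = []
    for url in callback_urls(req["headers"]):
        try:
            addr = ipaddress.ip_address(urlsplit(url).hostname)
        except ValueError:  # hostname, empty or malformed: cannot verify, so reject
            bad.append(url)
            continue
        if not any(addr in net for net in LOCAL_NETS):
            bad.append(url)
    return bad

# Constructed samples: a normal LAN subscription, and one whose callbacks point to
# an internet host and to another internal subnet (the CallStranger pattern).
BENIGN_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\nCALLBACK: <http://192.168.1.20:49153/notify>\r\n"
    "NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n"
)
SUSPICIOUS_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\nCALLBACK: <http://203.0.113.10:80/><http://10.0.0.5:22/>\r\n"
    "NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n"
)
```

`offending_callbacks(BENIGN_SUBSCRIBE)` returns an empty list, while the suspicious request yields both outside URLs; a real deployment would also resolve hostnames and treat loopback or link-local callbacks according to its own policy.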