Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/9/2020
04:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Vulnerability in Plug-and-Play Protocol Puts Billions of Devices at Risk

"CallStranger" flaw in UPnP allows attackers to launch DDoS attacks and scan internal ports, security researcher says.

Billions of network-connected devices, such as printers, routers, smart TVs, and video game consoles, are open to attack via a security vulnerability in a protocol that allows the devices to communicate with each other.

Nearly 5.5 million of the vulnerable devices are currently publicly accessible over the Internet and can be used to launch denial-of-service (DoS) attacks against targeted systems or enable data theft, Carnegie Mellon University's CERT Coordination Center said this week. The vulnerability — called CallStranger (CVE-2020-12695) — enables attackers to use a vulnerable Internet-connected device to bypass security mechanisms and scan internal ports for other similarly vulnerable devices on enterprises' local area networks.

"The [vulnerability] permits an attacker to send large amounts of data to arbitrary destinations accessible over the Internet, which could lead to a Distributed Denial of Service (DDoS), data exfiltration, and other unexpected network behavior," the CERT Coordination Center warned in an alert.

Yunus Cadirci, a Turkey-based security researcher, discovered the flaw last December and reported it to the Open Connectivity Foundation (OCF), the group that manages the Universal Plug and Play (UPnP) protocol in which the bug exists. The problem, specifically, is associated with an UPnP function called SUBSCRIBE that allows devices to monitor the status of other network-connected UPnP services and devices. Attackers can take control of the function via specifically crafted SUBSCRIBE requests over HTTP.

OCF updated the UPnP protocol specification on April 17 to address the issue and has notified vendors and ISPs about the need to upgrade to the new specification. However, because the flaw lies at the protocol level, it could take a long time before all vendors address the issue, Cadirici said on a website set up exclusively to describe the vulnerability and its impact.

The researcher posted a detailed technical description of the vulnerability and proof-of-concept code to exploit it on GitHub. He listed devices from over 20 vendors, including Microsoft, Cisco, Canon, HP, and Philips, as confirmed as being affected. The status of products from dozens of other vendors remains currently unknown, though it is more than likely they are impacted as well. A wide range of plug-in-play products is impacted, including Xbox gaming consoles, printers, routers, switches, and cameras.

"The CallStranger vulnerability exists because the 'Callback' header value in the UPnP SUBSCRIBE function is not checked," says Satnam Narang, staff research engineer at Tenable. "To exploit the flaw, an attacker could stuff their request with a large volume of target URLs across multiple vulnerable devices, overwhelming their target's resources [and] resulting in a denial of service," he says.

PoC Code Released
With PoC code now available, an attacker could easily scan for and collect a list of vulnerable devices that are publicly accessible. They could then modify or create their own script to launch a DDoS attack against a target of their choosing using the vulnerable devices they've identified, he says.

"If a single device on a network has a vulnerable version of UPnP connected to the Internet, an attacker could use the flaw to perform a port scan of the internal network for potentially vulnerable devices," Narang notes.

Craig Young, a security researcher with Tripwire's vulnerability and exposure research team (VERT), says the problem with UPnP is that it is designed from the ground up, without any regard for security. In most cases, devices running the protocol implicitly trust requests from other devices on the local network without any prior authentication.

"I cannot think of any legitimate reason why anyone would want to expose UPnP directly to the Internet," Young says.

The CallStranger vulnerability gives attackers a way to launch DDoS attacks and steal data, he says. "When talking about stealing data with UPnP, it absolutely depends on the device," Young says. 

Connected media devices, for example, often reveal unique identifiers. Similarly, printers may allow monitoring of print status, and routers may give detailed information about the names and addresses of devices on the network.

"In general, though, all of these problems exist independent of CallStranger through web browser-based attacks," Young says. "If you load a web page while connected to the same network as UPnP-enabled devices, that web page can, in most cases, start accessing the UPnP devices."

In its alert, the CERT Coordination Center urged organizations to disable UPnP on all Internet-accessible interfaces. It also advised device manufacturers to disable the SUBSCRIBE capability in their default configurations, so users would need to explicitly enable the feature with restrictions to limit usage within a trusted LAN.

Related Content:

 

 
 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/11/2020 | 12:17:08 PM
Interesting article, but this is a mute point since most of the devices are behind FWs

With PoC code now available, an attacker could easily scan for and collect a list of vulnerable devices that are publicly accessible.

From my understanding, most of the printers are behind firewalls; however, if there is lateral/horizontal movement, the end-user or admin has bigger problems that need to be addressed (per the statement made by the speaker). In certain instances, I can see where certain cameras might be affected because they are connected directly to the internet (traffic cameras) and some of their IP Addresses are made public, but I am not sure how many IOT devices are connected directly to the internet. There is a site on the web that indicates a number of devices connected directly to the internet but that is part of another conversation - https://www.shodan.io/explore

I do see limitations in the statements made but it is possible, we just need to remain vigilant. A possible remidy would be to connect using SHA Hash 256 to the OS because the system could determine if the hash was found on the network or a token process where a PIN is used (a number of printers have this capability but most people don't use it).

Todd
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.