{"vuid":"VU#339275","idnumber":"339275","name":"Universal Plug and Play (UPnP) SUBSCRIBE can be abused to send traffic to arbitrary destinations","keywords":null,"overview":"### Overview\r\nThe Universal Plug and Play (UPnP) protocol in effect prior to April 17, 2020 can be abused to send traffic to arbitrary destinations using the SUBSCRIBE functionality.\r\n\r\n### Description\r\nThe UPnP protocol, as specified by the Open Connectivity Foundation (OCF), is designed to provide automatic discovery of and interaction with devices on a network. The UPnP protocol is designed to be used in a trusted local area network (LAN), and the protocol does not implement any form of authentication or verification.\r\n\r\nMany common Internet-connected devices support UPnP, as noted in previous research from Daniel Garcia ([VU#357851](https://www.kb.cert.org/vuls/id/357851)) and [Rapid7](https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play/). Garcia presented at [DEFCON 2019](https://www.defcon.org/images/defcon-19/dc-19-presentations/Garcia/DEFCON-19-Garcia-UPnP-Mapping.pdf) and published a scanning and portmapping tool. The UPnP [Device Protection](https://upnp.org/specs/gw/UPnP-gw-DeviceProtection-v1-Service.pdf) service was not widely adopted.\r\n\r\nA vulnerability in the UPnP SUBSCRIBE capability permits an attacker to send large amounts of data to arbitrary destinations accessible over the Internet, which could lead to a Distributed Denial of Service (DDoS), data exfiltration, and other unexpected network behavior. The OCF has [updated the UPnP specification](https://openconnectivity.org/upnp-specs/UPnP-arch-DeviceArchitecture-v2.0-20200417.pdf) to address this issue. This vulnerability has been assigned CVE-2020-12695 and is also known as [Call Stranger](https://callstranger.com).\r\n\r\nAlthough offering UPnP services on the Internet is generally considered to be a [misconfiguration](https://www.kb.cert.org/vuls/id/357851/), a number of devices are still available over the Internet according to a [recent Shodan scan](https://www.shodan.io/search?query=upnp).\r\n\r\n### Impact\r\nA remote, unauthenticated attacker may be able to abuse the UPnP SUBSCRIBE capability to send traffic to arbitrary destinations, leading to amplified DDoS attacks and data exfiltration. In general, making UPnP available over the Internet can expose further security vulnerabilities beyond the one described in this vulnerability note.\r\n\r\n### Solution\r\n\r\n#### Affected devices\r\nA number of devices have been identified as vulnerable by the security researcher and have been posted at the [CallStranger](https://callstranger.com) website. There is more information on affected devices in Tenable's blog on [cve-2020-12695](https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of).\r\n\r\n#### Apply updates\r\nVendors are urged to implement the updated [specification](https://openconnectivity.org/upnp-specs/UPnP-arch-DeviceArchitecture-v2.0-20200417.pdf) provided by the OCF. Users should monitor vendor support channels for updates that implement the new SUBSCRIBE specification.\r\n\r\n#### Disable or Restrict UPnP\r\nDisable the UPnP protocol on Internet-accessible interfaces. Device manufacturers are urged to disable the UPnP SUBSCRIBE capability in their default configuration and to require users to explicitly enable SUBSCRIBE, with appropriate network restrictions to limit its use to a trusted local area network.\r\n\r\n#### IDS Signature\r\nThis Suricata IDS rule looks for any HTTP SUBSCRIBE request to what is likely to be an external network (i.e., not RFC1918 and RFC4193 addresses). Network administrators and ISPs can deploy this signature at the Internet access point to detect any anomalous SUBSCRIBE requests reaching their users.\r\n\r\n`alert http any any -> ![fd00::/8,192.168.0.0/16,10.0.0.0/8,172.16.0.0/12] any (msg:\"UPnP SUBSCRIBE request seen to external network VU#339275: CVE-2020-12695 https://kb.cert.org\"; content:\"subscribe\"; nocase; http_method; sid:1367339275;)`\r\n\r\n### Acknowledgements\r\nThis vulnerability was reported by Yunus Çadirci from EY Turkey.\r\n\r\nThis document was written by Vijay Sarvepalli.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://callstranger.com","https://openconnectivity.org/developer/specifications/upnp-resources/upnp/","https://kb.cert.org/vuls/search/?q=upnp","https://github.com/yunuscadirci/CallStranger","https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of"],"cveids":["CVE-2020-12695"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2020-06-08T15:29:50.416437Z","publicdate":"2020-06-08T00:00:00Z","datefirstpublished":"2020-06-08T15:29:50.432707Z","dateupdated":"2020-07-08T21:44:36.516038Z","revision":14,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":5}