Dark Reading is part of the Informa Tech Division of Informa PLC

6/9/2020
04:50 PM

Vulnerability in Plug-and-Play Protocol Puts Billions of Devices at Risk

"CallStranger" flaw in UPnP allows attackers to launch DDoS attacks and scan internal ports, security researcher says.

Billions of network-connected devices, such as printers, routers, smart TVs, and video game consoles, are open to attack via a security vulnerability in a protocol that allows the devices to communicate with each other.

Nearly 5.5 million of the vulnerable devices are currently publicly accessible over the Internet and can be used to launch denial-of-service (DoS) attacks against targeted systems or enable data theft, Carnegie Mellon University's CERT Coordination Center said this week. The vulnerability — called CallStranger (CVE-2020-12695) — enables attackers to use a vulnerable Internet-connected device to bypass security mechanisms and scan internal ports for other similarly vulnerable devices on enterprises' local area networks.

"The [vulnerability] permits an attacker to send large amounts of data to arbitrary destinations accessible over the Internet, which could lead to a Distributed Denial of Service (DDoS), data exfiltration, and other unexpected network behavior," the CERT Coordination Center warned in an alert.

Yunus Cadirci, a Turkey-based security researcher, discovered the flaw last December and reported it to the Open Connectivity Foundation (OCF), the group that manages the Universal Plug and Play (UPnP) protocol in which the bug exists. The problem, specifically, is associated with a UPnP function called SUBSCRIBE that allows devices to monitor the status of other network-connected UPnP services and devices. Attackers can take control of the function via specially crafted SUBSCRIBE requests over HTTP.

OCF updated the UPnP protocol specification on April 17 to address the issue and has notified vendors and ISPs about the need to upgrade to the new specification. However, because the flaw lies at the protocol level, it could take a long time before all vendors address the issue, Cadirci said on a website set up exclusively to describe the vulnerability and its impact.

The researcher posted a detailed technical description of the vulnerability and proof-of-concept code to exploit it on GitHub. He listed devices from over 20 vendors, including Microsoft, Cisco, Canon, HP, and Philips, as confirmed to be affected. The status of products from dozens of other vendors remains unknown, though it is more than likely they are impacted as well. A wide range of plug-and-play products is impacted, including Xbox gaming consoles, printers, routers, switches, and cameras.

"The CallStranger vulnerability exists because the 'Callback' header value in the UPnP SUBSCRIBE function is not checked," says Satnam Narang, staff research engineer at Tenable. "To exploit the flaw, an attacker could stuff their request with a large volume of target URLs across multiple vulnerable devices, overwhelming their target's resources [and] resulting in a denial of service," he says.

PoC Code Released
With PoC code now available, an attacker could easily scan for and collect a list of vulnerable devices that are publicly accessible. They could then modify or create their own script to launch a DDoS attack against a target of their choosing using the vulnerable devices they've identified, he says.

"If a single device on a network has a vulnerable version of UPnP connected to the Internet, an attacker could use the flaw to perform a port scan of the internal network for potentially vulnerable devices," Narang notes.

Craig Young, a security researcher with Tripwire's vulnerability and exposure research team (VERT), says the problem with UPnP is that it was designed from the ground up without any regard for security. In most cases, devices running the protocol implicitly trust requests from other devices on the local network without any prior authentication.

"I cannot think of any legitimate reason why anyone would want to expose UPnP directly to the Internet," Young says.

The CallStranger vulnerability gives attackers a way to launch DDoS attacks and steal data, he says. "When talking about stealing data with UPnP, it absolutely depends on the device," Young says. 

Connected media devices, for example, often reveal unique identifiers. Similarly, printers may allow monitoring of print status, and routers may give detailed information about the names and addresses of devices on the network.

"In general, though, all of these problems exist independent of CallStranger through web browser-based attacks," Young says. "If you load a web page while connected to the same network as UPnP-enabled devices, that web page can, in most cases, start accessing the UPnP devices."

In its alert, the CERT Coordination Center urged organizations to disable UPnP on all Internet-accessible interfaces. It also advised device manufacturers to disable the SUBSCRIBE capability in their default configurations, so users would need to explicitly enable the feature with restrictions to limit usage within a trusted LAN.
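The check that the unchecked Callback header lacks, combined with CERT's advice to keep SUBSCRIBE within a trusted LAN, sketched as an added example; it is not code from the article, the researcher, or any vendor. It assumes the device knows its trusted LAN prefix, and `check_callback`, `MAX_CALLBACK_URLS`, and the sample requests are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MAX_CALLBACK_URLS = 4  # assumed policy limit, not a value from the UPnP specification
# Constructed sample requests (private and documentation address ranges only).
REQ = ("SUBSCRIBE /event/service1 HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
       "CALLBACK: {}\r\nNT: upnp:event\r\nTIMEOUT: Second-300\r\n\r\n")
LOCAL_REQ = REQ.format("<http://192.168.1.20:8080/notify>")
REMOTE_REQ = REQ.format("<http://203.0.113.7/a><http://203.0.113.7/b>")


def parse_request(raw):
    """Return (method, headers) of a raw HTTP request; header names lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0].upper(), headers


def check_callback(raw, peer_ip, trusted_lan):
    """Return reasons to reject a SUBSCRIBE request; an empty list means accept."""
    method, headers = parse_request(raw)
    if method != "SUBSCRIBE" or "callback" not in headers:
        return []  # other methods and renewals carry no Callback header
    lan = ipaddress.ip_network(trusted_lan)
    reasons = []
    if ipaddress.ip_address(peer_ip) not in lan:
        reasons.append(f"subscriber {peer_ip} is outside {lan}")
    urls = re.findall(r"<([^<>]*)>", headers["callback"])
    if not urls or len(urls) > MAX_CALLBACK_URLS:
        reasons.append(f"{len(urls)} callback URLs (allowed: 1-{MAX_CALLBACK_URLS})")
    for url in urls:
        try:
            parts = urlsplit(url)
            host = ipaddress.ip_address(parts.hostname or "")
        except ValueError:  # hostnames are refused: DNS could resolve them anywhere
            reasons.append(f"callback host is not an IP literal: {url}")
            continue
        if parts.scheme != "http" or host not in lan:
            reasons.append(f"callback {url} is not http to an address in {lan}")
    return reasons


if __name__ == "__main__":
    print(check_callback(REMOTE_REQ, "198.51.100.9", "192.168.1.0/24"))
```

The same function can be run over captured SUBSCRIBE requests to flag callbacks that point off the local network.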

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 

Comments
tdsan,
User Rank: Ninja
6/11/2020 | 12:17:08 PM
Interesting article, but this is a moot point since most of the devices are behind FWs

With PoC code now available, an attacker could easily scan for and collect a list of vulnerable devices that are publicly accessible.

From my understanding, most of the printers are behind firewalls; however, if there is lateral/horizontal movement, the end-user or admin has bigger problems that need to be addressed (per the statement made by the speaker). In certain instances, I can see where certain cameras might be affected because they are connected directly to the internet (traffic cameras) and some of their IP Addresses are made public, but I am not sure how many IOT devices are connected directly to the internet. There is a site on the web that indicates a number of devices connected directly to the internet but that is part of another conversation - https://www.shodan.io/explore

I do see limitations in the statements made but it is possible; we just need to remain vigilant. A possible remedy would be to connect using SHA Hash 256 to the OS because the system could determine if the hash was found on the network or a token process where a PIN is used (a number of printers have this capability but most people don't use it).

Todd