Threat Watch

UPnP Vulnerability Found With Capability of Being Used in DDoS Attacks

Originally discovered in December 2019 by Yunus Çadırcı, a vulnerability dubbed CallStranger in the Universal Plug and Play (UPnP) protocol abuses a modified UPnP SUBSCRIBE request to make UPnP devices send their responses to a remote target. Because UPnP performs very little authentication or verification of requests, an attacker can place an arbitrary remote address in the request headers; the UPnP device then sends its response to that address instead of back to the attacker. The response can be significantly larger than the request, which makes this vulnerability likely to be used for traffic amplification in Distributed Denial of Service (DDoS) attacks: the attacker sends only a small amount of network traffic, and a much larger volume of traffic is delivered to the intended victim, potentially overwhelming the target's ability to process it.

ANALYST NOTES

Because this vulnerability affects the UPnP protocol itself, updates may be slow: each company that ships a product using UPnP needs to develop an update, and end users then need to install it on their products. A recent fix to the protocol went into effect on April 17, 2020. Binary Defense recommends the following mitigations:

A) Disable UPnP entirely.
B) Restrict UPnP to devices that are not accessible from the Internet.

CERT/CC (kb.cert.org) has released a Suricata IDS rule for CallStranger:
alert http any any -> ![fd00::/8,192.168.0.0/16,10.0.0.0/8,172.16.0.0/12] any (msg:"UPnP SUBSCRIBE request seen to external network VU#339275: CVE-2020-12695 https://kb.cert.org"; content:"subscribe"; nocase; http_method; sid:1367339275;)
https://kb.cert.org/vuls/id/339275
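The check a hardened UPnP device (or an inline monitor) can apply to the SUBSCRIBE request described above, complementing the CERT/CC Suricata rule by inspecting the CALLBACK header itself rather than only the request's destination. This is an added example written for this page, not Binary Defense's or CERT/CC's code; the sample requests are constructed, and the "callback host must equal the subscriber's address" rule is an assumed extra hardening, stricter than the protocol fix.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges treated as "local": the exclusion list from the CERT/CC Suricata rule plus loopback/link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "fd00::/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10")]

def parse_subscribe(raw: str):
    """Headers of a raw HTTP request as an upper-cased dict, or None if the method is not SUBSCRIBE."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    if lines[0].split(" ", 1)[0].upper() != "SUBSCRIBE":
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers

def callback_urls(headers):
    """CALLBACK carries one or more URLs in angle brackets: <http://a/x><http://b/y>."""
    return re.findall(r"<([^>]+)>", headers.get("CALLBACK", ""))

def is_local(host: str) -> bool:
    """True only for a literal IP inside LOCAL_NETS; hostnames cannot be checked, so they count as external."""
    try:
        return any(ipaddress.ip_address(host) in net for net in LOCAL_NETS)
    except ValueError:
        return False

def suspicious_callbacks(raw: str, subscriber_ip: str):
    """(url, reason) for each callback a hardened device should refuse. Refusing non-local callbacks
    closes the amplification path; requiring host == subscriber address is an assumed extra hardening."""
    headers = parse_subscribe(raw)
    if headers is None:
        return []
    findings = []
    for url in callback_urls(headers):
        host = urlsplit(url).hostname or ""
        if not is_local(host):
            findings.append((url, "callback host outside local ranges"))
        elif host != subscriber_ip:
            findings.append((url, "callback host is not the subscriber"))
    return findings

# Constructed sample requests (not captures from the page); 203.0.113.0/24 is a documentation range.
BENIGN = ("SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
          "CALLBACK: <http://192.168.1.50:8080/notify>\r\nNT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n")
ABUSIVE = ("SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
           "CALLBACK: <http://192.168.1.50:8080/notify><http://203.0.113.7:80/>\r\nNT: upnp:event\r\n\r\n")
```

Calling suspicious_callbacks(ABUSIVE, "192.168.1.50") flags only the external callback URL, which is exactly the condition that turns the device into an amplifier.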