A vulnerability named CallStranger has been discovered in the Universal Plug and Play (UPnP) protocol, which is used by billions of internet-connected devices. These devices are found in our homes, offices, shops, and factories.
The vulnerability was discovered by cybersecurity researcher Yunus Çadırcı of EY Turkey in early June 2020. Cataloged as CVE-2020-12695, it is described as a “Data Exfiltration & Reflected Amplified TCP DDOS & Port Scan via UPnP SUBSCRIBE Callback.” It allows a malicious actor to abuse the UPnP event subscription mechanism, in which the subscriber supplies the callback URL to which the device will deliver event notifications, to launch distributed denial-of-service (DDoS) attacks, enumerate data, and exfiltrate data.
UPnP support is widespread in devices marketed to home users, the “Internet of Things” (IoT) devices that join home networks over Wi-Fi. UPnP makes connecting a device to the home network an easy task and allows other devices to easily “find” UPnP devices such as printers and media-sharing devices. UPnP devices also often communicate with cloud services over the internet.
UPnP has also gained popularity beyond consumer devices, in office IoT equipment and Operational Technology (OT). This extends the vulnerability beyond home users and into the corporate workspace. That said, the risk to enterprises tends to be limited because UPnP is generally blocked on corporate networks as a best practice; however, this may not be enough to mitigate the risk from IoT devices that have alternate means of communicating, such as cellular.
The Open Connectivity Foundation (OCF), the body that governs UPnP, published a fix for this vulnerability in April 2020. However, because UPnP devices generally lack robust patching mechanisms, many of them may remain vulnerable for some time.
Normally, a vulnerability that targets consumer devices would be of little concern to an IT department. However, the increased prevalence of work from home (WFH), particularly during the COVID-19 pandemic lockdown, has brought us to the new normal: employee productivity and company security now extend into private homes, and IT departments need to take note.
Encourage WFH employees to apply software and firmware updates to all their IoT devices. These include Wi-Fi-connected thermostats, security cameras, safety devices, wireless printers, media-sharing devices, and any other internet-connected device. Disabling UPnP is often cited as a best practice; however, it can leave devices unable to function when the home router refreshes their IP addresses, and many home users are not technically savvy enough to set up IP address reservations on their router (or the router may lack the ability to do so).
Attention to endpoint security will reduce the risk to company-owned computers and laptops, so that if a home user’s devices are compromised as a result of CallStranger, the corporate network at least remains protected.
For corporate networks, block all UPnP traffic if you do not already do so. Additionally, manually disabling UPnP on connected devices is strongly recommended; however, you will need to ensure that IP address reservations are configured so that these devices do not lose connectivity.
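The root of CallStranger is that a device delivers event notifications to whatever URLs a subscriber places in the CALLBACK header of a UPnP SUBSCRIBE request. The following added example (not the OCF reference fix or any vendor's code) shows the kind of check a device firmware or a gateway filter can apply: reject any subscription whose callback targets fall outside the local network. The two SUBSCRIBE requests, the local network range and the function names are constructed for illustration.

```python
"""Validate the CALLBACK header of a UPnP (GENA) SUBSCRIBE request.

Illustrative defender-side check, not the OCF reference fix: a device should
refuse to deliver event NOTIFY traffic to callback URLs that are not literal
IP addresses inside its own local network.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample requests, as a device would receive them on its event port.
LOCAL_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.20:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)
STRANGER_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.20:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/ok><http://203.0.113.7:443/x>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)

def callback_urls(request: str) -> list[str]:
    """Return every <url> listed in the CALLBACK header (GENA allows several)."""
    m = re.search(r"^CALLBACK:\s*(.*)$", request, re.IGNORECASE | re.MULTILINE)
    return re.findall(r"<([^>]+)>", m.group(1)) if m else []

def rejected_callbacks(request: str, local_net: str) -> list[str]:
    """Return the callback URLs a device should refuse to send events to.

    A URL is rejected when its host is not a literal IP address inside
    local_net, or when its scheme is not http. Hostnames are rejected because
    the device cannot know what they will resolve to when the event fires.
    If this list is non-empty the whole subscription should be refused.
    """
    net = ipaddress.ip_network(local_net, strict=False)
    bad = []
    for url in callback_urls(request):
        parts = urlsplit(url)
        try:
            host = ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            bad.append(url)  # hostname or malformed address: refuse
            continue
        if parts.scheme != "http" or host not in net:
            bad.append(url)
    return bad
```

Logging the rejected URLs gives a useful detection signal too: a burst of subscriptions naming external callback targets is exactly the traffic pattern CallStranger abuse produces.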
Microsoft has released a patch for CVE-2020-1350, a remote code execution vulnerability in Windows DNS Server. An exploit for this vulnerability is considered “wormable.” The vulnerability has existed for the last 17 years.