====================================================================
CERT-Renater Note d'Information No. 2020/VULN318
_____________________________________________________________________
DATE : 08/06/2020
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems implementing Universal Plug and Play (UPnP) protocol.
=====================================================================
https://www.kb.cert.org/vuls/id/339275
_____________________________________________________________________

Universal Plug and Play (UPnP) SUBSCRIBE can be abused to send traffic to arbitrary destinations

Vulnerability Note VU#339275
Original Release Date: 2020-06-08 | Last Revised: 2020-06-08

Overview

The Universal Plug and Play (UPnP) protocol in effect prior to April 17, 2020 can be abused to send traffic to arbitrary destinations using SUBSCRIBE functionality.

Description

The UPnP protocol, as specified by the Open Connectivity Foundation (OCF), is designed to provide automatic discovery and interaction with devices on a network. The UPnP protocol is designed to be used in a trusted local area network (LAN) and the protocol does not implement any form of authentication or verification. Many common Internet-connected devices support UPnP, as noted in previous research from Daniel Garcia (VU#357851) and Rapid7. Garcia presented at DEFCON 2019 and published a scanning and portmapping tool. The UPnP Device Protection service was not widely adopted.

A vulnerability in the UPnP SUBSCRIBE capability permits an attacker to send large amounts of data to arbitrary destinations accessible over the Internet, which could lead to a Distributed Denial of Service (DDoS), data exfiltration, and other unexpected network behavior. The OCF has updated the UPnP specifications to address this issue. This vulnerability has been assigned CVE-2020-12695 and is also known as Call Stranger.
Although offering UPnP services on the Internet is generally considered to be a misconfiguration, a number of devices are still available over the Internet according to a recent Shodan scan.

Impact

A remote, unauthenticated attacker may be able to abuse the UPnP SUBSCRIBE capability to send traffic to arbitrary destinations, leading to amplified DDoS attacks and data exfiltration. In general, making UPnP available over the Internet can pose further security vulnerabilities beyond the one described in this vulnerability note.

Solution

Apply updates

Vendors are urged to implement the updated specifications provided by the OCF. Users should monitor vendor support channels for updates that implement the new SUBSCRIBE specification.

Disable or Restrict UPnP

Disable the UPnP protocol on Internet-accessible interfaces. Device manufacturers are urged to disable the UPnP SUBSCRIBE capability in their default configuration and to require users to explicitly enable SUBSCRIBE with any appropriate network restrictions to limit its usage to a trusted local area network.

IDS Signature

This Suricata IDS rule looks for any HTTP SUBSCRIBE request to what is likely to be an external network (i.e., not RFC1918 and RFC4193 addresses). Network administrators and ISPs can deploy this signature at the Internet access point to detect any anomalous SUBSCRIBE requests reaching their users.

alert http any any -> ![fd00::/8,192.168.0.0/16,10.0.0.0/8,172.16.0.0/12] any (msg:"UPnP SUBSCRIBE request seen to external network VU#339275: CVE-2020-12695 https://kb.cert.org"; content:"subscribe"; nocase; http_method; sid:1367339275;)

Acknowledgements

This vulnerability was reported by Yunus Çadırcı. This document was written by Vijay Sarvepalli.

Vendor Information

Sierra Wireless
  Status: Not Affected  Notified: 2020-04-16  Updated: 2020-06-08
  CVE-2020-12695: Not Affected
  Vendor Statement: No statement is currently available from the vendor regarding this vulnerability.
A10 Networks
  Status: Unknown  Notified: 2020-04-16  Updated: 2020-06-08
  CVE-2020-12695: Unknown
  Vendor Statement: No statement is currently available from the vendor regarding this vulnerability.

ACCESS
  Status: Unknown  Notified: 2020-04-16  Updated: 2020-06-08
  CVE-2020-12695: Unknown
  Vendor Statement: No statement is currently available from the vendor regarding this vulnerability.

Actelis Networks
  Status: Unknown  Notified: 2020-04-16  Updated: 2020-06-08
  CVE-2020-12695: Unknown
  Vendor Statement: No statement is currently available from the vendor regarding this vulnerability.

Actiontec
  Status: Unknown  Notified: 2020-04-16  Updated: 2020-06-08
  CVE-2020-12695: Unknown
  Vendor Statement: No statement is currently available from the vendor regarding this vulnerability.

ADATA
  Status: Unknown  Notified: 2020-04-16  Updated: 2020-06-08
  CVE-2020-12695: Unknown
  Vendor Statement: No statement is currently available from the vendor regarding this vulnerability.

ADTRAN
  Status: Unknown  Notified: 2020-04-16  Updated: 2020-06-08
  CVE-2020-12695: Unknown
  Vendor Statement: No statement is currently available from the vendor regarding this vulnerability.

Aerohive
  Status: Unknown  Notified: 2020-04-16  Updated: 2020-06-08
  CVE-2020-12695: Unknown
  Vendor Statement: No statement is currently available from the vendor regarding this vulnerability.

AhnLab Inc
  Status: Unknown  Notified: 2020-04-16  Updated: 2020-06-08
  CVE-2020-12695: Unknown
  Vendor Statement: No statement is currently available from the vendor regarding this vulnerability.

AirWatch
  Status: Unknown  Notified: 2020-04-16  Updated: 2020-06-08
  CVE-2020-12695: Unknown
  Vendor Statement: No statement is currently available from the vendor regarding this vulnerability.
View all 190 vendors: https://www.kb.cert.org/vuls/id/339275

References

http://callstranger.com
https://openconnectivity.org/developer/specifications/upnp-resources/upnp/
https://kb.cert.org/vuls/search/?q=upnp

Other Information

CVE IDs: CVE-2020-12695
Date Public: 2020-06-08
Date First Published: 2020-06-08
Date Last Updated: 2020-06-08 15:29 UTC
Document Revision: 1

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41            +
+ 75013 Paris        | email:cert@support.renater.fr   +
=========================================================
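Added example, not part of the CERT/CC note or of CERT-Renater's material: a small Python checker that applies the same internal/external address test as the Suricata rule in the IDS Signature section, first to the address a SUBSCRIBE request was sent to (the rule's check) and then to the CALLBACK header of the request, which in UPnP eventing (GENA) names the URL the device will deliver event NOTIFY messages to. A device or gateway can use the second check to refuse subscriptions whose callback points outside the trusted ranges, which is the redirection CVE-2020-12695 relies on. The sample request, the 203.0.113.x / 192.168.1.x addresses and the function names are constructed for this example; note that, like the published rule, the range list does not cover loopback or link-local addresses, so adjust INTERNAL_NETS to the local addressing plan.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Ranges the advisory's Suricata rule treats as internal (RFC1918 IPv4 + RFC4193 IPv6 ULA);
# loopback and link-local are deliberately not included, matching the rule as published.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")]

def is_internal(host):
    """True only for an IP literal inside INTERNAL_NETS; a hostname counts as external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def parse_request(raw):
    """Split a raw HTTP request into (METHOD, headers); header names are lower-cased."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def check_subscribe(raw, dst_ip):
    """Findings for one request (empty list = looks benign). dst_ip is the address the
    request was sent to, as seen by the sensor, not taken from the HTTP payload."""
    method, headers = parse_request(raw)
    if method != "SUBSCRIBE":
        return []
    findings = []
    # Check 1: the IDS rule's test, a SUBSCRIBE request leaving the trusted ranges.
    if not is_internal(dst_ip):
        findings.append("SUBSCRIBE sent to external host " + dst_ip)
    # Check 2 (device or gateway side): UPnP eventing delivers NOTIFY messages to every <URL>
    # in the CALLBACK header, so a callback outside the LAN is the redirection the note describes.
    for url in re.findall(r"<([^>]+)>", headers.get("callback", "")):
        if not is_internal(urlparse(url).hostname or ""):
            findings.append("CALLBACK points outside the trusted network: " + url)
    return findings

# Constructed sample: a LAN client subscribing to a router's event URL with an external callback.
SAMPLE_EXTERNAL_CALLBACK = (b"SUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
                            b"CALLBACK: <http://203.0.113.10:80/>\r\nNT: upnp:event\r\n"
                            b"TIMEOUT: Second-1800\r\n\r\n")
SAMPLE_LAN_CALLBACK = SAMPLE_EXTERNAL_CALLBACK.replace(b"203.0.113.10:80", b"192.168.1.20:49153")
```

Calling check_subscribe(SAMPLE_EXTERNAL_CALLBACK, "192.168.1.1") reports the external callback, while the LAN-only sample returns an empty list; the same function run against a request whose dst_ip lies outside the ranges reproduces the rule's alert condition.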