/

CERTCyberVulnerability

UPnP CallStranger vulnerability

A new critical vulnerability has been detected. It interferes in the UPnP (Universal Plug and Play) protocol directly affecting the majority of Internet of Things (IoT) devices.

Risks

  • Remote code execution
  • Data exfiltration
  • Involuntary participation in a DDoS attack
Ordinateur ayant contracté la vulnérabilité UPnP CallStranger
UPnP CallStranger Vulnerability

Affected Systems

List of systems being updated whose vulnerability is confirmed:

  • Windows 10 – upnphost.dll 10.0.18362.719
  • Xbox One – OS Version 10.0.19041.2494
  • ADB TNR-5720SX Box (TNR-5720SX/v16.4-rc-371-gf5e2289 UPnP/1.0 BH-upnpdev/2.0)
  • ASUS Media Streamer
  • ASUS Rt-N11
  • Belkin WeMo
  • Broadcom ADSL Modems
  • Canon SELPHY CP1200 Printer
  • Cisco X1000 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
  • Cisco X3500 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
  • D-Link DVG-N5412SP WPS Router (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Epson EP, EW, XP Series (EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0)
  • HP Deskjet, Photosmart, Officejet ENVY Series (POSIX, UPnP/1.0, Intel MicroStack/1.0.1347)
  • Huawei HG255s Router – Firmware HG255sC163B03 (ATP UPnP Core)
  • NEC Access Technica WR8165N Router (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Philips 2k14MTK TV – Firmware TPL161E_012.003.039.001
  • Samsung UE55MU7000 TV – Firmware T-KTMDEUC-1280.5, BT – S
  • Samsung MU8000 TV
  • TP-Link TL-WA801ND (Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.19)
  • TRENDnet TV-IP551W (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Zyxel VMG8324-B10A (LINUX/2.6 UPnP/1.0 BRCM400-UPnP/1.0)

Abstract

A vulnerability named CallStranger and numbered CVE-2020-12695 was discovered and privately reported in late 2019 to the Open Connectivity Foundation (#OCF) by the security researcher named Yunus Çadırcı [1].

Many devices are vulnerable, by their direct connection to the Internet, or by their implementation in DMZ and/or via port forwarding mechanisms (#PAT) exhibitors to the Internet.

There is a high probability of exploiting this exposed equipment in order to set up distributed denial of service attacks #DDoS.

In addition, this vulnerability can allow:

  • discover the network services of a local network (via a port scan overcoming perimeter network protections);
  • to infiltrate data, even if the flows leaving the local network are filtered, by equipment (such as proxy servers or devices for protecting sensitive information #DLP).

OCF updated the standard’ specifications on April 17, 2020 and warned most of the concerned sellers that the update should be incorporated into their products. As this vulnerability affects a protocol and a multitude of peripherals, it is very likely that many devices will remain in production for a long time without benefiting from an update.

TEHTRIS NTA

Network Traffic Analysis (NTA)
An NTA appliance can analyze traffic in order to find unusual activities and attacks. It combines behavior analysis, artificial intelligence, and NIDS-type signature-based features.
TEHTRIS NTA also adds a passive audit feature, that can listen to the traffic in order to detect specific vulnerabilities. This is very useful in environments where it would be dangerous to launch active audit operations: OT, production, etc. TEHTRIS NTA is part of the TEHTRIS XDR Platform, allowing security analysts to link information from the systems to the networks.
“>NTA now includes a specific detection rule allowing the detection of the exploitation of this vulnerability within the TEHTRIS XDR
Extended Detection and Response (XDR)
XDR brings a whole new take on cybersecurity. It is a platform that can be easily deployed to combine the power of many powerful sensors like EDR, EPP, SIEM, NTA, Cloud Workload Protection Platforms, honeypots and so on.
TEHTRIS XDR Platform is one of the first, if not the first platform that was able to propose such a cybersecurity model. Delivered through a SaaS model, TEHTRIS XDR Platform allows medium-size to large international companies obtain an extremely efficient technical security solution worldwide. It already caught many state-sponsored hacking groups like APT teams with stealth behaviors (and almost zero weapons). This is definitely the best solution against modern and future threats.
“>XDR Platform.

A regularly updated website containing information about the vulnerability is available at:

https://callstranger.com/

The researcher has made available a detailed report available on GITHUB [2].

 [1] https://twitter.com/yunuscadirci

[2] https://github.com/yunuscadirci/CallStranger/blob/master/CallStranger%20-%20Technical%20Report.pdf

Recommandations

TEHTRIS CERT recommends checking if your equipment directly connected to the Internet does not have the active UPnP protocol and if so, to deactivate it.

In general, the defense in depth principle requires disabling unnecessary services in order to decrease the attack surface of your systems.

If you need advice or help in finding and securing your equipment, the TEHTRIS team is at your disposal at the contact points indicated on our website https://tehtris.com/en/contact/

/// Sources