busterb's assessment of CVE-2020-12695 "CallStranger"

Description

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Add Assessment

kevthehermit (138)

June 09, 2020 7:51am UTC (3 years ago)•

Ratings

Attacker Value

Low

Exploitability

Medium

Unauthenticated Difficult to weaponize

Technical Analysis

This one has a name and a website. – https://callstranger.com/

There is also a github repository that has PoC code, this code will scan your local IP range to determine if you have vulnerable devices. Be aware this POC will send data about your network out to a 3rd party. It claims to encrypt this data, but I have not reviewed the implementation.
It may not have a list of internal UPNP Devices, but it will have a record of your IP, how much data was sent.

https://github.com/yunuscadirci/CallStranger

Root Cause

A Callback header that can be controlled by the attacker in the UPnP SUBSCRIBE functionality can lead to SSRF-Like behaviour

Threat

DDOS:

This seems to be the obvious one that will get picked up by most botnet operators at some point.

DLP

Don’t expect this to be a likely threat, there are easier ways to bypass outgoing DLP restrictions than this.

SSRF Like

Needs more review but Scanning internal ports from Internet-facing UPnP devices could be useful, depending on what data is returned.

busterb (321)

June 09, 2020 11:22pm UTC (3 years ago)•

Ratings

Attacker Value

Very Low

Exploitability

Medium

Difficult to patch Easy to weaponize

Technical Analysis

A new uPnP protocol bug seems to pop up every year or two, looking back on it folks have known it was a bad idea to expose these to the Internet forever, and that uPnP is itself not a great idea from a security PoV. Will likely exist for a long time given the number of devices in existence, so expect it to be used mostly for DDOS operations like @kevthehermit suggests.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

4.7

Exploitability Score:

2.2

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

High

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Changed

Confidentiality (C):

Low

Integrity (I):

None

Availability (A):

High

Vendors

asus,
broadcom,
canon,
canonical,
cisco,
debian,
dell,
dlink,
epson,
fedoraproject,
hp,
huawei,
microsoft,
nec,
netgear,
ruckussecurity,
tp-link,
ui,
w1.fi,
zte,
zyxel

Products

5020 z4a69a -,
5030 m2u92b -,
5030 z4a70a -,
5034 z4a74a -,
5660 f8b04a -,
adsl -,
amg1202-t10b -,
archer c50 -,
b1165nfw -,
debian linux 10.0,
debian linux 9.0,
deskjet ink advantage 3456 a9t84c -,
deskjet ink advantage 3545 a9t81a -,
deskjet ink advantage 3545 a9t81c -,
deskjet ink advantage 3545 a9t83b -,
deskjet ink advantage 3546 a9t82a -,
deskjet ink advantage 3548 a9t81b -,
deskjet ink advantage 4515 -,
deskjet ink advantage 4518 -,
deskjet ink advantage 4535 f0v64a -,
deskjet ink advantage 4535 f0v64b -,
deskjet ink advantage 4535 f0v64c -,
deskjet ink advantage 4536 f0v65a -,
deskjet ink advantage 4538 f0v66b -,
deskjet ink advantage 4675 f1h97a -,
deskjet ink advantage 4675 f1h97b -,
deskjet ink advantage 4675 f1h97c -,
deskjet ink advantage 4676 f1h98a -,
deskjet ink advantage 4678 f1h99b -,
deskjet ink advantage 5575 g0v48b -,
deskjet ink advantage 5575 g0v48c -,
dvg-n5412sp -,
envy 100 cn517a -,
envy 100 cn517b -,
envy 100 cn517c -,
envy 100 cn518a -,
envy 100 cn519a -,
envy 100 cn519b -,
envy 110 cq809a -,
envy 110 cq809b -,
envy 110 cq809c -,
envy 110 cq809d -,
envy 110 cq812c -,
envy 111 cq810a -,
envy 114 cq811a -,
envy 114 cq811b -,
envy 114 cq812a -,
envy 120 cz022a -,
envy 120 cz022b -,
envy 120 cz022c -,
envy 4500 a9t80a -,
envy 4500 a9t80b -,
envy 4500 a9t89a -,
envy 4500 d3p93a -,
envy 4501 c8d05a -,
envy 4502 a9t85a -,
envy 4502 a9t87b -,
envy 4503 e6g71b -,
envy 4504 a9t88b -,
envy 4504 c8d04a -,
envy 4505 a9t86a -,
envy 4507 e6g70b -,
envy 4508 e6g72b -,
envy 4509 d3p94a -,
envy 4509 d3p94b -,
envy 4511 k9h50a -,
envy 4512 k9h49a -,
envy 4513 k9h51a -,
envy 4516 k9h52a -,
envy 4520 e6g67a -,
envy 4520 e6g67b -,
envy 4520 f0v63a -,
envy 4520 f0v63b -,
envy 4520 f0v69a -,
envy 4521 k9t10b -,
envy 4522 f0v67a -,
envy 4523 j6u60b -,
envy 4524 f0v71b -,
envy 4524 f0v72b -,
envy 4524 k9t01a -,
envy 4525 k9t09b -,
envy 4526 k9t05b -,
envy 4527 j6u61b -,
envy 4528 k9t08b -,
envy 5000 m2u85a -,
envy 5000 m2u85b -,
envy 5000 m2u91a,
envy 5000 m2u91a -,
envy 5000 m2u94b -,
envy 5000 z4a54a -,
envy 5000 z4a74a -,
envy 5020 m2u91b -,
envy 5530 -,
envy 5531 -,
envy 5532 -,
envy 5534 -,
envy 5535 -,
envy 5536 -,
envy 5539 -,
envy 5540 f2e72a -,
envy 5540 g0v47a -,
envy 5540 g0v51a -,
envy 5540 g0v52a -,
envy 5540 g0v53a -,
envy 5540 k7c85a -,
envy 5541 k7g89a -,
envy 5542 k7c88a -,
envy 5543 n9u88a -,
envy 5544 k7c89a -,
envy 5544 k7c93a -,
envy 5545 g0v50a -,
envy 5546 k7c90a -,
envy 5547 j6u64a -,
envy 5548 k7g87a -,
envy 5640 b9s56a -,
envy 5640 b9s58a -,
envy 5642 b9s64a -,
envy 5643 b9s63a -,
envy 5644 b9s65a -,
envy 5646 f8b05a -,
envy 5664 f8b08a -,
envy 5665 f8b06a -,
envy 6020 5se16b -,
envy 6020 5se17a -,
envy 6020 6wd35a -,
envy 6020 7cz37a -,
envy 6052 5se18a -,
envy 6055 5se16a -,
envy 6540 b9s59a -,
envy 7640 -,
envy 7644 e4w46a -,
envy 7645 e4w44a -,
envy photo 6200 k7g18a -,
envy photo 6200 k7g26b -,
envy photo 6200 k7s21b -,
envy photo 6200 y0k13d -,
envy photo 6200 y0k15a -,
envy photo 6220 k7g20d -,
envy photo 6220 k7g21b -,
envy photo 6222 y0k13d -,
envy photo 6222 y0k14d -,
envy photo 6230 k7g25b -,
envy photo 6232 k7g26b -,
envy photo 6234 k7s21b -,
envy photo 6252 k7g22a -,
envy photo 7100 3xd89a -,
envy photo 7100 k7g93a -,
envy photo 7100 k7g99a -,
envy photo 7100 z3m37a -,
envy photo 7100 z3m52a -,
envy photo 7120 z3m41d -,
envy photo 7155 z3m52a -,
envy photo 7164 k7g99a -,
envy photo 7800 k7r96a -,
envy photo 7800 k7s00a -,
envy photo 7800 k7s10d -,
envy photo 7800 y0g42d -,
envy photo 7800 y0g52b -,
envy photo 7822 y0g42d -,
envy photo 7822 y0g43d -,
envy photo 7830 y0g50b -,
envy pro 6420 5se45b -,
envy pro 6420 5se46a -,
envy pro 6420 6wd14a -,
envy pro 6420 6wd16a -,
envy pro 6452 5se47a -,
envy pro 6455 5se45a -,
ep-101 -,
ew-m970a3t -,
fedora 31,
fedora 32,
hg255s -,
hg532e -,
hostapd,
m571t -,
officejet 4650 e6g87a -,
officejet 4650 f1h96a -,
officejet 4650 f1h96b -,
officejet 4652 f1j02a -,
officejet 4652 f1j05b -,
officejet 4652 k9v84b -,
officejet 4654 f1j06b -,
officejet 4654 f1j07b -,
officejet 4655 f1j00a -,
officejet 4655 k9v79a -,
officejet 4655 k9v82b -,
officejet 4656 k9v81b -,
officejet 4657 v6d29b -,
officejet 4658 v6d30b -,
rt-n11 -,
selphy cp1200 -,
ubuntu linux 20.04,
unifi controller -,
vmg8324-b10a -,
wap131 -,
wap150 -,
wap351 -,
windows 10 -,
wnhde111 -,
wr8165n -,
xbox one 10.0.19041.2494,
xp-100 -,
xp-2101 -,
xp-2105 -,
xp-241 -,
xp-320 -,
xp-330 -,
xp-340 -,
xp-4100 -,
xp-4105 -,
xp-440 -,
xp-620 -,
xp-630 -,
xp-702 -,
xp-8500 -,
xp-8600 -,
xp-960 -,
xp-970 -,
zonedirector 1200 -,
zxv10 w300 -

References

Rapid7

Low

CVE-2020-12695 "CallStranger"

Low

Moderate

None

None

Network

CVE-2020-12695 "CallStranger"

Description

Add Assessment

Ratings

Technical Analysis

Root Cause

Threat

DDOS:

DLP

SSRF Like

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Low

CVE-2020-12695 "CallStranger"

Low

Moderate

None

None

Network

CVE-2020-12695 "CallStranger"

Description

Add Assessment

Ratings

Technical Analysis

Root Cause

Threat

DDOS:

DLP

SSRF Like

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification