Attacker Value
Low
(2 users assessed)
Exploitability
Moderate
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
2

CVE-2020-12695 "CallStranger"

Disclosure Date: June 08, 2020
CVE-2020-12695 CVSS v3 Base Score: 7.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Add Assessment

4
Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
UnauthenticatedDifficult to weaponize
Technical Analysis

This one has a name and a website. – https://callstranger.com/

There is also a github repository that has PoC code, this code will scan your local IP range to determine if you have vulnerable devices. Be aware this POC will send data about your network out to a 3rd party. It claims to encrypt this data, but I have not reviewed the implementation.
It may not have a list of internal UPNP Devices, but it will have a record of your IP, how much data was sent.

https://github.com/yunuscadirci/CallStranger

Root Cause

A Callback header that can be controlled by the attacker in the UPnP SUBSCRIBE functionality can lead to SSRF-Like behaviour

Threat

DDOS:

This seems to be the obvious one that will get picked up by most botnet operators at some point.

DLP

Don’t expect this to be a likely threat, there are easier ways to bypass outgoing DLP restrictions than this.

SSRF Like

Needs more review but Scanning internal ports from Internet-facing UPnP devices could be useful, depending on what data is returned.

Log in to Add Reply
2
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Medium
Difficult to patchEasy to weaponize
Technical Analysis

A new uPnP protocol bug seems to pop up every year or two, looking back on it folks have known it was a bad idea to expose these to the Internet forever, and that uPnP is itself not a great idea from a security PoV. Will likely exist for a long time given the number of devices in existence, so expect it to be used mostly for DDOS operations like @kevthehermit suggests.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
4.7
Exploitability Score:
2.2
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
Low
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

References

Canonical
CVE-2020-12695 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695)
Advisory
[oss-security] 20200608 hostapd: UPnP SUBSCRIBE misbehavior in hostapd WPS AP (http://www.openwall.com/lists/oss-security/2020/06/08/2)
FEDORA-2020-df3e1cfde9 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZDWHKGN3LMGSUEOAAVAMOD3IUIPJVOJ)
FEDORA-2020-1f7fc0d0c9 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQEYVY4D7LASH6AI4WK3IK2QBFHHF3Q2)
FEDORA-2020-e538e3e526 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3SHL4LOFGHJ3DIXSUIQELGVBDJ7V7LB)
FEDORA-2020-df3e1cfde9 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZDWHKGN3LMGSUEOAAVAMOD3IUIPJVOJ/)
FEDORA-2020-1f7fc0d0c9 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQEYVY4D7LASH6AI4WK3IK2QBFHHF3Q2/)
FEDORA-2020-e538e3e526 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3SHL4LOFGHJ3DIXSUIQELGVBDJ7V7LB/)
[debian-lts-announce] 20200806 [SECURITY] [DLA 2315-1] gupnp security update (https://lists.debian.org/debian-lts-announce/2020/08/msg00011.html)
[debian-lts-announce] 20200808 [SECURITY] [DLA 2318-1] wpa security update (https://lists.debian.org/debian-lts-announce/2020/08/msg00013.html)
USN-4494-1 (https://usn.ubuntu.com/4494-1/)
DSA-4806 (https://www.debian.org/security/2020/dsa-4806)
[debian-lts-announce] 20201210 [SECURITY] [DLA 2489-1] minidlna security update (https://lists.debian.org/debian-lts-announce/2020/12/msg00017.html)
DSA-4898 (https://www.debian.org/security/2021/dsa-4898)
Miscellaneous
https://www.callstranger.com
https://www.kb.cert.org/vuls/id/339275
https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of
https://github.com/yunuscadirci/CallStranger
http://packetstormsecurity.com/files/158051/CallStranger-UPnP-Vulnerability-Checker.html
https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek
https://github.com/corelight/callstranger-detector
https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis