Attacker Value

Low

CVE-2020-12695 “CallStranger”

Disclosure Date: June 08, 2020 •

CVE-2020-12695

Exploitability

(2 users assessed) Moderate

Attack Vector

Network

Privileges Required

None

User Interaction

None

Description

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Add Assessment

kevthehermit (95)

June 09, 2020 7:51am UTC (3 weeks ago)•

Ratings

Attacker Value

Low

Exploitability

Medium

Unauthenticated Difficult to weaponize

Technical Analysis

This one has a name and a website. – https://callstranger.com/

There is also a github repository that has PoC code, this code will scan your local IP range to determine if you have vulnerable devices. Be aware this POC will send data about your network out to a 3rd party. It claims to encrypt this data, but I have not reviewed the implementation.
It may not have a list of internal UPNP Devices, but it will have a record of your IP, how much data was sent.

https://github.com/yunuscadirci/CallStranger

Root Cause

A Callback header that can be controlled by the attacker in the UPnP SUBSCRIBE functionality can lead to SSRF-Like behaviour

Threat

DDOS:

This seems to be the obvious one that will get picked up by most botnet operators at some point.

DLP

Don’t expect this to be a likely threat, there are easier ways to bypass outgoing DLP restrictions than this.

SSRF Like

Needs more review but Scanning internal ports from Internet-facing UPnP devices could be useful, depending on what data is returned.

busterb (264)

June 09, 2020 11:22pm UTC (3 weeks ago)•

Ratings

Attacker Value

Very Low

Exploitability

Medium

Difficult to patch Easy to weaponize

Technical Analysis

A new uPnP protocol bug seems to pop up every year or two, looking back on it folks have known it was a bad idea to expose these to the Internet forever, and that uPnP is itself not a great idea from a security PoV. Will likely exist for a long time given the number of devices in existence, so expect it to be used mostly for DDOS operations like @kevthehermit suggests.

References

https://nvd.nist.gov/vuln/detail/CVE-2020-12695
https://www.callstranger.com
https://www.kb.cert.org/vuls/id/339275
http://www.openwall.com/lists/oss-security/2020/06/08/2
https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of
https://github.com/yunuscadirci/CallStranger
http://packetstormsecurity.com/files/158051/CallStranger-UPnP-Vulnerability-Checker.html
https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/
https://github.com/corelight/callstranger-detector
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZDWHKGN3LMGSUEOAAVAMOD3IUIPJVOJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQEYVY4D7LASH6AI4WK3IK2QBFHHF3Q2/

Rapid7

Low