CVE-2020-12695 "CallStranger"
Description
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
Ratings
- Attacker Value: Low
- Exploitability: Medium
Technical Analysis
This one has a name and a website. – https://callstranger.com/
There is also a GitHub repository that has PoC code; this code will scan your local IP range to determine if you have vulnerable devices. Be aware this PoC will send data about your network out to a 3rd party. It claims to encrypt this data, but I have not reviewed the implementation.
It may not have a list of internal UPnP devices, but it will have a record of your IP and how much data was sent.
https://github.com/yunuscadirci/CallStranger
Root Cause
A Callback header that can be controlled by the attacker in the UPnP SUBSCRIBE functionality can lead to SSRF-like behaviour.
Threat
DDoS:
This seems to be the obvious one that will get picked up by most botnet operators at some point.
DLP:
Don’t expect this to be a likely threat, there are easier ways to bypass outgoing DLP restrictions than this.
SSRF-like:
Needs more review, but scanning internal ports from Internet-facing UPnP devices could be useful, depending on what data is returned.
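The root cause above, as an added example that is not part of the assessment or of the CallStranger PoC repository: a constructed UPnP SUBSCRIBE request whose CALLBACK header lists one on-segment and one off-segment delivery URL, the pre-fix acceptance logic that takes both, and the post-fix check the revised specification calls for (delivery URL must be on the same network segment as the fully qualified event-subscription URL). The event URL, the /24 prefix length and the `build_subscribe_request` helper are assumptions of this example; a real device knows its interface mask from its own configuration.

```python
import ipaddress
import re
from typing import List
from urllib.parse import urlparse

# Constructed sample SUBSCRIBE request (not captured from a real device).
# CALLBACK is fully attacker-controlled: the first URL is on the device's own
# segment, the second points at an arbitrary Internet host.
SAMPLE_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/WANIPConnection HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.10:8080/notify><http://203.0.113.5:80/>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n"
    "\r\n"
)

# Assumed event-subscription URL and interface prefix for the hardened check.
EVENT_URL = "http://192.168.1.1:49152/upnp/event/WANIPConnection"
PREFIX_LEN = 24


def parse_callbacks(request: str) -> List[str]:
    """Return the delivery URLs from the CALLBACK header (angle-bracket list)."""
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().upper() == "CALLBACK":
            return re.findall(r"<([^>]+)>", value)
    return []


def accept_subscription_vulnerable(request: str) -> List[str]:
    """Pre-2020-04-17 behaviour: any syntactically valid http URL is accepted,
    so the device will later send NOTIFY traffic wherever the subscriber says."""
    return [u for u in parse_callbacks(request) if urlparse(u).scheme == "http"]


def accept_subscription_hardened(request: str, event_url: str, prefix_len: int) -> List[str]:
    """Post-fix behaviour: keep only delivery URLs whose host lies on the same
    network segment as the fully qualified event-subscription URL."""
    event_host = urlparse(event_url).hostname
    segment = ipaddress.ip_network(f"{event_host}/{prefix_len}", strict=False)
    accepted = []
    for url in parse_callbacks(request):
        parsed = urlparse(url)
        if parsed.scheme != "http" or parsed.hostname is None:
            continue
        try:
            host_ip = ipaddress.ip_address(parsed.hostname)
        except ValueError:
            # A DNS name could resolve anywhere; reject rather than guess.
            continue
        if host_ip in segment:
            accepted.append(url)
    return accepted


def build_subscribe_request(event_url: str, callback_url: str) -> str:
    """Hypothetical helper for a tester: the SUBSCRIBE a scanner would send to
    see whether a device accepts an off-segment callback."""
    parsed = urlparse(event_url)
    return (
        f"SUBSCRIBE {parsed.path} HTTP/1.1\r\n"
        f"HOST: {parsed.netloc}\r\n"
        f"CALLBACK: <{callback_url}>\r\n"
        "NT: upnp:event\r\n"
        "TIMEOUT: Second-1800\r\n"
        "\r\n"
    )


if __name__ == "__main__":
    print("vulnerable accepts:", accept_subscription_vulnerable(SAMPLE_SUBSCRIBE))
    print("hardened accepts:  ", accept_subscription_hardened(SAMPLE_SUBSCRIBE, EVENT_URL, PREFIX_LEN))
```

On a real device the HTTP 200 SUBSCRIBE response (with a SID) for an off-segment callback is the observable sign of the pre-fix behaviour; the hardened check rejects that request before any NOTIFY is ever sent.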
Ratings
- Attacker Value: Very Low
- Exploitability: Medium
Technical Analysis
A new UPnP protocol bug seems to pop up every year or two; looking back on it, folks have known forever that it was a bad idea to expose these to the Internet, and that UPnP is itself not a great idea from a security PoV. It will likely exist for a long time given the number of devices in existence, so expect it to be used mostly for DDoS operations like @kevthehermit suggests.