The flaw, dubbed CallStranger could allow attackers to take over IoT devices in DDoS attacks. The flaw could be exploited in other types of attacks, where security solutions are bypassed and internal networks are reached.
What is the The UPnP Protocol?
As explained by the Open Connectivity Foundation (OCF), this protocol is designed to provide automatic discovery and interaction with devices on a network. The protocol can be utilized in a trusted local area network (LAN), and it does not implement any form of authentication or verification.
More about the CallStranger Vulnerability (CVE-2020-12695)
According to the official advisory, “a vulnerability in the UPnP SUBSCRIBE capability permits an attacker to send large amounts of data to arbitrary destinations accessible over the Internet, which could lead to a Distributed Denial of Service (DDoS), data exfiltration, and other unexpected network behavior”.
Most internet-connected devices support the UPnP protocol, which means that a large number of devices is at risk. “Although offering UPnP services on the Internet is generally considered to be a misconfiguration, a number of devices are still available over the Internet according to a recent Shodan scan,” the security advisory points out.
The CVE-2020-12695 vulnerability in the UPnP SUBSCRIBE capability could allow an attacker to send large amounts of data to arbitrary destinations accessible over the Internet. This could then lead to DDoS attacks, data exfiltration, and other forms of unexpected network behavior.
Mitigations against CVE-2020-12695
Vendors should be quick to implement the updated specification provided by the OCF. Owners of IoT devices, on the other hand, should keep an eye on vendor support channels for updates that implement the new SUBSCRIBE specification.
Another security recommendation is to disable the UPnP protocol on Internet-accessible interfaces. Device manufacturers should disable the UPnP SUBSCRIBE capability in their default configuration. Users are advised to “explicitly enable SUBSCRIBE with any appropriate network restrictions to limit its usage to a trusted local area network“.