AttackerKB AKB:DB7D4D6F-62DF-4B24-B7A1-C8B584415E20
History: Jun 08, 2020 - 12:00 a.m.

CVE-2020-12695 "CallStranger"

2020-06-08 00:00:00
attackerkb.com

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H

CVSS2: 7.8 High

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: COMPLETE

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:C

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
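The check the specification change describes, refusing a subscription whose delivery URL lies on a different network segment than the event-subscription URL, as an added example in Python. This is not code from the page or from any UPnP stack. It assumes the device knows which interface the subscription arrived on (a constructed 192.168.1.1/24 here), parses a constructed SUBSCRIBE request, and only accepts Callback URLs that are plain HTTP, use an IP literal rather than a hostname (so DNS cannot redirect delivery off-segment), and fall inside that interface's subnet without pointing back at the device itself.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a SUBSCRIBE request whose Callback header names one
# delivery URL on the device's own LAN and one on an outside network.
SAMPLE_SUBSCRIBE = (
    "SUBSCRIBE /evt/wanipconn HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify><http://203.0.113.10:80/target>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n"
    "\r\n"
)

# Assumed eventing interface of the device; a real stack would take this from
# the socket the request arrived on rather than a constant.
DEVICE_INTERFACE = ipaddress.ip_interface("192.168.1.1/24")


def parse_subscribe(raw):
    """Return (headers dict, list of Callback URLs) for a SUBSCRIBE request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    if not request_line.startswith("SUBSCRIBE "):
        raise ValueError("not a SUBSCRIBE request")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    # Callback carries one or more angle-bracketed URLs, e.g. <url1><url2>
    callbacks = re.findall(r"<([^<>]+)>", headers.get("CALLBACK", ""))
    return headers, callbacks


def callback_reason(url, interface):
    """Return None if url is an acceptable delivery URL, else a short reason."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return "scheme must be http"
    host = parts.hostname
    if host is None:
        return "no host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostnames rejected (resolution could point off-segment)"
    if addr.version != interface.ip.version:
        return "address family mismatch"
    if addr == interface.ip:
        return "delivery to the device itself"
    if addr not in interface.network:
        return "off-segment delivery URL"
    return None


def filter_callbacks(raw, interface=DEVICE_INTERFACE):
    """Split the request's Callback URLs into accepted URLs and (url, reason) rejects."""
    _, callbacks = parse_subscribe(raw)
    accepted, rejected = [], []
    for url in callbacks:
        reason = callback_reason(url, interface)
        if reason is None:
            accepted.append(url)
        else:
            rejected.append((url, reason))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_callbacks(SAMPLE_SUBSCRIBE)
    for url in ok:
        print("accept", url)
    for url, why in bad:
        print("reject", url, "-", why)
```

A device applying this rule still delivers NOTIFY events to control points on its own LAN, but can no longer be pointed at an arbitrary Internet host, which is what turns the eventing mechanism into an amplification or SSRF-like primitive. Rejecting the whole subscription when any Callback URL fails is the stricter option; the function above returns both lists so the caller can choose.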

Recent assessments:

kevthehermit at June 09, 2020 7:51am UTC reported:

This one has a name and a website: <https://callstranger.com/>

There is also a GitHub repository that has PoC code; this code will scan your local IP range to determine if you have vulnerable devices. Be aware this PoC will send data about your network out to a 3rd party. It claims to encrypt this data, but I have not reviewed the implementation.
It may not have a list of internal UPnP devices, but it will have a record of your IP and how much data was sent.

<https://github.com/yunuscadirci/CallStranger>

Root Cause

A Callback header that can be controlled by the attacker in the UPnP SUBSCRIBE functionality can lead to SSRF-like behaviour.

Threat

DDoS

This seems to be the obvious one that will get picked up by most botnet operators at some point.

DLP

Don't expect this to be a likely threat; there are easier ways to bypass outgoing DLP restrictions than this.

SSRF-like

Needs more review, but scanning internal ports from Internet-facing UPnP devices could be useful, depending on what data is returned.

busterb at June 09, 2020 11:22pm UTC reported:


Assessed Attacker Value: 2
Assessed Attacker Value: 2
Assessed Attacker Value: 3
