logo
DATABASE RESOURCES PRICING ABOUT US

CVE-2020-12695

Description

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue. #### Mitigation To mitigate this flaw, close off the UPnP UDP port (usually 1900) and UPnP service ports from the Internet using a firewall. It's important to note that UPnP service ports vary based on the device, so device documentation should be consulted. Do not expose UPnP servers to the Internet. Exploitation of this flaw relies on HTTP SUBSCRIBE and NOTIFY requests, which can be blocked using a network security appliance, as another mitigation option.


Related