UPnP vulnerability makes it possible to bypass protection and analyze local networks


A serious vulnerability resides in a basic protocol present in almost all connected objects.

The vulnerability, called CallStranger, allows attackers to hijack connected objects to carry out distributed denial of service (DDoS) attacks, and also to bypass security solutions in order to reach and scan a victim's internal network. The bug can therefore grant attackers access to areas they would not normally be able to reach.

CallStranger bug impacts UPnP

According to a website dedicated to the CallStranger vulnerability, which went online this weekend, the bug affects UPnP, which stands for Universal Plug and Play, a collection of protocols shipped on most connected objects.

As its name suggests, UPnP allows devices to see each other on local networks, then establish connections to easily exchange data, configurations and even work in synchronization.

UPnP has existed since the early 2000s, but since 2016 its development has been managed by the Open Connectivity Foundation (OCF), with the aim of standardizing how these features work across all devices.

CallStranger – technical details

In December 2019, a security engineer named Yunus Çadirci discovered a bug in this widely used technology.

Çadirci explains that an attacker can send a remote device TCP packets that contain a malformed Callback header value in the SUBSCRIBE function of UPnP.

This header can be misused to take advantage of any smart device that has been left connected to the Internet and that supports UPnP protocols – such as security cameras, DVRs, printers, routers and more.

In a CallStranger attack, the attacker targets the device’s internet interface, but runs the code on the UPnP function, which usually runs on internal ports only (inside the LAN).

Çadirci says that attackers could use the CallStranger bug to successfully bypass network security solutions, bypass firewalls, and then scan an organization’s internal networks.

In addition, other types of attacks are also possible, said Çadirci.

This includes DDoS attacks where an attacker could bounce back and amplify TCP traffic on UPnP compatible devices accessible on the Internet. This also includes data exfiltration where the attacker steals data from the UPnP compatible device exposed on the Internet.
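A defensive check for the Callback header misuse described above, as an added example (it is not one of Çadirci's scripts or any vendor's code): it parses a UPnP SUBSCRIBE request and flags delivery URLs whose host is not the subscriber's own address. The function names, the sample requests and the matching rule are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic).
BENIGN = ("SUBSCRIBE /event/1 HTTP/1.1\r\n"
          "HOST: 192.168.1.1:5000\r\n"
          "CALLBACK: <http://192.168.1.20:49152/notify>\r\n"
          "NT: upnp:event\r\n"
          "TIMEOUT: Second-300\r\n\r\n")
SUSPECT = ("SUBSCRIBE /event/1 HTTP/1.1\r\n"
           "HOST: 192.0.2.10:5000\r\n"
           "CALLBACK: <http://198.51.100.9:49152/n><http://203.0.113.7:80/n>\r\n"
           "NT: upnp:event\r\n\r\n")


def callback_urls(request: str) -> list[str]:
    """Return the delivery URLs in the CALLBACK header of a SUBSCRIBE request."""
    lines = request.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].upper().startswith("SUBSCRIBE "):
        return []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "callback":
            # The header carries one or more URLs, each wrapped in <...>.
            return re.findall(r"<([^>]*)>", value)
    return []


def check_subscribe(request: str, source_ip: str) -> list[str]:
    """Flag callback URLs that do not point back at the subscriber.

    Assumed rule: a legitimate control point asks for events to be
    delivered to its own address, given as an IP literal.
    """
    src = ipaddress.ip_address(source_ip)
    findings = []
    for url in callback_urls(request):
        try:
            dest = ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:
            findings.append(f"callback host is not a valid IP literal: {url}")
            continue
        if dest != src:
            findings.append(f"callback {dest} differs from subscriber {src}: {url}")
    return findings
```

The same comparison can be applied to SUBSCRIBE requests recorded at a proxy or in a packet capture, with the connection's peer address passed as `source_ip`.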

Patching is not easy

Çadirci said he informed the OCF last year of the vulnerability. The organization has updated UPnP protocols since the publication of its report. These UPnP protocol updates were released online on April 17, 2020.

“Because it is a protocol vulnerability, vendors may take time to provide fixes,” Çadirci said today, suggesting that firmware fixes may take some time to arrive.

Instead, the researcher released a website this weekend containing basic tips that companies can deploy to block any exploitation attempts.

In addition, Çadirci has also released proof-of-concept scripts that companies can use to determine if their equipment is vulnerable to one of the CallStranger attacks.

The CallStranger security vulnerability is also identified as CVE-2020-12695.

There are currently around 5.45 million UPnP-enabled devices connected to the Internet, making it an ideal attack surface for IoT botnets and APTs.

Source: ZDNet.com

Source: www.zdnet.fr
