Earlier this month an independent security researcher responsibly disclosed the CallStranger UPnP vulnerability.
What is the CallStranger vulnerability and why is it important?
This vulnerability primarily impacts internet service providers, device vendors and enterprises. If an attacker were to exploit the vulnerability it could be used to:
- Send network traffic to destinations of the threat actor’s choice
- Create amplified DDoS attacks
- Carry out data exfiltration (by bypassing data loss prevention security measures), making this type of activity harder to detect
- Carry out port scanning of exposed UPnP devices on the same network, looking for further means of exploitation
There are billions of potentially vulnerable devices in use across the world. Such devices include home routers, broadband modems, smart TVs, printers, cameras, media gateways, Windows based devices and game consoles. A list of known vulnerable devices is available on the website dedicated to this vulnerability but it cannot be a complete list due to the large number of device vendors and device models impacted.
How can a threat actor exploit this vulnerability?
The threat actor would need to send a specially crafted HTTP SUBSCRIBE request to a vulnerable device. If a vulnerable UPnP device is exposed to the public internet, it can be located by the threat actor, for example using the Shodan tool. This server-side request forgery (SSRF) is not trivial to exploit.
What can an organisation or an individual do to be protected against this vulnerability?
As stated above, this vulnerability primarily impacts internet service providers, device vendors and enterprises. Please see the section titled “AM I VULNERABLE & WHAT TO DO?” of the website dedicated to this vulnerability for the necessary steps you should take.
Enterprises, businesses and ISPs can find an appropriate IDS signature for detecting the exploitation of this vulnerability from this CERT page.
Consumers/home users can also find the appropriate steps in that named section of the dedicated website.
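To illustrate what detecting the crafted SUBSCRIBE request described above involves, here is an added example (not the IDS signature from the CERT page and not the researcher's code). A UPnP SUBSCRIBE request names its event delivery URL(s) in a Callback header; the rule applied here, that every callback must point back at the sender's own address, is an assumed heuristic, and the sample requests and addresses are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

CALLBACK_URL = re.compile(r"<([^<>]+)>")  # Callback: <url> [<url> ...]
LAN = [ipaddress.ip_network(n) for n in
       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample requests (documentation/private addresses, not captures).
BENIGN = ("SUBSCRIBE /upnp/event HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
          "CALLBACK: <http://192.168.1.50:8080/event>\r\n"
          "NT: upnp:event\r\nTIMEOUT: Second-300\r\n\r\n")
CRAFTED = BENIGN.replace(
    "<http://192.168.1.50:8080/event>",
    "<http://203.0.113.10:80/> <http://192.168.1.77:8080/>")

def parse_request(raw):
    """Return (method, headers) with header names lower-cased."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0].upper(), headers

def suspicious_callbacks(raw, src_ip):
    """List (url, reason) for Callback URLs that do not point at the sender."""
    method, headers = parse_request(raw)
    if method != "SUBSCRIBE":
        return []
    sender, findings = ipaddress.ip_address(src_ip), []
    for url in CALLBACK_URL.findall(headers.get("callback", "")):
        try:
            target = ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:  # hostname or malformed URL: cannot be tied to sender
            findings.append((url, "callback host is not an IP literal"))
            continue
        if target != sender:
            scope = "internal" if any(target in n for n in LAN) else "external"
            findings.append((url, f"callback targets a different {scope} host"))
    return findings

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, suspicious_callbacks(req, "192.168.1.50"))
```

The "external" findings correspond to the traffic redirection, DDoS and exfiltration uses listed earlier, and the "internal" ones to scanning of other hosts on the same network.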