CallStranger – CVE-2020-12695 (Reflected Amplified TCP DDOS via UPnP SUBSCRIBE Callback) – 29th July 2020

Preface: In the cyber world, many defense mechanisms can accomplish their tasks well. However, daily operations involve different business expectations and change management. As a result, they create a lot of opportunity for cyber criminals.

Security focus today: With reference to the US-CERT announcement on 8th July 2020, US-CERT urged both information technology and operational technology zones that this design weakness of UPnP may affect users' environments. Down to the details: the Universal Plug and Play (UPnP) protocol in effect prior to April 17, 2020 can be abused to send traffic to arbitrary destinations using the SUBSCRIBE functionality. The impact of this design weakness is therefore wide. For instance, cyber criminals can turn this design weakness into a cyber weapon for data exfiltration. Besides, the feature can be exploited to bypass proxy servers and firewalls.
The data stealer will make use of a compromised device as a proxy, then establish a secure tunnel (SSL) to an external server. Since there is no blacklist database installed in this printer, the traffic is sent externally without difficulty. Apart from that, SSL traffic bypasses firewall content filtering, so the data can be exfiltrated. For the details of this matter, please refer to the attached diagram.

Reference: Vulnerability Note VU#339275 – https://kb.cert.org/vuls/id/339275

Highlights: An attacker can use this vulnerability for:

  • Bypassing DLP for exfiltrating data
  • Using millions of Internet-facing UPnP devices as a source of amplified reflected TCP DDoS / SYN Flood
  • Scanning internal ports from Internet facing UPnP devices
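As an added example (not the post's or the advisory's code), this is the admission check a UPnP device should apply to a SUBSCRIBE request to close the three abuses listed above: the subscriber itself must be on the local network, and every CALLBACK URL must point back into that network over plain http, never at an arbitrary Internet destination. LOCAL_NETWORKS and all addresses in it are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumption for this example: the device sits on this LAN. Real firmware
# would derive the list from its own interface configuration.
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# A CALLBACK header carries one or more URLs, each in angle brackets.
_CALLBACK_URL = re.compile(r"<([^>]*)>")

def parse_callback(header_value):
    """Split a CALLBACK header value such as '<url1><url2>' into its URLs."""
    return _CALLBACK_URL.findall(header_value)

def is_local(host, local_networks=LOCAL_NETWORKS):
    """True only for a literal IP address inside one of the local networks.
    Hostnames are rejected outright: they can resolve anywhere later on."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in local_networks)

def callback_allowed(url, local_networks=LOCAL_NETWORKS):
    """A NOTIFY may only be delivered over plain http to a local address."""
    parsed = urlparse(url)
    if parsed.scheme != "http" or parsed.hostname is None:
        return False
    return is_local(parsed.hostname, local_networks)

def vet_subscribe(src_ip, callback_header, local_networks=LOCAL_NETWORKS):
    """Decide whether to honour one SUBSCRIBE request.
    Returns (accepted_urls, rejected_urls). A request arriving from outside
    the LAN is rejected in full; that also closes the internal port-scan
    case, since an Internet-side subscriber can no longer aim the device's
    NOTIFY at 192.168.1.x on an arbitrary port."""
    urls = parse_callback(callback_header)
    if not is_local(src_ip, local_networks):
        return [], urls
    accepted, rejected = [], []
    for url in urls:
        (accepted if callback_allowed(url, local_networks) else rejected).append(url)
    return accepted, rejected

if __name__ == "__main__":
    # Constructed request: a LAN subscriber asking for one local and one external callback.
    print(vet_subscribe("192.168.1.7", "<http://192.168.1.20:49152/notify><http://203.0.113.5:80/>"))
```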
