The CERT Coordination Center has issued an advisory for CVE-2020-12695, a vulnerability in the UPnP protocol's SUBSCRIBE function that lets an attacker make a device send traffic to arbitrary destinations. Devices exposed to the internet with UPnP enabled can therefore be turned into reflectors for amplified DDoS attacks and used to exfiltrate data.
Universal Plug and Play (UPnP) is a set of networking protocols that let networked devices (such as WiFi devices, personal computers, printers and mobile devices) discover each other on a network. Once discovered, UPnP-enabled devices can share data and invoke each other's services with little manual setup.
The protocol, specified by the Open Connectivity Foundation (OCF), includes no authentication or verification of the parties that use it: any host that can reach a UPnP endpoint can send it requests.
More specifically, the CERT Coordination Center (CERT/CC) described the UPnP vulnerability CVE-2020-12695 in a recent advisory:
“A remote, unauthenticated attacker may be able to abuse the UPnP SUBSCRIBE capability to send traffic to arbitrary destinations, leading to amplified DDoS attacks and data exfiltration.”
The vulnerability has been named CallStranger, and the security researchers behind it have published a CallStranger website that describes it in more detail.
Tenable also published a blog post with a detailed breakdown of vulnerable products by category (operating systems, printers, IoT devices and applications). Notable entries include Windows 10.
Readers may also remember that in 2018 attackers were abusing Universal Plug and Play (UPnP) flaws to conceal the origin of their traffic, turning exposed devices into a malicious proxy network that was dubbed "UPnProxy."
At the time, UPnProxy was described as a serious risk because the attackers could route traffic through the hijacked devices at will, for use in different types of attacks such as DDoS, spam, phishing and click fraud.
Finally, CERT/CC recommends that vendors implement the OCF's updated UPnP specification, and that organizations and users continue to monitor for vendor updates and apply them as they become available. Until a device's firmware is fixed, the practical mitigation is to make sure UPnP is not reachable from the internet: disable it on WAN-facing interfaces and block inbound SUBSCRIBE requests to UPnP event endpoints at the perimeter.
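To make the SUBSCRIBE abuse and the corresponding check concrete, here is an added example written for this page; it is not code from CERT/CC, the OCF or the CallStranger researchers. It parses a constructed SUBSCRIBE request, pulls the URL(s) out of the CALLBACK header, and accepts the subscription only if every callback host is an IP literal inside the device's own network (assumed here to be 192.168.1.0/24), which is the kind of restriction the OCF update is meant to introduce. A vulnerable device skips this check and will POST a NOTIFY to whatever URL the attacker supplied; `build_notify` shows that outbound message so the reflection is visible. The request bodies, subnet and SID are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the UPnP device sits on this LAN. Callback URLs outside it
# are rejected. Both requests below are constructed, not captured traffic.
DEVICE_NETWORK = ipaddress.ip_network("192.168.1.0/24")

# CVE-2020-12695 abuse pattern: the Callback header names an internet host,
# and a vulnerable device will send its NOTIFY there on the attacker's behalf.
MALICIOUS_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:1900\r\n"
    "CALLBACK: <http://203.0.113.10:80/>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-300\r\n"
    "\r\n"
)

# A legitimate control point on the same LAN subscribing to the same service.
BENIGN_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:1900\r\n"
    "CALLBACK: <http://192.168.1.50:49152/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-300\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP request into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # [0] is the request line
        if not line:
            break                            # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def callback_urls(header_value):
    """UPnP allows several callback URLs, each wrapped in angle brackets."""
    return re.findall(r"<([^>]+)>", header_value)


def is_local_callback(url, network):
    """Accept only http:// URLs whose host is an IP literal inside `network`.
    Hostnames are rejected outright: resolving them would let DNS steer the
    NOTIFY anywhere, which defeats the point of the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or parts.hostname is None:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False
    return addr in network                   # False for a v4/v6 mismatch too


def check_subscribe(raw, network=DEVICE_NETWORK):
    """Decide whether a SUBSCRIBE may be honoured. Returns (accepted, reason)."""
    headers = parse_headers(raw)
    if headers.get("nt") != "upnp:event":
        return False, "NT header must be upnp:event"
    cb = headers.get("callback")
    if cb is None:
        return False, "missing CALLBACK header"
    urls = callback_urls(cb)
    if not urls:
        return False, "malformed CALLBACK header"
    for url in urls:
        if not is_local_callback(url, network):
            return False, "callback not on the local network: " + url
    return True, "ok"


def build_notify(callback_url, event_body):
    """The NOTIFY a device sends to the callback once it accepts a SUBSCRIBE.
    This is the reflected traffic: it leaves from the device's own address and
    carries an XML body larger than the SUBSCRIBE that triggered it."""
    parts = urlsplit(callback_url)
    return (
        "NOTIFY " + (parts.path or "/") + " HTTP/1.1\r\n"
        "HOST: " + parts.netloc + "\r\n"
        "CONTENT-TYPE: text/xml; charset=\"utf-8\"\r\n"
        "NT: upnp:event\r\n"
        "NTS: upnp:propchange\r\n"
        "SID: uuid:00000000-0000-0000-0000-000000000000\r\n"  # placeholder SID
        "SEQ: 0\r\n"
        "CONTENT-LENGTH: " + str(len(event_body)) + "\r\n"
        "\r\n" + event_body
    )


if __name__ == "__main__":
    for name, req in (("malicious", MALICIOUS_SUBSCRIBE), ("benign", BENIGN_SUBSCRIBE)):
        print(name, check_subscribe(req))
```

Run as a script it reports the malicious request as rejected and the benign one as accepted. The same `check_subscribe` logic can be run over captured SUBSCRIBE requests at the perimeter: any request whose callback points outside the local network is either an attack in progress or a misconfiguration worth investigating.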