
CallStranger Data Exfiltration via UPnP SUBSCRIBE Callback

Paliv

Very Senior Member
Stop us if you’ve heard this before but a researcher has uncovered a new security vulnerability affecting many devices running the Universal Plug and Play (UPnP) protocol.

Named CallStranger by discoverer Yunus Çadırcı, the potential for trouble with this flaw looks significant for a whole menu of reasons, starting with the gotcha that it’s UPnP.

UPnP was invented back in the mists of time to graft the idea of plug-and-play onto the knotty world of home networking.

UPnP meant users didn’t have to know how to configure router ports – if the device and the home router supported UPnP (often turned on by default), connectivity happened automagically.

https://nakedsecurity.sophos.com/2020/06/10/billions-of-devices-affected-by-upnp-vulnerability/
 
Sorry, I broke the link when I first posted this; it has been corrected.
 
What I’m unclear on is if the clients are vulnerable if the router is running miniUPnP. I clearly don’t have a good enough understanding of this.
 
Recommendation from security experts is still to disable UPnP. It is a matter of security over convenience.
 


What I’m unclear on is if the clients are vulnerable if the router is running miniUPnP. I clearly don’t have a good enough understanding of this.

Steve Gibson talked about this issue in his podcast "Security Now" episode #770.
He actually gave a historical perspective on the beginnings of these UPnP vulnerabilit(ies). (Intel never intended a "Sample" code to be baked into OEM chipsets)

at 40:15 into the episode
 
