Search This Blog

Showing posts with label UPnP. Show all posts

UPnP Vulnerability Affects Billion of Devices Allowing DDoS Attacks, Data Exfiltration


A new security vulnerability affecting devices running UPnP protocol has been discovered by a researcher named Yunus Çadırcı; dubbed as CallStranger the security flaw could be exploited by remote unauthenticated attackers to perform a number of malicious acts such as data exfiltration and distributed denial-of-service popularly known as DDoS attacks.

UPnP protocol is designed to speed up the process of automatic discovery and to facilitate interaction with devices on a network, it doesn't have any kind of verification or authentication and therefore is supposed to be employed within trusted LANs. Most of the internet-connected devices contain support for UPnP, however, the Device Protection service responsible for adding security features has not been broadly accepted.

The security vulnerability that is being tracked as CVE-2020-12695, affects Windows PCs, TVs, Cisco, Belkin Broadcom, Dell, D-Link, Gaming Consoles, Samsung, routers from Asus, Huawei, ZTE, TP-Link and probably many more.

While giving insights into his discovery, Çadırcı told, “[The vulnerability] is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet-facing and billions of LAN devices.”

“Home users are not expected to be targeted directly. If their internet-facing devices have UPnP endpoints, their devices may be used for DDoS source. Ask your ISP if your router has Internet-facing UPnP with CallStranger vulnerability — there are millions of consumer devices exposed to the Internet. Don't port forward to UPnP endpoints,” he further added.

“Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end-user devices. Because of the latest UPnP vulnerabilities, enterprises blocked Internet exposed UPnP devices so we don’t expect to see port scanning from the Internet to Intranet but Intranet2Intranet may be an issue.” The researcher concluded.

In order to stay safe, vendors are recommended to act upon the latest specifications put forth by the OCF, and users are advised to actively look out for vendor support channels for updates. Meanwhile, Device manufacturers are advised to disable the UPnP protocol on Internet-obtainable interfaces.

Casthack Exploits A Weakness In The Universal Plug And Play (Upnp) Networking Standard




Pair of ethical hackers known as CastHack have reportedly figured out how to hijack an apparent high number of Chromecast dongles cautioning their users about yet another security threat. This risk clearly attacks Google's Chromecast streaming devices driving users to play any YouTube video of the attacker’s choice.

The hackers, went on to display a message cautioning users about the security defect alongside a link clarifying how it can be fixed, at the same time requesting that users subscribe in to a prominent YouTuber PewDiePie.

CastHack exploits a shortcoming in the Universal Plug and Play (UPnP) networking standard in specific routers, which permits a part of the connected devices that are accessible on the web. The bug though, can be effectively fixed by disabling UPnP on the Internet router.

The company however says that it’s a 'flaw'  that influences the routers instead of the Chromecast itself, therefore it isn't Google's fault in the least.

Regardless, this new risk to Chromecast isn't the first as there have been many comparable issues before. To be specific in 2014 and 2016, when the security firm Bishop Fox had revealed that it could effectively gain control of a Chromecast by disengaging it from its present Wi-Fi system and returning it to a factory state and when another cyber security firm called Pen Test Partner affirmed that the gadget was as yet defenseless against such comparable attacks.

Attackers Utilize UPnP Features to Make DDoS Attacks Harder To Be Recognized




Security researchers are continuously observing DDoS attacks that utilize the UPnP features of home routers to modify network packets and make DDoS attacks harder to be recognizable and relieve with classic solutions.

Researchers from Imperva detailed the first UPnP port masking method, a new technique, a month ago.

Imperva staff announced that some DDoS botnets had begun utilizing the UPnP protocol found on home routers to skip the DDoS traffic off the router, but change the traffic's source port to an arbitrary number.

By changing the source port, more seasoned DDoS mitigation systems that depended on perusing this data to square approaching attacks started failing left and right, thus permitting the DDoS attacks to hit their intended targets.

The new DDoS mitigation systems that depend on deep packet inspection (DPI) are fit for identifying these sorts of attacks that utilize randomized source ports, however these are likewise more fiscally expensive for users and furthermore work slower, thus taking more time to distinguish and stop attacks.
\
Researchers at Imperva, Back in May, said that they've seen botnets executing DDoS attacks through the DNS and NTP protocols , but by utilizing UPnP to camouflage the traffic as originating from irregular ports, and not port 53 (DNS) or port 123 (NTP).

In those days, Bleeping Computer had foreseen that the strategy would turn out to be more prevalent among the botnet creators. This feeling turned out to be true yesterday when in a report by Arbor Networks, the organization wrote about observing comparative DDoS attacks that utilized the UPnP protocol, yet this time the procedure was utilized to mask the SSDP-based DDoS assaults.

SSDP DDoS attacks that would have been effectively moderated by blocking the approaching packets that came from port 1900 were harder to spot as the majority of the traffic originated from random ports rather than just one.

This UPnP-based port masking technique is obviously spreading among DDoS administrators, and DDoS mitigation providers will have to alter on the off chance that they need to stay in business, while organizations should put into overhauled securities in the event that they need to stay above water amidst these new types of deadly DDoS attacks.