The one UPnP stack that isn’t affected is MiniUPnP, which is used in a sizable chunk of home routers. It’s also been enabled on a lot of what might loosely be called Internet of Things (IoT) products, as well as major operating systems such as Windows 10, and even the Xbox games console.Ī list of known and suspected vulnerable devices is available on the CallStranger publicity website, but it would be wise not to assume this is definitive ( a script is available to poll the network for vulnerable devices).
Potentially large numbers of devices with UPnP enabled, which includes home routers, modems, smart TVs, printers, cameras, and media gateways.
#Sophos home free how many devices how to#
UPnP meant users didn’t have to know how to configure router ports – if the device and the home router supported UPnP (often turned on by default), connectivity happened automagically.īut UPnP also allowed more and more devices inside the network to connect to external entities on the internet with no authentication, which is where the trouble started.Įnter CallStranger ( CVE-2020-12695), technically a vulnerability in UPnP’s SUBSCRIBE function that makes possible what Çadırcı describes as a “Server Side Request Forgery (SSRF)-like vulnerability.”Īn attacker able to exploit this flaw could use it to co-opt vulnerable devices for DDoS attacks, bypass data loss prevention security to sneak data out of networks, and possibly carry out port scanning to probe for exposed UPnP devices. UPnP was invented back in the mists of time to graft the idea of plug-and-play onto the knotty world of home networking. Named CallStranger by discoverer Yunus Çadırcı, the potential for trouble with this flaw looks significant for a whole menu of reasons, starting with the gotcha that it’s UPnP.
Stop us if you’ve heard this before but a researcher has uncovered a new security vulnerability affecting many devices running the Universal Plug and Play (UPnP) protocol.