
Cloud Vulnerability DB
A community-led vulnerabilities database
The Open Connectivity Foundation UPnP specification before 2020-04-17 contains a vulnerability (CVE-2020-12695), also known as CallStranger, in that it does not forbid accepting a subscription request whose delivery URL is on a different network segment than the fully qualified event-subscription URL. The vulnerability was discovered by Yunus Çadırcı of EY Turkey and was publicly disclosed on June 8, 2020 (CERT VU, Tenable Blog).
The vulnerability exists in the UPnP SUBSCRIBE capability, which allows devices to monitor changes in other devices and services. The flaw allows an attacker to control the Callback header value in the UPnP SUBSCRIBE function, enabling server-side request forgery (SSRF)-like behavior. The vulnerability affects billions of devices that utilize UPnP, including personal computers, networking equipment, video game consoles and IoT devices (Tenable Blog). The CVSS score for this vulnerability is 7.5 (High) (NVD).
An attacker can exploit this vulnerability in three main ways: 1) Bypass Data Loss Prevention (DLP) systems to exfiltrate data, 2) Use Internet-facing UPnP devices as sources for amplified reflected TCP DDoS attacks, and 3) Scan internal ports from Internet-facing UPnP devices (CERT VU, Tenable Blog).
The OCF has updated the UPnP specification to address this issue. Recommended mitigations include: 1) Disable unnecessary UPnP services, especially for Internet-facing devices/interfaces, 2) Monitor vendor support channels for updates that implement the new SUBSCRIBE specification, 3) Check network security logs for potential exploitation, and 4) Contact ISP/DDoS protection vendors to ensure their solutions can block traffic generated by UPnP SUBSCRIBE (CERT VU).
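The check the updated specification calls for, and the one a defender would run over captured SUBSCRIBE requests when reviewing logs, is the same: parse the CALLBACK header and reject any delivery URL whose host is not on the network segment of the event-subscription URL. The following is an added example written for this page; it is not code from Wiz, the OCF, or the original report. It assumes the device (or the log reviewer) knows the IP address and prefix length of the interface that serves the event-subscription URL, and it deliberately treats a callback host given as a DNS name as a finding rather than resolving it, since resolution would itself be an attacker-influenced network request. The sample requests are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# The UPnP CALLBACK header carries one or more URLs, each wrapped in <...>.
_CALLBACK_URL_RE = re.compile(r"<([^>]+)>")


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def callback_urls(headers: Dict[str, str]) -> List[str]:
    """Return every <url> token from the CALLBACK header (empty list if absent)."""
    return _CALLBACK_URL_RE.findall(headers.get("callback", ""))


def check_subscribe(raw: bytes, event_sub_ip: str, prefix_len: int) -> Tuple[bool, List[str]]:
    """Decide whether a SUBSCRIBE request may be accepted.

    event_sub_ip / prefix_len describe the interface the event-subscription URL
    lives on (assumed known). Returns (accept, findings); findings explain a
    rejection in log-friendly form.
    """
    request_line, headers = parse_request(raw)
    method = request_line.split(" ", 1)[0].upper()
    if method != "SUBSCRIBE":
        return True, []                     # only SUBSCRIBE carries a delivery URL
    if "sid" in headers and "callback" not in headers:
        return True, []                     # renewal of an existing subscription

    segment = ipaddress.ip_network(f"{event_sub_ip}/{prefix_len}", strict=False)
    findings: List[str] = []
    urls = callback_urls(headers)
    if not urls:
        return False, ["SUBSCRIBE carries no CALLBACK URL"]

    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            findings.append(f"malformed callback URL {url!r}")
            continue
        try:
            addr = ipaddress.ip_address(parts.hostname)
        except ValueError:
            # A hostname would need a lookup to verify; refuse instead of resolving.
            findings.append(f"callback host is not an IP literal: {url!r}")
            continue
        if addr not in segment:
            # This is the CallStranger case: delivery to another segment, the
            # Internet, or the device's own loopback/other interfaces.
            findings.append(f"callback {url!r} is outside segment {segment}")
    return (not findings), findings


# Constructed sample requests (not captured traffic).
SAMPLE_OK = (
    b"SUBSCRIBE /upnp/event/wanipconn1 HTTP/1.1\r\n"
    b"HOST: 192.168.1.1:49152\r\n"
    b"CALLBACK: <http://192.168.1.50:49152/notify>\r\n"
    b"NT: upnp:event\r\n"
    b"TIMEOUT: Second-1800\r\n\r\n"
)
SAMPLE_EXTERNAL = (
    b"SUBSCRIBE /upnp/event/wanipconn1 HTTP/1.1\r\n"
    b"HOST: 192.168.1.1:49152\r\n"
    b"CALLBACK: <http://203.0.113.9:80/collect>\r\n"
    b"NT: upnp:event\r\n"
    b"TIMEOUT: Second-1800\r\n\r\n"
)
SAMPLE_LOOPBACK = (
    b"SUBSCRIBE /upnp/event/wanipconn1 HTTP/1.1\r\n"
    b"HOST: 192.168.1.1:49152\r\n"
    b"CALLBACK: <http://127.0.0.1:22/>\r\n"
    b"NT: upnp:event\r\n"
    b"TIMEOUT: Second-1800\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("external", SAMPLE_EXTERNAL), ("loopback", SAMPLE_LOOPBACK)):
        accept, why = check_subscribe(sample, "192.168.1.1", 24)
        print(label, "ACCEPT" if accept else "REJECT", "; ".join(why))
```

Run over a packet capture or reverse-proxy log, the findings list doubles as the detection signal the mitigations above ask for: a SUBSCRIBE whose CALLBACK points off-segment (or at loopback, which is how internal port probing would look) is exactly the traffic the patched specification now refuses.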
Source: This report was generated using AI