CVE-2020-12695
Published 2020-06-08
Priority P348 · high · 7.5 CVSS 3.1
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H
EPSS 15.19% · 96.3th percentile
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | gupnp | < gupnp 1.2.3-1 (bookworm) | gupnp 1.2.3-1 (bookworm) |
| debian | minidlna | < gupnp 1.2.3-1 (bookworm) | gupnp 1.2.3-1 (bookworm) |
| debian | pupnp | < gupnp 1.2.3-1 (bookworm) | gupnp 1.2.3-1 (bookworm) |
| debian | pupnp-1.8 | < gupnp 1.2.3-1 (bookworm) | gupnp 1.2.3-1 (bookworm) |
| debian | wpa | < gupnp 1.2.3-1 (bookworm) | gupnp 1.2.3-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| gupnp | gupnp | >= 0 < 1.2.3-1 | 1.2.3-1 |
| gupnp | gupnp | >= 0 < 1.2.3-1 | 1.2.3-1 |
| gupnp | gupnp | >= 0 < 1.2.3-1 | 1.2.3-1 |
| gupnp | gupnp | >= 0 < 1.2.3-1 | 1.2.3-1 |
| microsoft | xbox_one | — | — |
| w1.fi | hostapd | < 2.0.0 | 2.0.0 |
CVSS provenance
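| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H |
| nvd | v2.0 | 7.8 | HIGH | AV:N/AC:M/Au:N/C:P/I:N/A:C |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |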
Ubuntu
wpa_supplicant and hostapd vulnerabilities
vendor_ubuntu·2021-02-16·CVSS 7.5
CVE-2021-0326 [HIGH] wpa_supplicant and hostapd vulnerabilities
Title: wpa_supplicant and hostapd vulnerabilities
Summary: Several security issues were fixed in wpa_supplicant and hostapd.
USN-4734-1 fixed several vulnerabilities in wpa_supplicant. This
update provides the corresponding update for Ubuntu 14.04 ESM.
It was discovered that wpa_supplicant did not properly handle P2P
(Wi-Fi Direct) group information in some situations, leading to a
heap overflow. A physically proximate attacker could use this to cause a
denial of service or possibly execute arbitrary code. (CVE-2021-0326)
It was discovered that hostapd did not properly handle UPnP subscribe
messages in some circumstances. An attacker could use this to cause a
denial of service. (CVE-2020-12695)
Instructions: After a standard system update you need to reboot your computer to make
all t
Ubuntu
wpa_supplicant and hostapd vulnerabilities
vendor_ubuntu·2021-02-11·CVSS 7.5
CVE-2021-0326 [HIGH] wpa_supplicant and hostapd vulnerabilities
Title: wpa_supplicant and hostapd vulnerabilities
Summary: Several security issues were fixed in wpa_supplicant and hostapd.
It was discovered that wpa_supplicant did not properly handle P2P
(Wi-Fi Direct) group information in some situations, leading to a
heap overflow. A physically proximate attacker could use this to cause a
denial of service or possibly execute arbitrary code. (CVE-2021-0326)
It was discovered that hostapd did not properly handle UPnP subscribe
messages in some circumstances. An attacker could use this to cause a
denial of service. (CVE-2020-12695)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Ubuntu
ReadyMedia (MiniDLNA) vulnerabilities
vendor_ubuntu·2021-02-04·CVSS 7.5
CVE-2020-12695 [HIGH] ReadyMedia (MiniDLNA) vulnerabilities
Title: ReadyMedia (MiniDLNA) vulnerabilities
Summary: ReadyMedia (MiniDLNA) could be made to crash if it received specially crafted
input.
It was discovered that ReadyMedia (MiniDLNA) allowed subscription requests with
a delivery URL on a different network segment than the fully qualified event-
subscription URL. An attacker could use this to hijack smart devices and cause
denial of service attacks. (CVE-2020-12695)
It was discovered that ReadyMedia (MiniDLNA) allowed remote code execution.
A remote attacker could send a malicious UPnP HTTP request to the service
using HTTP chunked encoding and cause a denial of service.
(CVE-2020-28926)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
GUPnP vulnerability
vendor_ubuntu·2020-09-15
CVE-2020-12695 GUPnP vulnerability
Title: GUPnP vulnerability
Summary: gupnp could be made to expose sensitive information or perform network
attacks if it received specially crafted network traffic.
It was discovered that GUPnP incorrectly handled certain subscription
requests. A remote attacker could possibly use this issue to exfiltrate
data or use GUPnP to perform DDoS attacks.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Red Hat
hostapd: UPnP SUBSCRIBE misbehavior in WPS AP
vendor_redhat·2020-06-08·CVSS 7.5
CVE-2020-12695 [HIGH] CWE-918 hostapd: UPnP SUBSCRIBE misbehavior in WPS AP
hostapd: UPnP SUBSCRIBE misbehavior in WPS AP
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
Statement: This flaw does not affect the wpa_supplicant package as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8. wpa_supplicant's WiFi Protected Setup (WPS) External Registrar functionality, which uses UPnP to act as a registrar for a WiFi access point, and hostapd's WPS UPnP functionality, are disabled in the build configuration. Additionally, wpa_supplicant's P2P functionality does not support UPnP as shipped in Red Hat Enterprise Linux 5, 6, 7 and 8.
Mitigation: To mitigate this f
Debian
CVE-2020-12695: gupnp - The Open Connectivity Foundation UPnP specification before 2020-04-17 does not f...
vendor_debian·2020·CVSS 7.5
CVE-2020-12695 [HIGH] CVE-2020-12695: gupnp - The Open Connectivity Foundation UPnP specification before 2020-04-17 does not f...
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
Scope: local
bookworm: resolved (fixed in 1.2.3-1)
bullseye: resolved (fixed in 1.2.3-1)
forky: resolved (fixed in 1.2.3-1)
sid: resolved (fixed in 1.2.3-1)
trixie: resolved (fixed in 1.2.3-1)
GHSA
GHSA-wp9w-2vp9-wg66: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on
ghsa_unreviewed·2022-05-24
CVE-2020-12695 [HIGH] CWE-276 GHSA-wp9w-2vp9-wg66: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
OSV
wpa vulnerabilities
osv·2021-02-16·CVSS 7.5
CVE-2021-0326 [HIGH] wpa vulnerabilities
wpa vulnerabilities
USN-4734-1 fixed several vulnerabilities in wpa_supplicant. This
update provides the corresponding update for Ubuntu 14.04 ESM.
It was discovered that wpa_supplicant did not properly handle P2P
(Wi-Fi Direct) group information in some situations, leading to a
heap overflow. A physically proximate attacker could use this to cause a
denial of service or possibly execute arbitrary code. (CVE-2021-0326)
It was discovered that hostapd did not properly handle UPnP subscribe
messages in some circumstances. An attacker could use this to cause a
denial of service. (CVE-2020-12695)
OSV
wpa vulnerabilities
osv·2021-02-11·CVSS 7.5
CVE-2021-0326 [HIGH] wpa vulnerabilities
wpa vulnerabilities
It was discovered that wpa_supplicant did not properly handle P2P
(Wi-Fi Direct) group information in some situations, leading to a
heap overflow. A physically proximate attacker could use this to cause a
denial of service or possibly execute arbitrary code. (CVE-2021-0326)
It was discovered that hostapd did not properly handle UPnP subscribe
messages in some circumstances. An attacker could use this to cause a
denial of service. (CVE-2020-12695)
OSV
minidlna vulnerabilities
osv·2021-02-04·CVSS 7.5
CVE-2020-12695 [HIGH] minidlna vulnerabilities
minidlna vulnerabilities
It was discovered that ReadyMedia (MiniDLNA) allowed subscription requests with
a delivery URL on a different network segment than the fully qualified event-
subscription URL. An attacker could use this to hijack smart devices and cause
denial of service attacks. (CVE-2020-12695)
It was discovered that ReadyMedia (MiniDLNA) allowed remote code execution.
A remote attacker could send a malicious UPnP HTTP request to the service
using HTTP chunked encoding and cause a denial of service.
(CVE-2020-28926)
OSV
CVE-2020-12695: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on
osv·2020-06-08·CVSS 7.5
CVE-2020-12695 [HIGH] CVE-2020-12695: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
Suricata
ET DOS CallStranger - Attempted UPnP Reflected Amplified TCP with Multiple Callbacks (CVE-2020-12695)
suricata·2020-06-15·CVSS 7.5
CVE-2020-12695 [HIGH] ET DOS CallStranger - Attempted UPnP Reflected Amplified TCP with Multiple Callbacks (CVE-2020-12695)
ET DOS CallStranger - Attempted UPnP Reflected Amplified TCP with Multiple Callbacks (CVE-2020-12695)
Rule: alert http $EXTERNAL_NET any -> any any (msg:"ET DOS CallStranger - Attempted UPnP Reflected Amplified TCP with Multiple Callbacks (CVE-2020-12695)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.request_header; header_lowercase; content:"callback|3a 20|"; fast_pattern; startswith; content:"<http"; distance:0; reference:url,github.com/yunuscadirci/CallStranger; reference:cve,2020-12695; classtype:attempted-dos; sid:2030339; rev:3; metadata:affected_product UPnP, attack_target IoT, created_at 2020_06_15, cve CVE_2020_12695, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, upd
Suricata
ET SCAN UPnP SUBSCRIBE Inbound - Possible CallStranger Scan (CVE-2020-12695)
suricata·2020-06-09·CVSS 7.5
CVE-2020-12695 [HIGH] ET SCAN UPnP SUBSCRIBE Inbound - Possible CallStranger Scan (CVE-2020-12695)
ET SCAN UPnP SUBSCRIBE Inbound - Possible CallStranger Scan (CVE-2020-12695)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN UPnP SUBSCRIBE Inbound - Possible CallStranger Scan (CVE-2020-12695)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; nocase; http.header_names; to_lowercase; content:"|0d 0a|callback|0d 0a|"; fast_pattern; content:"|0d 0a|nt|0d 0a|"; reference:cve,2020-12695; reference:url,kb.cert.org/vuls/id/339275; classtype:attempted-recon; sid:2030272; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_06_09, cve CVE_2020_12695, deployment Perimeter, confidence Medium, signature_severity Informational, updated_at 2024_04_20;)
No public exploits indexed.
Sentinelone
Hiding in Plain Sight | The IoT Security Headache and How to Fix It
blogs_sentinelone·2020-10-14·CVSS 7.5
[HIGH] Hiding in Plain Sight | The IoT Security Headache and How to Fix It
Within five years, some suggest there will be over 30 billion IoT devices worldwide, and these “things” will generate 79.4 zettabytes of data. The explosion of connected devices in the home, enterprise and industrial environments increases the attack surfaces of these entities many times over. Moreover, many of these devices are insecure by nature, and others, although possessing reasonable security mechanisms, are left exposed due to poor cyber hygiene and lack of IoT security know-how. In this post, we look at some of the dangers posed by IoT devices and how they can be addressed.
## Enhanced DDoS Attacks with CallStranger
The quest to make connected devices cheap and easy to install and operate has resulted in the creation of less-than adequate security mechanisms – such is the case wi
Sentinelone
DDoS Threats Are Back: What You Need To Know
blogs_sentinelone·2020-07-14
DDoS Threats Are Back: What You Need To Know
Starting on the afternoon of June 15, a wide outage appeared to be affecting ISPs, social media platforms and mobile carriers. A Twitter account associated with Anonymous announced that the US was currently under “a major DDoS attack.” It included a map showing the US being bombarded by internet traffic from all over the globe.
> The U.S. is currently under a major DDoS attack. https://t.co/7pmLpWUzUp pic.twitter.com/W5giIA2Inc
>
> — Anonymous (@YourAnonCentral) June 15, 2020
The internet was soon abuzz with speculations about “the world’s largest ever DDoS attack”. But was it?
Matthew Prince, CEO at DDoS protection company Cloudflare, answered with his own tweet, stating that the outage wasn’t the result of a massive-scale DDoS attack. It was, rather, “far more boring,” Prince sa
Tenable
CVE-2020-12695: CallStranger Vulnerability in Universal Plug and Play (UPnP) Puts Billions of Devices At Risk
blogs_tenable·2020-06-08·CVSS 7.5
[HIGH] CVE-2020-12695: CallStranger Vulnerability in Universal Plug and Play (UPnP) Puts Billions of Devices At Risk
Bugzilla
CVE-2020-12695 hostapd: UPnP SUBSCRIBE misbehavior in WPS AP [fedora-all]
bugzilla·2020-06-10·CVSS 7.5
CVE-2020-12695 [HIGH] CVE-2020-12695 hostapd: UPnP SUBSCRIBE misbehavior in WPS AP [fedora-all]
CVE-2020-12695 hostapd: UPnP SUBSCRIBE misbehavior in WPS AP [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of
Bugzilla
CVE-2020-12695 hostapd: UPnP SUBSCRIBE misbehavior in WPS AP
bugzilla·2020-06-10·CVSS 7.5
CVE-2020-12695 [HIGH] CVE-2020-12695 hostapd: UPnP SUBSCRIBE misbehavior in WPS AP
CVE-2020-12695 hostapd: UPnP SUBSCRIBE misbehavior in WPS AP
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
References:
http://www.openwall.com/lists/oss-security/2020/06/08/2
https://www.kb.cert.org/vuls/id/339275
https://github.com/yunuscadirci/CallStranger
https://www.callstranger.com
Discussion:
Created hostapd tracking bugs for this issue:
Affects: epel-all [bug 1846008]
Affects: fedora-all [bug 1846007]
---
General Flaw summary:
Devices host UPnP servers in order to supply information to UPnP clients and allow them to send commands to the UPnP server. For example, a device
Bugzilla
CVE-2020-12695 hostapd: UPnP SUBSCRIBE misbehavior in WPS AP [epel-all]
bugzilla·2020-06-10·CVSS 7.5
CVE-2020-12695 [HIGH] CVE-2020-12695 hostapd: UPnP SUBSCRIBE misbehavior in WPS AP [epel-all]
CVE-2020-12695 hostapd: UPnP SUBSCRIBE misbehavior in WPS AP [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedo
http://packetstormsecurity.com/files/158051/CallStranger-UPnP-Vulnerability-Checker.html
http://www.openwall.com/lists/oss-security/2020/06/08/2
https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/
https://github.com/corelight/callstranger-detector
https://github.com/yunuscadirci/CallStranger
https://lists.debian.org/debian-lts-announce/2020/08/msg00011.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00013.html
https://lists.debian.org/debian-lts-announce/2020/12/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3SHL4LOFGHJ3DIXSUIQELGVBDJ7V7LB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZDWHKGN3LMGSUEOAAVAMOD3IUIPJVOJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQEYVY4D7LASH6AI4WK3IK2QBFHHF3Q2/
https://usn.ubuntu.com/4494-1/
https://www.callstranger.com
https://www.debian.org/security/2020/dsa-4806
https://www.debian.org/security/2021/dsa-4898
https://www.kb.cert.org/vuls/id/339275
https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of