CVE-2020-12695: UniFi Controller Auth Bypass Vulnerability

CVE-2020-12695 Overview

CVE-2020-12695, commonly known as the "CallStranger" vulnerability, is a protocol-level flaw in the Universal Plug and Play (UPnP) specification maintained by the Open Connectivity Foundation. The vulnerability exists because the UPnP specification before April 17, 2020 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL. This design weakness allows attackers to abuse UPnP-enabled devices for data exfiltration, DDoS amplification attacks, and internal network scanning.

Critical Impact

Attackers can leverage billions of UPnP-enabled devices worldwide to exfiltrate data past network security controls, launch amplified DDoS attacks, and conduct reconnaissance on internal networks without authentication.

Affected Products

• Microsoft Windows 10 and Xbox One
• Cisco WAP131, WAP150, and WAP351 Wireless Access Points
• HP Envy, Deskjet, and OfficeJet Printer Series
• Epson XP Series Printers
• Huawei HG255S and HG532E Routers
• TP-Link Archer C50
• ASUS RT-N11
• Netgear WNHDE111
• ZyXEL AMG1202-T10B and VMG8324-B10A
• Debian Linux 9.0 and 10.0
• Fedora 31 and 32
• Canonical Ubuntu Linux 20.04 LTS

Discovery Timeline

• June 8, 2020 - CVE-2020-12695 published to NVD
• November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2020-12695

Vulnerability Analysis

The CallStranger vulnerability stems from a fundamental design flaw in the UPnP protocol's SUBSCRIBE functionality. UPnP devices implementing the eventing mechanism allow clients to register callback URLs where event notifications should be delivered. The protocol specification failed to mandate that callback URLs must reside on the same network segment as the requesting device, creating an opportunity for Server-Side Request Forgery (SSRF) attacks.

The vulnerability can be exploited in three primary attack scenarios. First, attackers can use vulnerable UPnP devices as proxies to exfiltrate data from internal networks to external servers, bypassing Data Loss Prevention (DLP) systems and network security controls. Second, the flaw enables reflection-based DDoS amplification attacks where a small subscription request triggers larger notification responses directed at victim systems. Third, attackers can leverage the vulnerability to scan internal networks and enumerate services behind firewalls by observing callback responses.

The exploitation requires network-level access to send UPnP SUBSCRIBE requests to vulnerable devices, though the scope change allows impacts beyond the vulnerable component itself to affect other systems on different network segments.

Root Cause

The root cause is classified as CWE-276 (Incorrect Default Permissions), where the UPnP specification's permissive default behavior allows callback URLs to point to arbitrary network locations. The protocol design assumed trusted local network environments and failed to implement origin validation or network boundary checks for subscription callback destinations. This architectural decision made before security-by-design principles were widely adopted left billions of deployed devices vulnerable.

Attack Vector

The attack vector is network-based and does not require authentication or user interaction. An attacker sends specially crafted SUBSCRIBE requests to UPnP-enabled devices, specifying a callback URL that points to either an external server (for data exfiltration) or an internal resource (for network scanning). The vulnerable device then sends event notifications to the attacker-controlled destination.

For data exfiltration, the attacker encodes sensitive data in the SUBSCRIBE request parameters, which the device then relays to the external callback URL. For DDoS amplification, attackers specify the victim's IP address as the callback destination, causing multiple devices to flood the target with notification traffic. For internal reconnaissance, the attacker monitors response timing and content to map internal network topology and services.

Detection Methods for CVE-2020-12695

Indicators of Compromise

• Unusual outbound UPnP traffic (typically port 1900 UDP for discovery, various TCP ports for subscriptions) to external IP addresses
• SUBSCRIBE requests with callback URLs pointing to non-local network segments or public IP addresses
• High volumes of UPnP event notifications originating from internal devices to unexpected destinations
• Network logs showing UPnP devices making connections to external servers they wouldn't normally communicate with

Detection Strategies

• Deploy network monitoring to identify UPnP SUBSCRIBE requests containing external callback URLs using tools like the Corelight Zeek CallStranger Detector
• Implement Deep Packet Inspection (DPI) rules to flag UPnP traffic where the callback header contains IP addresses outside the local subnet
• Use the CallStranger Vulnerability Checker to scan your network for vulnerable devices
• Monitor for anomalous traffic patterns from IoT devices, printers, and network equipment that may indicate exploitation

Monitoring Recommendations

• Establish baseline UPnP traffic patterns and alert on deviations indicating potential abuse
• Configure SIEM rules to correlate UPnP activity with network boundary crossings
• Implement egress filtering monitoring to detect data exfiltration attempts via UPnP callbacks
• Review firewall logs for blocked outbound connections from devices that don't typically require external network access

How to Mitigate CVE-2020-12695

Immediate Actions Required

• Disable UPnP on all devices where the functionality is not explicitly required, especially on internet-facing network segments
• Configure firewalls to block inbound UPnP discovery (UDP port 1900) and subscription traffic from untrusted networks
• Apply firmware updates from device vendors that implement callback URL validation according to the updated UPnP specification
• Segment IoT devices and printers onto isolated network VLANs with restricted external communication capabilities

Patch Information

The Open Connectivity Foundation updated the UPnP specification on April 17, 2020 to address this vulnerability. Individual device manufacturers have released firmware updates implementing the specification changes. Consult vendor security advisories for specific patch availability:

• Debian Security Advisory DSA-4806 and DSA-4898 for hostapd updates
• Ubuntu Security Notice USN-4494-1 for affected Ubuntu packages
• Fedora Package Announcements for Fedora updates
• Review CERT Vulnerability Note VU#339275 for comprehensive vendor response information

Workarounds

• Block UPnP traffic at network perimeters using firewall rules that deny inbound traffic on UDP port 1900 and common UPnP subscription ports
• Implement network segmentation to isolate UPnP-capable devices from sensitive network segments and prevent lateral movement
• Use NAT and egress filtering to restrict which internal devices can communicate with external networks
• Deploy intrusion detection/prevention systems with signatures for CallStranger exploitation attempts

# Example iptables rules to block UPnP discovery and limit exposure
# Block inbound SSDP/UPnP discovery from external networks
iptables -A INPUT -p udp --dport 1900 -i eth0 -j DROP
iptables -A INPUT -p udp --sport 1900 -i eth0 -j DROP

# Block outbound UPnP traffic from IoT VLAN to external networks
iptables -A FORWARD -s 192.168.10.0/24 -p udp --dport 1900 -o eth0 -j DROP
iptables -A FORWARD -s 192.168.10.0/24 -p tcp --dport 5000 -o eth0 -j DROP