CVE-2020-12695 - Incorrect Default Permissions

Severity: 93%

Complexity: 39%

Confidentiality: 78%

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

CVSS 3.1 Base Score 9.3. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H).

CVSS 2.0 Base Score 7.8. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:C).

CVSS 3.1 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H).

Overview

First reported: 2020-06-08 17:15:00 (4 years ago)

Last updated: 2020-12-11 00:15:00 (4 years ago)

Affected Software

HP ENVY 5000 M2U85A

HP ENVY 5000 M2U85B

HP ENVY 5000 M2U91A

HP ENVY 5000 M2U94B

HP ENVY 5000 Z4A54A

HP ENVY 5000 Z4A74A

HP ENVY Photo 6200 K7G18A

HP ENVY Photo 6200 K7G26B

HP ENVY Photo 6200 K7S21B

HP ENVY Photo 6200 Y0K13D

HP ENVY Photo 6200 Y0K15A

HP ENVY Photo 7100 3XD89A

HP ENVY Photo 7100 K7G93A

HP ENVY Photo 7100 K7G99A

HP ENVY Photo 7100 Z3M37A

HP ENVY Photo 7100 Z3M52A

HP ENVY Photo 7800 K7R96A

HP ENVY Photo 7800 K7S00A

HP ENVY Photo 7800 K7S10D

HP ENVY Photo 7800 Y0G42D

HP ENVY Photo 7800 Y0G52B

Huawei HG255s

ZTE ZXV10 W300 Router
