CVE-2020-12695
CVE-2020-12695
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
Affected products
n/a · n/aWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/158051/CallStranger-UPnP-Vulnerability-Checker.htmlhttps://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/https://github.com/corelight/callstranger-detectorhttps://github.com/yunuscadirci/CallStrangerhttps://lists.debian.org/debian-lts-announce/2020/08/msg00011.htmlhttps://lists.debian.org/debian-lts-announce/2020/08/msg00013.htmlhttps://lists.debian.org/debian-lts-announce/2020/12/msg00017.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3SHL4LOFGHJ3DIXSUIQELGVBDJ7V7LB/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZDWHKGN3LMGSUEOAAVAMOD3IUIPJVOJ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQEYVY4D7LASH6AI4WK3IK2QBFHHF3Q2/https://usn.ubuntu.com/4494-1/https://www.callstranger.com