PT-2020-5629 · Microsoft+12 · Xbox One+13
Published
2014-02-06
·
Updated
2024-06-15
·
CVE-2020-12695
CVSS v2.0
7.8
High
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Open Connectivity Foundation UPnP specification versions prior to 2020-04-17
4thline cling versions 2.0.0 through 2.1.2
Description
The issue is in the UPnP protocol, which allows remote attackers to cause a denial of service via an unchecked CALLBACK parameter in the request header. The vulnerability can be exploited to extract data from networks, scan ports of computers on the internal network, and amplify DDoS attacks using millions of connected UPnP devices, such as cable modems, home routers, game consoles, IP cameras, TV set-top boxes, media centers, and printers. The estimated number of potentially affected devices worldwide is not specified, but the issue is known to affect a wide range of devices, including PCs running Windows 10, Xbox One, modems and routers from different manufacturers, smart TVs, and "smart home" devices.
Recommendations
For Open Connectivity Foundation UPnP specification versions prior to 2020-04-17: Consider disabling the UPnP protocol until a patch is available.
For 4thline cling versions 2.0.0 through 2.1.2: As 4thline cling is no longer supported by the maintainers, consider upgrading to a supported alternative or disabling the vulnerable CALLBACK parameter in the request header.
As a temporary workaround, consider restricting access to the UPnP protocol to minimize the risk of exploitation. Additionally, consider closing UPnP ports to prevent potential attacks.
Exploit
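The root cause described above is that a UPnP device accepts any URL placed in the CALLBACK header of an eventing SUBSCRIBE request and later delivers notifications to it. The check below is an added example, not code from the advisory or from 4thline cling: it parses the header and accepts a subscription only when every callback URL is a plain HTTP URL whose host is a literal IP on the device's own network. The sample header and the 192.168.1.0/24 network are constructed values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: a CALLBACK header carries one or more <URL> entries.
# The second entry points outside the local network and must be refused.
SAMPLE_CALLBACK = "<http://192.168.1.23:49152/notify><http://203.0.113.9:80/>"


def parse_callback(header):
    """Return the URLs enclosed in angle brackets in a CALLBACK header."""
    urls = []
    rest = header.strip()
    while rest.startswith("<"):
        end = rest.find(">")
        if end == -1:
            raise ValueError("unterminated <URL> in CALLBACK header")
        urls.append(rest[1:end])
        rest = rest[end + 1:].lstrip()
    if rest:
        raise ValueError("unexpected trailing data in CALLBACK header")
    return urls


def callback_allowed(header, subscriber_ip, device_networks):
    """Accept the subscription only if every callback URL uses http, names a
    literal IP (no DNS lookups), and that IP is the subscriber itself or lies
    inside one of the device's own networks. Returns (ok, reason)."""
    nets = [ipaddress.ip_network(n) for n in device_networks]
    try:
        urls = parse_callback(header)
    except ValueError as exc:
        return False, str(exc)
    if not urls:
        return False, "no callback URL"
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return False, f"rejected scheme/host in {url}"
        try:
            host = ipaddress.ip_address(parts.hostname)
        except ValueError:
            return False, f"hostname must be a literal IP: {url}"
        if host.is_loopback or host.is_multicast:
            return False, f"loopback/multicast target: {url}"
        if str(host) != subscriber_ip and not any(host in n for n in nets):
            return False, f"callback outside local network: {url}"
    return True, "ok"
```

Rejecting external, loopback and DNS-named callback targets removes the server-side request forgery and amplification path while leaving ordinary LAN eventing intact.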
Fix
SSRF
Incorrect Default Permissions
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Open Connectivity Foundation Upnp
Red Hat
Rocky Linux
Suse
Ubuntu
Windows 10
Xbox One
Cling