Security Experts:

1.2 Million Networking Devices Vulnerable Due to NAT-PMP Issues

Researchers have found that a large number of networking devices are vulnerable to cyberattacks because of poor implementation or configuration of the Network Address Translation - Port Mapping Protocol (NAT-PMP).

Jon Hart, a security researcher with Rapid7, reported on Tuesday that the security firm identified roughly 1.2 million Internet-connected devices affected by malicious port mapping manipulation and information disclosure vulnerabilities.

NAT-PMP is a UDP protocol deployed on NAT devices that allows users from a public network (i.e., the Internet) to access TCP or UDP services from a private network that's located behind the NAT device. NAT-PMP is usually found in small office/home office (SOHO) routers and other networking devices.

 NAT-PMP is designed for use on networks where clients are trusted, so there aren't any security mechanisms built into the protocol. Some implementations, however, do include some restrictions to prevent abuse.

According to Hart, all of the 1.2 million devices identified during Rapid7's scans appear to disclose information on the NAT-PMP device. Approximately 88% of the devices allow denial-of-service (DoS) attacks against host services, and access to internal NAT client services. Over 1 million of the devices allow interception of external traffic, while around 30,000 allow interception of internal traffic.

The information disclosure issue exposes external IP addresses and ports, but the researcher says they pose relatively little risk. The other issues described by the security firm can be exploited through malicious NAT-PMP port mapping manipulation.

For example, the interception of internal traffic can be used to obtain information on sensitive internal services, such as DNS and HTTP/HTTPS administration. An attacker can also use port mapping to access  services provided by clients behind the NAT device by spoofing NAT-PMP port mapping requests. A malicious actor can cause the device to enter a DoS state by requesting an external port mapping for a UDP or TCP service that is already listening on that port.

By leveraging the information disclosure flaw, Rapid7 was able to identify the location of vulnerable devices. Experts found affected devices in Argentina (145,866), the Russian Federation (133,126), China (119,043), Brazil (110,007), India (99,168), Malaysia (89,934), the United States (64,182), Mexico (50,662), Singapore (49,713) and Portugal (18,863).

Researchers believe most of the devices they have identified are vulnerable due to incorrect configurations of MiniUPnP, a lightweight Universal Plug and Play (UPnP) library that is used in a large number of devices.

Rapid7 has attempted to identify the companies whose products are vulnerable, but the task proved challenging. The security firm asked CERT/CC to handle the notification of potentially affected vendors and organizations. While no CVE identifiers have been assigned for the security holes, CERT/CC has cataloged them as VU#184540.

"The vulnerabilities disclosed in this advisory are not theoretical, however how many devices on the public Internet are actually vulnerable to the more severe traffic interception issues is unknown.  Vendors producing products with NAT-PMP capabilities should take care to ensure that flaws like the ones disclosed in this document are not possible in normal and perhaps even abnormal configurations," Hart explained. "ISPs and entities that act like ISPs should take care to ensure that the access devices provided to customers are similarly free from these flaws.  Lastly, for consumers with NAT-PMP capable devices on your network, your should ensure that all NAT-PMP traffic is prohibited on un-trusted network interfaces."

After learning of the security issues uncovered by Rapid7, the MiniUPnP Project took some steps to protect users against the attacks described by researchers, Hart said.

Additional details on the NAT-PMP research are available on Rapid7's blog.


view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.