1.2 Million Networking Devices Vulnerable Due to NAT-PMP Issues

Researchers have found that a large number of networking devices are vulnerable to cyberattacks because of poor implementation or configuration of the Network Address Translation – Port Mapping Protocol (NAT-PMP).

Jon Hart, a security researcher with Rapid7, reported on Tuesday that the security firm identified roughly 1.2 million Internet-connected devices affected by malicious port mapping manipulation and information disclosure vulnerabilities.

NAT-PMP is a UDP protocol deployed on NAT devices that allows users from a public network (i.e., the Internet) to access TCP or UDP services from a private network that’s located behind the NAT device. NAT-PMP is usually found in small office/home office (SOHO) routers and other networking devices.

NAT-PMP is designed for use on networks where clients are trusted, so there aren’t any security mechanisms built into the protocol. Some implementations, however, do include some restrictions to prevent abuse.

According to Hart, all of the 1.2 million devices identified during Rapid7’s scans appear to disclose information on the NAT-PMP device. Approximately 88% of the devices allow denial-of-service (DoS) attacks against host services, and access to internal NAT client services. Over 1 million of the devices allow interception of external traffic, while around 30,000 allow interception of internal traffic.

The information disclosure issue exposes external IP addresses and ports, but the researcher says it poses relatively little risk on its own. The other issues described by the security firm can be exploited through malicious NAT-PMP port mapping manipulation.

For example, the interception of internal traffic can be used to obtain information on sensitive internal services, such as DNS and HTTP/HTTPS administration. An attacker can also use port mapping to access services provided by clients behind the NAT device by spoofing NAT-PMP port mapping requests. A malicious actor can cause the device to enter a DoS state by requesting an external port mapping for a UDP or TCP port on which the device itself is already listening.
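The checks below show what a correctly behaving gateway does with the request types the article describes. This is an added example written for this page, not Rapid7's or the MiniUPnP Project's code; the wire format and result codes follow RFC 6886, while the interface names, client addresses, service table and the `Decision` type are constructed for the demo. It drops NAT-PMP on untrusted (WAN-side) interfaces, refuses a mapping that would land on a port the gateway itself serves, refuses one client taking over another client's mapping, and always targets the mapping at the datagram's source address.

```python
"""Defensive NAT-PMP (RFC 6886) request handling for a gateway (added example)."""
import socket
import struct
from dataclasses import dataclass

NAT_PMP_PORT = 5351          # UDP port a NAT-PMP gateway listens on (RFC 6886)
VERSION = 0
OP_EXTERNAL_ADDRESS = 0
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESPONSE_FLAG = 0x80         # response opcode = request opcode + 128

# Result codes defined in RFC 6886 section 3.5
RC_SUCCESS, RC_BAD_VERSION, RC_NOT_AUTHORIZED, RC_BAD_OPCODE = 0, 1, 2, 5


@dataclass
class Decision:              # hypothetical type for this demo
    accepted: bool
    result_code: int
    reason: str
    reply: bool = True       # False: drop silently, never answer on that interface
    internal_port: int = 0
    external_port: int = 0
    lifetime: int = 0


def mapping_request(opcode, internal_port, external_port, lifetime):
    """Encode a client mapping request (used here to build test datagrams)."""
    return struct.pack("!BBHHHI", VERSION, opcode, 0, internal_port, external_port, lifetime)


def evaluate_request(datagram, src_ip, src_iface, trusted_ifaces, gateway_listening, mappings):
    """Decide how the gateway should treat one NAT-PMP datagram.

    trusted_ifaces:    interface names on which NAT-PMP is allowed (LAN side)
    gateway_listening: {(proto, port)} services the gateway itself runs
    mappings:          {(proto, external_port): client_ip}, updated in place on success
    """
    # 1. The mitigation the article recommends: no NAT-PMP on untrusted interfaces.
    if src_iface not in trusted_ifaces:
        return Decision(False, RC_NOT_AUTHORIZED,
                        f"NAT-PMP from {src_ip} on untrusted interface {src_iface}", reply=False)
    if len(datagram) < 2:
        return Decision(False, RC_BAD_OPCODE, "datagram shorter than header", reply=False)
    version, opcode = datagram[0], datagram[1]
    if version != VERSION:
        return Decision(False, RC_BAD_VERSION, f"unsupported version {version}")
    if opcode == OP_EXTERNAL_ADDRESS:
        return Decision(True, RC_SUCCESS, "external address query from trusted client")
    if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        return Decision(False, RC_BAD_OPCODE, f"unsupported opcode {opcode}")
    if len(datagram) < 12:
        return Decision(False, RC_BAD_OPCODE, "truncated mapping request", reply=False)
    _reserved, internal_port, ext_port, lifetime = struct.unpack("!HHHI", datagram[2:12])
    proto = "udp" if opcode == OP_MAP_UDP else "tcp"
    if ext_port == 0:                     # 0 means "any"; try the internal port first
        ext_port = internal_port
    # 2. A mapping onto a port the gateway itself serves would wedge or hijack that
    #    service (the DoS and interception cases described in the article).
    if (proto, ext_port) in gateway_listening:
        return Decision(False, RC_NOT_AUTHORIZED,
                        f"{proto}/{ext_port} is a gateway service", internal_port=internal_port)
    # 3. Never let one client take over a mapping another client holds.
    owner = mappings.get((proto, ext_port))
    if owner is not None and owner != src_ip:
        return Decision(False, RC_NOT_AUTHORIZED,
                        f"{proto}/{ext_port} already mapped to {owner}", internal_port=internal_port)
    # 4. The mapping target is the datagram's source address: the protocol carries
    #    no internal-address field, so a client can only ever expose itself.
    if lifetime == 0:
        mappings.pop((proto, ext_port), None)
        return Decision(True, RC_SUCCESS, "mapping removed",
                        internal_port=internal_port, external_port=ext_port)
    mappings[(proto, ext_port)] = src_ip
    return Decision(True, RC_SUCCESS, f"{proto}/{ext_port} -> {src_ip}:{internal_port}",
                    internal_port=internal_port, external_port=ext_port, lifetime=lifetime)


def build_response(opcode, decision, seconds_since_start, external_ip="0.0.0.0"):
    """Encode the RFC 6886 response for a decision; None means 'do not answer'.
    Error responses carry zeroed mapping fields (an implementation choice here)."""
    if not decision.reply:
        return None
    header = struct.pack("!BBHI", VERSION, opcode | RESPONSE_FLAG,
                         decision.result_code, seconds_since_start)
    if opcode == OP_EXTERNAL_ADDRESS and decision.accepted:
        return header + socket.inet_aton(external_ip)
    if opcode in (OP_MAP_UDP, OP_MAP_TCP):
        return header + struct.pack("!HHI", decision.internal_port,
                                    decision.external_port, decision.lifetime)
    return header


if __name__ == "__main__":
    # Constructed demo: a LAN client and a WAN host send the same requests.
    table, services = {}, {("tcp", 80), ("udp", 53)}
    for ip, iface in (("192.168.1.10", "lan0"), ("203.0.113.9", "wan0")):
        for dg in (bytes([0, 0]), mapping_request(OP_MAP_TCP, 8080, 80, 3600),
                   mapping_request(OP_MAP_TCP, 8080, 8080, 3600)):
            d = evaluate_request(dg, ip, iface, {"lan0"}, services, table)
            print(iface, d.accepted, d.result_code, d.reason)
```

Run it as a script to see the same three datagrams accepted or refused depending on the interface they arrive on; wire this logic in front of a real listener on UDP 5351 and the interception and DoS paths the article describes are closed at the protocol layer rather than left to firewall rules alone.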

By leveraging the information disclosure flaw, Rapid7 was able to identify the location of vulnerable devices. Experts found affected devices in Argentina (145,866), the Russian Federation (133,126), China (119,043), Brazil (110,007), India (99,168), Malaysia (89,934), the United States (64,182), Mexico (50,662), Singapore (49,713) and Portugal (18,863).

Researchers believe most of the devices they have identified are vulnerable due to incorrect configurations of MiniUPnP, a lightweight Universal Plug and Play (UPnP) library that is used in a large number of devices.

Rapid7 has attempted to identify the companies whose products are vulnerable, but the task proved challenging. The security firm asked CERT/CC to handle the notification of potentially affected vendors and organizations. While no CVE identifiers have been assigned for the security holes, CERT/CC has cataloged them as VU#184540.

“The vulnerabilities disclosed in this advisory are not theoretical, however how many devices on the public Internet are actually vulnerable to the more severe traffic interception issues is unknown. Vendors producing products with NAT-PMP capabilities should take care to ensure that flaws like the ones disclosed in this document are not possible in normal and perhaps even abnormal configurations,” Hart explained. “ISPs and entities that act like ISPs should take care to ensure that the access devices provided to customers are similarly free from these flaws. Lastly, for consumers with NAT-PMP capable devices on your network, you should ensure that all NAT-PMP traffic is prohibited on un-trusted network interfaces.”

After learning of the security issues uncovered by Rapid7, the MiniUPnP Project took some steps to protect users against the attacks described by researchers, Hart said.

Additional details on the NAT-PMP research are available on Rapid7’s blog.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
