Security Experts:

NAT Slipstreaming 2.0 Exposes Devices on Internal Networks to Remote Attacks

A newly devised variant of the NAT Slipstreaming attack can be leveraged to compromise any device on the local network, according to researchers at enterprise IoT security firm Armis.

Detailed in late October 2020, the NAT Slipstreaming attack relies on tricking the victim into accessing a specially crafted website and exploits the browser on the device, along with the Application Level Gateway (ALG), a connection tracking mechanism in Network Address Translation (NAT), firewalls, and routers.

The attack was meant to bypass existing browser-based port restrictions and allow the attacker to remotely access TCP/UDP services on the victim’s device, even if it was protected by a firewall or NAT.

In a research paper published on Tuesday, Armis security researchers detailed a variant of the attack, dubbed NAT Slipstreaming 2.0, that can bypass mitigations for NAT Slipstreaming, and which also expands the attacker’s reach, allowing them to create paths to any device on the internal network.

“This puts embedded, unmanaged, devices at greater risk, by allowing attackers to expose devices located on internal networks, directly to the Internet,” the security researchers note.

They underline that unmanaged devices are at greater risk, as they often lack security capabilities, require little-to-no authentication for data access, and may be impacted by vulnerabilities that have been publicly disclosed but remain unpatched.

Such devices may include printers exposed through the default printing protocol, industrial controllers using unauthenticated protocols, and IP cameras that have an internal web server secured with default credentials.

In this context, Armis says, the NAT Slipstreaming attack is no longer just a nuisance, as it can be abused to launch sophisticated ransomware campaigns.

In devising the new attack variant, Armis’ researchers Ben Seri and Gregory Vishnipolsky worked together with Samy Kamkar, the researcher who discovered the original NAT Slipstreaming attack. The new attack is based on new primitives and allows for connections to any destination ports, fully bypassing the mitigations that browser makers have introduced for NAT Slipstreaming.

Just as before, the attacker needs to craft a website containing malicious code and then trick the victim into accessing that website. The code sends multiple fetch requests from the victim browser on H.323 port (1720), thus allowing the attacker to “iterate through a range of IP addresses and ports, each time opening an IP/port to the Internet,” for reconnaissance.

Fixes for the issue were included in all major web browsers, namely Chrome v87.0.4280.142, Firefox v85.0, and Safari v14.0.3. Microsoft’s Edge, which relies on the Chromium source code, is also patched. The bug is tracked as CVE-2020-16043 in Chromium and CVE-2021-23961 in Firefox.

The mitigations all browser makers added to their software involved making two changes, namely adding the TCP/UDP ports of all known ALGs to the list of restricted ports, and enforcing the list on WebRTC connections as well.

“While this isn’t a ‘fix’, the issue discussed isn’t really a ‘bug’, as everything is working pretty much as intended. The real ‘fix’ would be every user and sysadmin disabling all ALGs, as this feature is fundamentally broken. We consider this mitigation sufficient to prevent this issue from being used as an actual attack vector,” Armis notes.

Related: NAT Slipstreaming: Visiting Malicious Site Can Expose Local Network Services to Remote Attacks

Related: DNSpooq Flaws Expose Millions of Devices to DNS Cache Poisoning, Other Attacks

Related: 'State of the Firewall' Report: Automation Key to Preventing Costly Misconfigurations

view counter