Connect with us

Hi, what are you looking for?


Endpoint Security

NAT Slipstreaming 2.0 Exposes Devices on Internal Networks to Remote Attacks

A newly devised variant of the NAT Slipstreaming attack can be leveraged to compromise any device on the local network, according to researchers at enterprise IoT security firm Armis.

A newly devised variant of the NAT Slipstreaming attack can be leveraged to compromise any device on the local network, according to researchers at enterprise IoT security firm Armis.

Detailed in late October 2020, the NAT Slipstreaming attack relies on tricking the victim into accessing a specially crafted website and exploits the browser on the device, along with the Application Level Gateway (ALG), a connection tracking mechanism in Network Address Translation (NAT), firewalls, and routers.

The attack was meant to bypass existing browser-based port restrictions and allow the attacker to remotely access TCP/UDP services on the victim’s device, even if it was protected by a firewall or NAT.

In a research paper published on Tuesday, Armis security researchers detailed a variant of the attack, dubbed NAT Slipstreaming 2.0, that can bypass mitigations for NAT Slipstreaming, and which also expands the attacker’s reach, allowing them to create paths to any device on the internal network.

“This puts embedded, unmanaged, devices at greater risk, by allowing attackers to expose devices located on internal networks, directly to the Internet,” the security researchers note.

They underline that unmanaged devices are at greater risk, as they often lack security capabilities, require little-to-no authentication for data access, and may be impacted by vulnerabilities that have been publicly disclosed but remain unpatched.

Such devices may include printers exposed through the default printing protocol, industrial controllers using unauthenticated protocols, and IP cameras that have an internal web server secured with default credentials.

Advertisement. Scroll to continue reading.

In this context, Armis says, the NAT Slipstreaming attack is no longer just a nuisance, as it can be abused to launch sophisticated ransomware campaigns.

In devising the new attack variant, Armis’ researchers Ben Seri and Gregory Vishnipolsky worked together with Samy Kamkar, the researcher who discovered the original NAT Slipstreaming attack. The new attack is based on new primitives and allows for connections to any destination ports, fully bypassing the mitigations that browser makers have introduced for NAT Slipstreaming.

Just as before, the attacker needs to craft a website containing malicious code and then trick the victim into accessing that website. The code sends multiple fetch requests from the victim browser on H.323 port (1720), thus allowing the attacker to “iterate through a range of IP addresses and ports, each time opening an IP/port to the Internet,” for reconnaissance.

Fixes for the issue were included in all major web browsers, namely Chrome v87.0.4280.142, Firefox v85.0, and Safari v14.0.3. Microsoft’s Edge, which relies on the Chromium source code, is also patched. The bug is tracked as CVE-2020-16043 in Chromium and CVE-2021-23961 in Firefox.

The mitigations all browser makers added to their software involved making two changes, namely adding the TCP/UDP ports of all known ALGs to the list of restricted ports, and enforcing the list on WebRTC connections as well.

“While this isn’t a ‘fix’, the issue discussed isn’t really a ‘bug’, as everything is working pretty much as intended. The real ‘fix’ would be every user and sysadmin disabling all ALGs, as this feature is fundamentally broken. We consider this mitigation sufficient to prevent this issue from being used as an actual attack vector,” Armis notes.

Related: NAT Slipstreaming: Visiting Malicious Site Can Expose Local Network Services to Remote Attacks

Related: DNSpooq Flaws Expose Millions of Devices to DNS Cache Poisoning, Other Attacks

Related: ‘State of the Firewall’ Report: Automation Key to Preventing Costly Misconfigurations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...