Researchers develop new approach to original technique that exposed only the victim’s device
UPDATED A new variant of the freshly minted NAT slipstreaming attack has emerged that could use unmanaged, internal network devices as a bridgehead to – in the worst-case scenario – ransomware infection.
‘NAT slipstreaming’, a packet injection technique recently developed by security researcher Samy Kamkar, allows attackers to bypass a network’s firewall and network address translation (NAT) once a victim clicks on a malicious link.
In the original technique – covered by The Daily Swig in November – the NAT is inadvertently duped into opening an incoming TCP/UDP port path from the internet to the device used by the victim.
Enterprise-grade NATs or firewalls from Fortinet, Cisco, and HPE were confirmed as vulnerable to varying degrees, with others “likely affected as well”.
Devices that lack security capabilities such as robust (or any) authentication for accessing administrative interfaces are particularly vulnerable.
These ‘unmanaged’ devices can include office printers that are controllable through a default printing protocol or internal web server, industrial controllers controlled by an unauthenticated protocol, or IP cameras whose feed is accessible with default credentials.
Armis has produced videos demonstrating the new variant in action within office and industrial environments.
“Once the perimeter is breached, these unpatched, unmanaged devices can be easy targets for attackers to take over, preserve a presence in the network, and act as RATs (remote access tools) through which any further attack can take place,” says Ben Seri.
Attackers could also exploit known device vulnerabilities, such as the critical URGENT/11 flaws still unpatched in 97% of vulnerable industrial controllers more than a year after disclosure, said the researchers.
The new variant uses additional primitives to bypass browser patches that partially mitigated the original technique.
Firstly, “unlike most other ALGs, the H.323 ALG, where supported, enables an attacker to create a pinhole in the NAT/firewall to any internal IP, rather than just the IP of the victim that clicks on the malicious link”.
Secondly, “WebRTC TURN connections can be established by browsers over TCP to any destination port. The browser’s restricted-ports list was not consulted by this logic, and was therefore bypassed”.
The attacker can also reach ALGs “that were previously unreachable due to the restricted-ports list”.
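A defender can look for the flow pattern this implies: an internal client connects out to an ALG control port, and the same external host then opens a connection to an internal address, possibly a different device. The following detection sketch is an added example, not code from Armis or Samy Kamkar. It assumes TCP flow records captured on the inside interface, RFC 1918 internal ranges, a hypothetical list of monitored ALG ports, and constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 ranges are the internal network; adjust to the real address plan.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: well-known control ports of common ALGs (H.323 call signalling is TCP 1720).
ALG_PORTS = {21: "FTP", 1720: "H.323", 1723: "PPTP", 5060: "SIP", 6667: "IRC"}
WINDOW = 120  # seconds an inbound flow may follow the ALG-port connection (assumed)

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def find_pinholes(flows):
    """flows: iterable of (ts, src, dst, dport) TCP flow records, sorted by ts.
    Returns alerts where an internal client contacts an external host on an ALG
    control port and that host then opens a connection to an internal address."""
    primed = {}   # external ip -> (ts, internal client, ALG name)
    alerts = []
    for ts, src, dst, dport in flows:
        if is_internal(src) and not is_internal(dst) and dport in ALG_PORTS:
            primed[dst] = (ts, src, ALG_PORTS[dport])
        elif not is_internal(src) and is_internal(dst) and src in primed:
            t0, client, alg = primed[src]
            if ts - t0 <= WINDOW:
                alerts.append({
                    "external": src, "client": client, "alg": alg,
                    "target": dst, "port": dport,
                    # A target other than the browsing client matches the new variant.
                    "other_host": dst != client,
                })
    return alerts

# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE = [
    (100, "192.168.1.23", "203.0.113.9", 443),    # ordinary browsing
    (105, "192.168.1.23", "203.0.113.9", 1720),   # client reaches an ALG port
    (130, "203.0.113.9", "192.168.1.50", 9100),   # inbound to a different device
    (400, "198.51.100.7", "192.168.1.80", 443),   # unrelated inbound, not primed
    (900, "203.0.113.9", "192.168.1.50", 80),     # outside the time window
]

if __name__ == "__main__":
    for alert in find_pinholes(SAMPLE):
        print(alert)
```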
Most products tested were “affected at least in some way”, and in most cases “the effect is pretty much a full bypass of the firewall/NATs protection”, said Seri.
Subsequent patches issued for Chrome (on January 6), Edge (January 7), Safari (January 14, so far only in beta), and Firefox (January 26) have added TCP/UDP ports of known ALGs to the restricted-ports list and enforced this list on WebRTC connections.
Google Chrome has now also blocked access to websites on another seven TCP ports to further protect users.
Although browsers have added “restricted-port lists, same-site origin policy, and other mitigation mechanisms” since Kamkar exploited similar security issues in a 2010 bypass, the expansion of functionality has introduced additional, potentially problematic primitives, says Seri.
Beyond short-term browser-side mitigations, a long-term solution “will require a fundamental change of” router and firewall vendors’ implementations, he adds.
Security was not the main driver “for the creation of NATs” but rather “mainly a by-product of the potential exhaustion of IPv4 addresses”.
Legacy requirements such as ALGs still underpin NAT design, as well as the bypass attacks that “are found again and again”.
This article was updated on January 31 with the news that Google has introduced additional mitigations to Chrome.