NAT-PMP Vulnerability
In this article we will learn about the latest NAT-PMP vulnerability being discovered, which will affect around 1.2 billion SOHO routers worldwide.
What is a SOHO network?
SOHO stands for small office/home office which is a type of LAN network being designed for very small networks. A SOHO network can be a mix of wired and wireless computers.
Learn Vulnerability Management
What is NAT-PMP?
First, let's refresh our concept of how traditional NAT works and why NAT-PMP was even required.
NAT devices have one or more external IP address associated with it. Enterprise internal architecture sits behind the NAT device. Clients which sit behind the NAT network use NAT device as their default gateway. When a packet from any device behind the NAT is sent to an address on the public Internet, the packet first passes through the NAT box. The NAT box looks at the source port and address. During this transmission of packets, NAT creates a mapping from the internal address and internal port to an external address and external port if a mapping does not already exist. The NAT box replaces the internal address and port in the packet with the external entries from the mapping and sends the packet on to the next gateway.
On receiving a packet from the internet on the external interface, the NAT will look up the destination address and port (external address and port) in the list of mappings. If an entry is found, it will contain the internal address and port to which the packet should be sent. The NAT gateway will then rewrite the destination address and port with those from the mapping and forward the packet to the new destination addresses. If the packet does not match any mapping, the packet will most likely be dropped.
The important thing to note is that if there is no mapping, the NAT does not know to which internal address the packet should be sent. Mappings are usually created automatically as a result of observing outbound packets. Manual configuration of mapping is to map an external port to a specific internal IP address and port to allow incoming connections to the device with that internal address. A manual configuration can also be done to forward the traffic to a particular IP in case no mapping is found.
To address the port mapping issue, NAT-PMP emerged, which allows client s to operate more like a host directly connected to the public network. NAT-PMP allows client hosts to communicate with the NAT gateway to request the creation of inbound mappings on demand. By creating a NAT mapping to allow inbound connections, the client can record its external IPv4 address and external port in a public registry like public DNS to make it accessible to peers that wish to communicate with it. Below are the steps that can work with NAT-PMP.
- Internal client requests to map UDP port 9999 from the Internet to its UDP port 9999.
- The NAT-PMP compatible NAT device will respond.
- Client then asks for the public address of the NAT-PMP device.
- NAT device responds with its address, e.g. p.q.r.s.
- After receiving the public address of NAT-PMP device, the internal client can now advertise about their service bound to port like p.q.r.s:9999/UDP to allow hosts from the Internet to connect to its services.
NAT-PMP Vulnerability Details
RFC 6886 clearly states that:
"The NAT gateway MUST NOT accept mapping requests destined to the NAT gateway's external IP address or received on its external network interface. Only packets received on the internal interface(s) with a destination address matching the internal address(es) of the NAT gateway should be allowed"
The root cause of the vulnerabilities is because of violation of these requirements by vendors. The following vulnerabilities can be carried out on a NAT-PMP device if configuration is not done properly. These vulnerabilities have been discovered by the Rapid 7 team.
-
Interception of Internal and External Traffic
If NAT-PMP is incorrectly configured to set its external interface as its internal interface which the client uses as their gateway, then it is possible for remote attackers to intercept TCP or UDP traffic destined to the internal interface of a NAT-PMP device. Since the internal interface is controlled by the attacker now, then all further attacks such as DNS, HTTP/Scan can be exploited.
Learn Vulnerability Management
Get hands-on experience with dozens of courses covering vulnerability assessments, tools, management and more.Similarly, external traffic can also be intercepted if a NAT-PMP device is incorrectly configured to set its NAT-PMP external interface to be the external interface that faces the public Internet and listens for NAT-PMP messages on both the internal and external interfaces. If this is the configuration, then it is possible for remote attackers from outside to intercept arbitrary TCP and UDP traffic destined from external hosts to and perhaps through the NAT-PMP device's external interface. Devices vulnerable to this will report the external address to be something external, often the public IPv4 address on the Internet.
This attack can also be used to cause the NAT-PMP device to respond to and forward traffic for services it isn't even listening on. For example, if the NAT-PMP device does not have a listening HTTP service on the external interface, this same flaw could be used to redirect inbound HTTP requests to another external host, making it appear that HTTP content hosted on the external host is hosted by the NAT-PMP device.
-
Internal NAT Client Services Exposed
Since internal and external traffic can be hacked and crafted to listen for external IPs for messages, and if NAT-PMP is incorrectly configured to listen for NAT-PMP messages on an untrusted interface such was a WAN interface connected to the Internet, it is possible to create mappings by spoofing NAT-PMP mapping requests by using a source address that matches a valid, internal network range served by the NAT-PMP device.
-
Denial of Service
Because the internal and external traffic can be controlled, then it is possible to redirect the NAT-PMP messages to an altogether different host, and further mappings can be restricted.
References
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- NAT-PMP Vulnerability
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
