In this article we will look at the recently discovered NAT-PMP vulnerability, which is estimated to affect around 1.2 billion SOHO routers worldwide.
What is a SOHO network?
SOHO stands for small office/home office, a type of LAN designed for very small networks. A SOHO network can be a mix of wired and wireless computers.
What is NAT-PMP?
First, let's refresh how traditional NAT works and why NAT-PMP was needed in the first place.
NAT devices have one or more external IP addresses associated with them. The internal network sits behind the NAT device, and clients on it use the NAT device as their default gateway. When a packet from a device behind the NAT is sent to an address on the public Internet, it first passes through the NAT box, which looks at the source address and port. If no mapping for that internal address and port exists yet, the NAT creates one to an external address and external port. The NAT box then replaces the internal address and port in the packet with the external entries from the mapping and sends the packet on to the next gateway.
On receiving a packet from the Internet on its external interface, the NAT looks up the destination address and port (the external address and port) in its list of mappings. If an entry is found, it contains the internal address and port to which the packet should be delivered. The NAT gateway then rewrites the destination address and port with those from the mapping and forwards the packet to the new destination address. If the packet matches no mapping, it is most likely dropped.
The important point is that without a mapping, the NAT does not know which internal address a packet should go to. Mappings are usually created automatically by observing outbound packets. A mapping can also be configured manually to forward an external port to a specific internal IP address and port, allowing incoming connections to the device with that internal address, or to forward traffic to a particular internal IP when no mapping matches.
To address this port mapping problem, NAT-PMP emerged, which allows clients to operate more like hosts directly connected to the public network. NAT-PMP lets client hosts ask the NAT gateway to create inbound mappings on demand. Once a mapping allowing inbound connections exists, the client can record its external IPv4 address and external port in a public registry such as public DNS, so that peers wishing to communicate with it can reach it. The steps below show how this works with NAT-PMP.
- The internal client requests that UDP port 9999 on the Internet side be mapped to its own UDP port 9999.
- The NAT-PMP compatible NAT device responds.
- If the exact mapping was possible, outside traffic to port 9999/UDP is now forwarded to the client's port 9999/UDP.
- If the exact mapping is not possible, a random port/UDP chosen by the gateway is forwarded to the client's port 9999/UDP instead.
- The client then asks for the public address of the NAT-PMP device.
- The NAT device responds with its address, e.g. p.q.r.s.
- Knowing the public address of the NAT-PMP device, the internal client can now advertise its service as p.q.r.s:9999/UDP so that hosts on the Internet can connect to it.
NAT-PMP Vulnerability Details
RFC 6886 clearly states that:
“The NAT gateway MUST NOT accept mapping requests destined to the NAT gateway’s external IP address or received on its external network interface. Only packets received on the internal interface(s) with a destination address matching the internal address(es) of the NAT gateway should be allowed.”
The root cause of the vulnerabilities is that vendors violate these requirements. The following attacks are possible against a NAT-PMP device that is not configured properly. These vulnerabilities were discovered by the Rapid7 team.
Interception of Internal and External Traffic
If a NAT-PMP device is incorrectly configured so that the interface it treats as its NAT-PMP external interface is actually the internal interface that clients use as their gateway, then remote attackers can intercept TCP or UDP traffic destined to the internal interface of the NAT-PMP device. Since traffic to the internal interface is now effectively controlled by the attacker, further attacks against services such as DNS and HTTP become possible.
Similarly, external traffic can be intercepted if a NAT-PMP device is incorrectly configured with its NAT-PMP external interface set to the interface that faces the public Internet while it listens for NAT-PMP messages on both the internal and external interfaces. In that configuration, remote attackers on the outside can intercept arbitrary TCP and UDP traffic sent by external hosts to, and perhaps through, the NAT-PMP device’s external interface. Devices vulnerable to this will report their external address as something external, often the public IPv4 address on the Internet.
This flaw can also be used to make the NAT-PMP device respond to and forward traffic for services it is not even listening on. For example, if the NAT-PMP device has no HTTP service listening on its external interface, the same flaw could be used to redirect inbound HTTP requests to another external host, making it appear that HTTP content hosted on that external host is hosted by the NAT-PMP device.
Internal NAT Client Services Exposed
If a NAT-PMP device is incorrectly configured to listen for NAT-PMP messages on an untrusted interface such as a WAN interface connected to the Internet, it is possible to create mappings by spoofing NAT-PMP mapping requests with a source address that falls inside a valid internal network range served by the NAT-PMP device. Such mappings expose services running on internal NAT clients to the Internet.
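As an added illustration (not code from this article or from Rapid7), the following Python models the NAT-PMP exchange described in the steps above together with the RFC 6886 interface check quoted earlier: a gateway-side handler that builds the external-address and port-mapping responses and ignores any request that did not arrive on the internal interface addressed to the internal address, which is exactly the check the vulnerable devices lack. The topology, addresses, interface names and in-memory mapping table are constructed assumptions.

```python
import socket, struct, time

# Constructed sample topology (an assumption, not from the article): the gateway's
# internal (LAN) and external (WAN) addresses and a tiny in-memory mapping table.
INTERNAL_IP, EXTERNAL_IP = "192.168.1.1", "203.0.113.7"
EPOCH = int(time.time())
mappings = {}  # (opcode, external_port) -> (client_ip, internal_port)

def _seconds():  # "seconds since start of epoch" field carried in every response
    return int(time.time()) - EPOCH

def handle_request(pkt, recv_iface, dst_ip, src_ip):
    # Gateway side: returns the response bytes, or None when the request is ignored.
    # RFC 6886 rule the vulnerable devices violate: accept only requests that arrived
    # on the internal interface AND were addressed to the internal address; without
    # it a request arriving from the WAN side can create mappings (spoofed or not).
    if recv_iface != "lan" or dst_ip != INTERNAL_IP or len(pkt) < 2:
        return None
    version, opcode = pkt[0], pkt[1]
    if version != 0:  # result code 1: unsupported version
        return struct.pack("!BBHI", 0, 128 + opcode, 1, _seconds())
    if opcode == 0:   # external address request -> 12-byte response with WAN IPv4
        return struct.pack("!BBHI4s", 0, 128, 0, _seconds(), socket.inet_aton(EXTERNAL_IP))
    if opcode in (1, 2) and len(pkt) == 12:  # 1 = map UDP, 2 = map TCP
        _, _, _, int_port, want_port, lifetime = struct.unpack("!BBHHHI", pkt)
        ext_port = allocate(opcode, want_port, src_ip, int_port)
        return struct.pack("!BBHIHHI", 0, 128 + opcode, 0, _seconds(),
                           int_port, ext_port, lifetime)
    return struct.pack("!BBHI", 0, 128 + opcode, 5, _seconds())  # unsupported opcode

def allocate(opcode, want_port, client_ip, int_port):
    # Exact mapping when the suggested external port is free (or already belongs to
    # this client), otherwise a different free port, as in the article's steps.
    owner = (client_ip, int_port)
    if want_port and mappings.get((opcode, want_port), owner) == owner:
        mappings[(opcode, want_port)] = owner
        return want_port
    port = next(p for p in range(49152, 65536) if (opcode, p) not in mappings)
    mappings[(opcode, port)] = owner
    return port

def parse_map_response(resp):
    _, opcode, result, _, int_port, ext_port, lifetime = struct.unpack("!BBHIHHI", resp)
    return {"opcode": opcode, "result": result, "internal_port": int_port,
            "external_port": ext_port, "lifetime": lifetime}

def parse_address_response(resp):
    _, _, result, _, addr = struct.unpack("!BBHI4s", resp)
    return result, socket.inet_ntoa(addr)
```

Removing the first `if` in `handle_request` reproduces the misconfiguration the article describes: a mapping request received on the WAN side, carrying a source address in the LAN range, would then be honoured.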
Denial of Service
Because the internal and external traffic can be controlled in this way, it is possible to redirect NAT-PMP messages to an altogether different host, and further mapping requests from legitimate clients can be blocked.