Google Chrome 87 Closes High-Severity ‘NAT Slipstreaming’ Hole

google chrome code execution bug

Overall Google’s Chrome 87 release fixed 33 security vulnerabilities.

Google has released patches for several high-severity vulnerabilities in its Chrome browser with the rollout of Chrome 87 for Windows, Mac and Linux users.

Overall, Google fixed 33 vulnerabilities in its latest version, Chrome 87.0.4280.66, which is being rolled out over the coming days. This includes one high-severity CVE (CVE-2020-16022) that could allow a remote attacker to bypass security restrictions and access any Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port on a victim’s computer. This issue was disclosed on Oct. 31 by Samy Kamkar, security researcher and co-founder of Openpath, who called the attack “NAT slipstreaming.”

“Slipstreaming is easy to exploit as it’s essentially entirely automated and works cross-browser and cross-platform, and doesn’t require any user interaction other than visiting the victim site,” Kamkar told Threatpost.

At a high level, an attacker could remotely exploit the flaw by persuading a victim to visit a specially crafted website (via social engineering and other tactics). The attacker would then be able to bypass security restrictions.

“NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim’s NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website,” Kamkar said in his analysis of the issue.

The attack specifically centralizes around Network Address Translation (NAT), which translates the IP addresses of computers in a local network to a single IP address. NAT allows a single device (like a router) to act as an agent between the Internet and a local network – meaning that a single unique IP address is required to represent an entire group of computers to anything outside their network.

In order to launch an attack, the victim’s device must also have the Application Level Gateway (ALG) connection tracking mechanism that’s built into NATs. NAT Slipstreaming exploits the user’s browser in conjunction with ALG.

“This attack takes advantage of arbitrary control of the data portion of some TCP and UDP packets without including HTTP or other headers; the attack performs this new packet injection technique across all major modern (and older) browsers, and is a modernized version to my original NAT Pinning technique from 2010 (presented at DEFCON 18 + Black Hat 2010),” said Kamkar.

Google said the issue here is caused by an insufficient policy enforcement in networking. However, Kamkar said he doesn’t consider NAT Slipstreaming to be technically a flaw as there’s no actual “bug” in browsers or routers and both are doing exactly as they’re supposed to. “Rather it’s an unexpected side-effect of a complex interaction between the two systems that’s being exploited,” he told Threatpost.

Other browsers – including Mozilla Firefox and Chromium rendering engine Blink – have plans in the works to release their own updates addressing this problem.

Other High-Severity Flaws

Google released patches for several other high-severity vulnerabilities – however, as is typical for the browser, it stayed mum on the details of the bugs “until the majority of users are updated with a fix.”

Other flaws include a use-after-free glitch (CVE-2020-16018) in the payments component of Chrome, reported by Man Yue Mo of GitHub Security Lab; as well as a use-after-free error in Google’s PPAPI browser plug-in interface (CVE-2020-16014) reported by Rong Jian and Leecraso of 360 Alpha Lab.

Two high-severity “inappropriate implementations” were also discovered – one in the filesystem component (CVE-2020-16019) and one in the cryptohome component (CVE-2020-16020). Both were discovered by Rory McNamara.

And, heap buffer overflow bugs were also discovered in the UI (CVE-2020-16024) and clipboard (CVE-2020-16025) components. Both were reported by Sergei Glazunov of Google Project Zero.

This most recent Chrome update comes a week after two high-severity zero day vulnerabilities were disclosed in the Chrome desktop browser. The two flaws (CVE-2020-16013 and CVE-2020-16017) have been actively exploited in the wild, and allow an unauthenticated, remote attacker to compromise an affected system via the web.  A stable channel update, 86.0.4240.198 for Windows, Mac and Linux, was released last week that addressed the flaws.

2020 Healthcare Cybersecurity Priorities: Data Security, Ransomware and Patching

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.

Suggested articles