NAT-PMP Protocol Vulnerability Puts 1.2 Million SOHO Routers At Risk

More than 1 million SOHO routers and embedded devices are vulnerable to a serious vulnerability in the NAT-PMP protocol that enables traffic hijacking and denial of service attacks.

Vulnerabilities in embedded devices, in particular small office and home office routers, have been relentless. Another serious issue was discovered this week that affects more than 1.2 million such devices due to improper NAT-PMP protocol implementations, most of which run counter to the specification under which it was designed.

The security flaw allows an attacker any number of avenues for trouble, most serious among them being the ability to redirect traffic to an attacker. Hackers can also cause a denial-of-service condition against host services, access internal NAT client services, and in 100 percent of cases seen so far, learn device configuration information.

Jon Hart, a researcher with Rapid7, said this week the scale of the problem was discovered after a scan of the public Internet as part of Project Sonar, an ongoing security analysis of public Internet-facing websites and devices.

NAT-PMP, or Network Address Translation Port-Mapping Protocol, is a UDP port-mapping protocol used by networking devices in order to allow external users access to file sharing services and other internal services behind a NAT device. The protocol is compatible with a number of operating systems and until recently was found in a number of Apple devices, including the Apple AirPort Wi-Fi base station. Hart said that NAT-PMP is a simple protocol that requires careful configuration, otherwise illicit access can be exposed.

Hart’s scan concluded that 1.2 million devices were vulnerable to attacks that could facilitate malicious port-mapping that enables siphoning of private traffic.

Hart’s scan concluded that 1.2 million devices were vulnerable to attacks that could facilitate malicious port-mapping that enables siphoning of private traffic on internal and external interfaces of a NAT device, he said. RFC 6886, the NAT-PMP specification, specifically says the NAT gateway must not be configured to accept mapping requests meant for its external IP address. “Only packets received on the internal interfaces with a destination address matching the internal addresses of the NAT gateway should be allowed,” the spec says. Some vendors, Hart said, are not following the spec to the letter.

Rapid7 CSO HD Moore said attacks against NAT-PMP vulnerabilities have been integrated into Metasploit for at least two years, and are fairly simple to pull off. The difficulty here in terms of a fix is that the scan did not help Rapid7 identify vendors or specific products affected by the vulnerability.

Moore said that interception of external traffic is the most serious issue here.

“That will allow someone running a malware command and control kit or something like that to turn your system into a reverse proxy serving malicious traffic, start hosting malicious site on your router’s IP,” said Moore, speaking on behalf of Hart who was unavailable. “The way they do that is from the malicious system to flip the mapping back to you from all these vulnerable routers. And because of the way the protocol works, you don’t have to actually know where these devices are. You can literally spray them out across the ether.”

Hart explained in a blogpost that traffic meant for the device running NAT-PMP internal interface is less likely at risk yet it can be redirected off the network to the hacker.

“This attack can also be used to cause the NAT-PMP device to respond to and forward traffic for services it isn’t even listening on,” Hart wrote. “For example, if the NAT-PMP device does not have a listening HTTP service on the external interface, this same flaw could be used to redirect inbound HTTP requests to another external host, making it appear that HTTP content hosted on the external host is hosted by the NAT-PMP device.”

Suggested articles