Remote Attackers Can Now Reach Protected Network Devices via NAT Slipstreaming


A new version of NAT slipstreaming allows cybercriminals an easy path to devices that aren’t connected to the internet.

Keeping a device off the internet is no longer, by itself, a solid plan for protecting it from remote attackers. A new version of the known network-address translation (NAT) slipstreaming attack has been uncovered that lets a remote attacker reach multiple devices on an internal network, including devices that never talk to the internet themselves, as long as one machine behind the same NAT visits an attacker-controlled web page.

According to researchers from Armis and Samy Kamkar, chief security officer and co-founder at Openpath Security, attackers can execute an attack by simply convincing one target with internet access on the network to click on a malicious link. From there, cybercriminals can gain access to other, non-exposed endpoints, including unmanaged devices like industrial controllers, with no further social engineering needed.

NAT is the mechanism that lets the devices on a private network share a single public IP address: the router rewrites the source address and port of outbound packets and maps the replies back to the internal host that started the connection. NAT is not a security control in itself, but because it only creates those mappings for connections initiated from the inside, it is commonly combined with a stateful firewall to provide perimeter security in enterprise environments; products from Fortinet, Cisco and HPE all take this approach.

NAT Slipstreaming Overview

In the original NAT slipstreaming attack, revealed in November 2020 and mitigated in browsers shortly afterwards, an attacker persuades a victim inside an internal network (via social engineering or other tactics) to open a link to an attacker-controlled website. That website then fools the victim network's NAT into opening an incoming path (a TCP or UDP port) from the internet to the victim's device.

“Slipstreaming is easy to exploit as it’s essentially entirely automated and works cross-browser and cross-platform, and it doesn’t require any user interaction other than visiting the victim site,” Kamkar told Threatpost last fall.

For the attack to work, the NAT/firewall in front of the victim must have an Application-Level Gateway (ALG) enabled. ALGs are connection-tracking helpers, built into most NATs, that inspect the control channel of protocols such as FTP, IRC and H.323 and open the secondary ports those protocols negotiate. NAT slipstreaming abuses the victim's browser to feed such an ALG data that it mistakes for that control channel.

“This attack takes advantage of arbitrary control of the data portion of some TCP and UDP packets without including HTTP or other headers; the attack performs this new packet-injection technique across all major modern (and older) browsers,” explained Kamkar.

In the attack, when a victim device visits an attacker-controlled website, JavaScript code running in the victim’s browser sends out additional traffic to the attacker’s server, which traverses through the network’s NAT/firewall.

“This second-phase traffic is crafted in such a way that the NAT is fooled to believe this traffic actually originated from an application that requires a second connection to take place, from the internet to the victim device, and to an internal port that the attacker can choose,” researchers explained. “This second connection can thus lead the attacker to access any service (TCP/UDP) on the victim’s device, directly from the internet.”

If, for example, the victim's device is a Windows machine still vulnerable to EternalBlue, the attacker can reach its SMB port (TCP 445) from the internet using this technique, exploit the vulnerability and take over the device.

“The only thing required for this attack to take place is that the victim clicks on a link, or visits a web page in which the attacker has implanted some JavaScript code,” researchers noted.

NAT Slipstreaming 2.0

The newly discovered variant extends the attack, researchers said.

Now, “attackers [can] fool the NAT in such a way that it will create incoming paths to any device on the internal network, and not only to the victim device that clicked on the link,” they explained, in a blog posting on Tuesday.

The issue lies in the H.323 ALG, on NATs that support it. Unlike most other ALGs, H.323 lets the attacker create a pinhole in the NAT/firewall to any internal IP address, rather than only to the IP of the victim that clicked the malicious link.

Meanwhile, browsers allowed WebRTC TURN connections to be established over TCP to any destination port. The browser's restricted-ports list was not consulted on that code path and was therefore bypassed.

“This allows the attacker to reach additional ALGs, such as the FTP and IRC ALGs (ports 21, 6667) that were previously unreachable due to the restricted-ports list,” researchers said. “The FTP ALG is widely used in NATs/firewalls.”
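The mechanics described above, as a constructed illustration added here rather than code from Armis, Samy Kamkar or any router vendor: a toy model of a NAT's FTP ALG. The browser's second-phase request is an ordinary HTTP POST to the attacker's server on port 21 whose body is padded so that an FTP PORT line begins a new TCP segment; the naive ALG inspects each segment in isolation and opens a pinhole to whatever inside address the line names, which is the cross-host effect the article attributes to the H.323 ALG (modelled here on the FTP ALG for simplicity). The hardened ALG is an added suggestion, not something the page or a vendor describes: it interprets the control channel from the first byte of the stream, abandons the stream the moment it is not FTP, and honours only addresses equal to the inside host that sent the command. The inside addresses 10.0.0.5 (browsing victim), 10.0.0.20 (a printer) and port 9100 are assumptions.

```python
"""Toy connection-tracker/ALG model of NAT slipstreaming (constructed example)."""
import re

VICTIM_IP = "10.0.0.5"    # assumed: the inside host that opens the attacker's page
PRINTER_IP = "10.0.0.20"  # assumed: an inside host that never browsed anything
FTP_PORT = 21

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.  Anchored at
# the start of the data, which is why the attacker pads the HTTP body so that
# the command lands at a segment boundary.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")
# Verbs a genuine FTP client could open a control session with.
FTP_VERBS = {b"USER", b"PASS", b"PORT", b"PASV", b"TYPE", b"SYST", b"FEAT", b"QUIT"}


class Pinhole(tuple):
    """(inside_ip, inside_port) the NAT will now forward from the internet."""
    def __new__(cls, ip, port):
        return super().__new__(cls, (ip, port))


def parse_port(line):
    """Return (ip, port) from a PORT line, or None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    return ".".join(str(x) for x in h[:4]), h[4] * 256 + h[5]


class NaiveFtpAlg:
    """Looks at each outbound segment to TCP/21 on its own and opens a pinhole
    to whatever address a leading PORT command names: no stream state and no
    check that the address belongs to the sender."""
    def __init__(self):
        self.pinholes = []

    def outbound(self, src_ip, dst_port, segment):
        if dst_port != FTP_PORT:
            return None
        parsed = parse_port(segment)
        if parsed is None:
            return None
        hole = Pinhole(*parsed)
        self.pinholes.append(hole)
        return hole


class HardenedFtpAlg:
    """Same job with two added checks (a suggestion, not a vendor's design):
    commands are read from the first byte of the reassembled stream, which is
    dropped as soon as it does not look like FTP, and a PORT address is honoured
    only if it equals the inside host that sent it."""
    def __init__(self):
        self.pinholes, self.refused = [], []
        self._buf = {}     # src_ip -> unconsumed bytes
        self._is_ftp = {}  # src_ip -> True/False once the first line has been seen

    def outbound(self, src_ip, dst_port, segment):
        if dst_port != FTP_PORT or self._is_ftp.get(src_ip) is False:
            return None
        buf = self._buf.get(src_ip, b"") + segment
        opened = None
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            line += b"\r\n"
            if src_ip not in self._is_ftp:
                verb = line.split(b" ", 1)[0].rstrip(b"\r\n")
                self._is_ftp[src_ip] = verb in FTP_VERBS
                if not self._is_ftp[src_ip]:   # e.g. "POST /submit HTTP/1.1"
                    buf = b""                  # never inspect this stream again
                    break
            parsed = parse_port(line)
            if parsed is None:
                continue
            if parsed[0] != src_ip:            # one host may not open holes for another
                self.refused.append(Pinhole(*parsed))
                continue
            opened = Pinhole(*parsed)
            self.pinholes.append(opened)
        self._buf[src_ip] = buf
        return opened


def slipstream_segments(target_ip, target_port):
    """Constructed stand-in for the browser's second-phase request: an HTTP POST
    to the attacker's server on port 21, padded so that a PORT line naming
    target_ip starts the second TCP segment."""
    port_line = b"PORT %s,%d,%d\r\n" % (
        target_ip.replace(".", ",").encode(), target_port // 256, target_port % 256)
    padding = b"A" * 1000
    headers = (b"POST /submit HTTP/1.1\r\nHost: attacker.example\r\n"
               b"Content-Type: text/plain\r\nContent-Length: %d\r\n\r\n"
               % (len(padding) + len(port_line)))
    return [headers + padding, port_line]


def feed(alg, src_ip, segments):
    """Push outbound segments through an ALG and return the pinholes it opened."""
    for seg in segments:
        alg.outbound(src_ip, FTP_PORT, seg)
    return list(alg.pinholes)


def demo():
    attack = slipstream_segments(PRINTER_IP, 9100)   # assumed raw-printing port
    legit = [b"USER anonymous\r\n", b"PASS guest\r\n", b"PORT 10,0,0,5,4,1\r\n"]
    return {
        "naive_attack": feed(NaiveFtpAlg(), VICTIM_IP, attack),
        "hardened_attack": feed(HardenedFtpAlg(), VICTIM_IP, attack),
        "hardened_legit": feed(HardenedFtpAlg(), VICTIM_IP, legit),
    }


if __name__ == "__main__":
    for name, holes in demo().items():
        print(name, holes or "no pinhole")
```

The naive ALG ends up forwarding internet traffic to the printer's port 9100 even though the printer never sent a byte; the hardened one opens nothing for the crafted request but still serves a genuine FTP session from the victim. Real ALGs differ in detail from one vendor to the next, so treat the model as a way to reason about which check is missing, not as a description of any particular product.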


The ability to reach devices without human interaction means that attackers can reach not only desktops but also devices that don't typically have human operators: unmanaged devices like printers, industrial controllers, Bluetooth accessories, IP cameras, sensors, smart lighting and more. The impact of an attack on these can be severe, ranging from denial of service (DoS) to a full-blown ransomware attack, researchers noted.

Unmanaged Corporate Devices at Risk

“Unmanaged devices [often] don’t have inherent security capabilities, and often offer interfaces for controlling them and accessing their data with little-to-no authentication, within the internal network,” researchers explained. “Exposing these interfaces directly to the internet is a serious security risk.”

Researchers gave the example of an office printer that can be controlled through its default printing protocol, or through its internal web server. Using NAT slipstreaming, an attacker could knock it offline or cause it to print arbitrary documents. Depending on the printer’s features, cybercriminals could also access stored documents.

The researchers added that, as with any target, these actions require the newly exposed interface itself to be insecure: a pinhole through the NAT gives an attacker a path to the device, but they still need a way in once they get there. Many unmanaged devices that were never meant to face the internet require no password, researchers noted, and many remain unpatched.

“In addition to interfaces that are unauthenticated by design, many unmanaged devices may also be vulnerable to vulnerabilities that are publicly known, that can be exploited if an attacker is able to bypass the NAT/firewall, and initiate network traffic that can trigger them,” they wrote.

One example of this risk: researchers recently found that 97 percent of the industrial controllers affected by the URGENT/11 group of security bugs remain vulnerable. In many industrial scenarios, regular patching of unmanaged devices is a challenge because production requirements mean they often can't be taken offline, researchers explained. Thus, “many organizations rely on perimeter security (firewalls and NATs) to keep their unpatched devices from being accessed by potential attackers on the internet.”

Once the perimeter is breached, attackers are free to exploit and take over vulnerable and open devices, and install remote access tools for further attacks.

Mitigations via Browser Patching

Like the original attack, the new version has been mitigated with browser patches, for Chrome, Safari, Firefox and Edge. Chromium is tracking the new variant via CVE-2020-16043, while Firefox is tracking it via CVE-2021-23961.

“While the underlying issue of this attack is the way NATs are implemented (in various ways in routers and firewalls, throughout numerous vendors and applications), the easiest and fastest way to mitigate was through a patch to browsers,” according to the advisory.

The fixed versions are Chrome 87.0.4280.141, Firefox 85.0 and Safari 14.0.3; Microsoft's Edge browser, which is built on the Chromium source code, is also patched.


Discussion

  • Konstantin on

    It is a bit wrong to make NAT responsible for that CVE. NAT is not a security feature; its goal is to provide a transparent connection between private networks and the Internet. If the browser allows any side code to execute and to initiate parallel outgoing connections, we should fix that problem first.
  • Matt on

    The browser isn't "executing side code"; it's making a specially crafted cross-origin HTTP request, with the request body carefully crafted to fall across packet boundaries in a certain way, and NATs are picking up that data as a command. They should be ignoring it, since it's in the middle of the body of a standard HTTP request, not the first data sent over an HTTP connection. Scraping the middle of packets like that is not a safe, or generally compatible, behavior.
  • John on

    A bit clickbaity. If one node on the network is connected to the internet then by definition the network IS connected to the internet. A network not connected to the internet cannot be accessed from the internet.
