30 March 2021

Network Asset Traversal or NATural disaster: NAT Slipstreaming 2.0

New techniques for attacking internal network hosts located behind NAT systems have been published. The techniques are based on imitating legitimate SIP, H.323, IRC or FTP traffic. NAT routers support these protocols through a technology called Application-Level Gateway (ALG), which enables incoming packets to be forwarded to hosts behind the NAT.

Exploitation of the vulnerability requires a malicious script to be first executed by a browser running on a host inside the victim’s local network. The malicious code (in the example provided by the researchers, JavaScript) communicates with a server controlled by the attackers over the internet in such a way that the NAT server’s ALG mechanism opens a temporary channel over which incoming packets are forwarded to a host on the local network on a port selected by the attackers.

The original attack vector, which was identified by researcher Samy Kamkar, worked for those protocols supported by ALG which are not on the browser’s list of restricted protocols (e.g., for SIP and H.323, but not for FTP or IRC), enabling an attacker to gain access to the originally compromised host (the host running the malicious script in its browser) via one of these protocols. Browser developers responded by expanding the list of restricted protocols.

The new attack vector, demonstrated by Samy Kamkar and researchers from cybersecurity company Armis, additionally took advantage of two important issues.

First, as it turned out, browsers that supported the WebRTC technology to implement voice and video conferencing used a special logic when working with the following protocols:

  • STUN (Session Traversal Utilities for NAT) – enables a host behind NAT to determine the NAT type, the external IP and the port assigned by NAT to transmit packets to the other side and implement a P2P connection;
  • TURN (Traversal Using Relays around NAT) – sets up a temporary relay on the internet for traffic of a host located behind a NAT, enabling a P2P connection to be created even between hosts located behind a symmetric NAT.

When communicating with STUN and TURN servers, the browser logic implementing WebRTC support ignored lists of restricted ports. This essentially made it possible to use the browser to activate the ALG mechanism on the NAT server for protocols on the browser’s restricted list, making the host available from the internet over one of those protocols.

Second, the abuse of the H.323 protocol to create audio and video communication sessions has opened access via ALG not only to the originally compromised host on the network (on which the malicious code is executed in the browser) but also to any other host on the local network located behind the same NAT server as the compromised host.

The attack’s implementation has been demonstrated, among other examples, on an industrial network.
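The sequence described above leaves a pattern a defender can look for in flow records: an internal host connects out to an ALG control port, and shortly afterwards the same external address reaches an internal host, possibly a different one. The following detection heuristic is an added example, not code from the researchers. The flow-log format, the internal range, the 60-second window and the sample records are constructed, the port numbers are the protocols' usual defaults rather than values from the article, and the records are assumed to be captured on the inside interface of the NAT device.

```python
"""Heuristic: outbound ALG-control connection followed by an inbound flow."""
import ipaddress

# Usual control ports watched by ALGs (assumption: default port numbers).
ALG_PORTS = {21: "FTP", 1720: "H.323", 5060: "SIP", 6667: "IRC"}
INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # constructed site range
WINDOW = 60                                        # seconds, tunable

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def parse(log_text):
    """Yield (ts, src, dst, dport) from 'ts src dst dport' lines."""
    for line in log_text.splitlines():
        if line.strip() and not line.startswith("#"):
            ts, src, dst, dport = line.split()
            yield int(ts), src, dst, int(dport)

def correlate(log_text):
    """Return alerts for inbound flows that follow an ALG-port trigger."""
    triggers = {}  # external ip -> (ts, internal initiator, protocol)
    alerts = []
    for ts, src, dst, dport in sorted(parse(log_text)):
        if is_internal(src) and not is_internal(dst) and dport in ALG_PORTS:
            triggers[dst] = (ts, src, ALG_PORTS[dport])
        elif not is_internal(src) and is_internal(dst) and src in triggers:
            t_ts, initiator, proto = triggers[src]
            if ts - t_ts <= WINDOW:
                alerts.append({
                    "external": src, "alg": proto, "initiator": initiator,
                    "target": dst, "port": dport,
                    # True when the pinhole reaches a host other than the one
                    # running the browser (the H.323 case in the article).
                    "other_host": dst != initiator,
                })
    return alerts

# Constructed sample records (documentation address ranges).
SAMPLE = """\
# ts src dst dport
100 192.168.1.20 203.0.113.7 443
105 192.168.1.20 203.0.113.7 1720
110 203.0.113.7 192.168.1.50 8080
300 198.51.100.9 192.168.1.20 8080
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Legitimate VoIP or FTP use will also match, so alerts from segments with no business need for those protocols deserve the most attention.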

The researchers have tested and confirmed that the following popular solutions are vulnerable:

  • Routers and firewalls based on VyOS with Linux kernel version 4.14+. Over the H.323 protocol, any internal IP is exposed to an external attack; over the FTP protocol, any port of the originally compromised host only.
  • Various home routers built on ‘old’ Linux kernels (apparently, up to v4.14 – the researchers have provided no specific information and this requires an additional check in each specific case). Over H.323, any internal IP is exposed to an external attack; over FTP, any port of the originally compromised host only.
  • Fortigate FG64 VM, Fortigate 60E firewall appliance, Fortigate CGNAT (versions to be clarified). Over H.323, any internal IP is exposed to an external attack; over FTP, ports of the originally compromised host above 1024 only.
  • Cisco ASAv VM (versions to be clarified). Over H.323, any internal IP is exposed to an external attack; over FTP, ports of the originally compromised host above 1024 only.
  • Cisco csr1000v VM (versions to be clarified). Over H.323, any internal IP is exposed to an external attack.
  • HPE vsr1000 VM (versions to be clarified). Over H.323, any internal IP is exposed to an external attack; over FTP, any port of the originally compromised host only.
  • Sonicwall TZ300 (versions to be clarified). Over FTP, ports of the originally compromised host above 1024 only are exposed to an external attack.

It is likely that a large number of NAT systems are prone to the attack and the above list should by no means be considered final.

At least the following browsers can be used to carry out an attack:

Since, in most cases, devices on the operational technology (OT) networks of industrial enterprises are not updated regularly and often contain critical vulnerabilities, while enterprises rely primarily on perimeter protection, OT networks could prove to be extremely vulnerable to the NAT Slipstreaming 2.0 attack.

There currently exists no simple solution guaranteed to protect potentially vulnerable infrastructures against the attack vectors described above. We recommend taking the following measures to reduce the attack surface:

  1. Check whether ALG functionality is available on NAT devices used on the enterprise network. Where possible, disable ALG for those protocols which are not required for the enterprise’s operation. Particular attention should be paid to the H.323 protocol.
  2. Analyze the network’s segmentation. Restrict communications between different segments to those which are absolutely necessary.
  3. Block internet access from those segments of the network in which the most critical equipment is located. If possible, block internet access from all segments of the OT network.
  4. Update browsers to the latest versions on all devices on the enterprise network from which internet access is possible (see above).
  5. Restrict access to the corporate network for all personal mobile devices and devices with unknown or uncontrolled browser versions.
  6. Use antivirus protection on all hosts on the enterprise network and on the enterprise’s perimeter.
  7. Use an application launch control technology to allow only those browsers to be launched which are not vulnerable to different variants of the NAT Slipstreaming attack. Block browsers from being launched on those devices on which there is no operational need to use a browser. Where possible, use application whitelisting to allow only explicitly approved applications to run on OT network hosts.
  8. Use tools designed to monitor network traffic and detect attacks on systems on the enterprise’s OT network.
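For measure 1 on Linux-based NAT devices, ALG support is provided by netfilter connection-tracking helper modules, so the loaded-module list shows which ALGs are present. The audit below is an added example, not a vendor or researcher tool. The sample module list is constructed, the `required` and `auto_helper` parameters are this example's own, and helpers compiled into the kernel rather than loaded as modules will not appear in `/proc/modules`.

```python
"""Audit a Linux-based NAT device for loaded ALG (conntrack helper) modules."""

# Netfilter helper modules for the four protocols the article names.
ALG_MODULES = {
    "nf_conntrack_h323": "H.323", "nf_nat_h323": "H.323",
    "nf_conntrack_ftp": "FTP", "nf_nat_ftp": "FTP",
    "nf_conntrack_sip": "SIP", "nf_nat_sip": "SIP",
    "nf_conntrack_irc": "IRC", "nf_nat_irc": "IRC",
}

def loaded_algs(proc_modules_text):
    """Return {protocol: sorted module names} from /proc/modules-format text."""
    found = {}
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] in ALG_MODULES:
            found.setdefault(ALG_MODULES[fields[0]], []).append(fields[0])
    return {proto: sorted(mods) for proto, mods in found.items()}

def audit(proc_modules_text, required=frozenset(), auto_helper=None):
    """List loaded ALGs, H.323 first as the article advises.

    required: protocols the enterprise actually needs (reported, but kept).
    auto_helper: contents of the net.netfilter.nf_conntrack_helper sysctl on
    kernels that expose it; "1" means helpers attach to flows automatically.
    """
    auto = (auto_helper or "").strip() == "1"
    findings = [
        {"protocol": proto, "modules": mods, "auto_attach": auto,
         "action": "keep (required)" if proto in required else "disable"}
        for proto, mods in loaded_algs(proc_modules_text).items()
    ]
    findings.sort(key=lambda f: (f["protocol"] != "H.323", f["protocol"]))
    return findings

# Constructed sample in /proc/modules format (not from a real device).
SAMPLE = """\
nf_nat_h323 20480 0 - Live 0x0000000000000000
nf_conntrack_h323 77824 1 nf_nat_h323, Live 0x0000000000000000
nf_nat_ftp 16384 0 - Live 0x0000000000000000
nf_conntrack_ftp 20480 1 nf_nat_ftp, Live 0x0000000000000000
nf_conntrack 139264 4 nf_nat_h323,nf_conntrack_h323, Live 0x0000000000000000
e1000 143360 0 - Live 0x0000000000000000
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, required={"FTP"}, auto_helper="1\n"):
        print(finding)
```

On a device, pass the contents of `/proc/modules` in place of `SAMPLE`; appliances that are not Linux-based need the vendor's own ALG settings checked instead.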

Sources: Blog by Samy Kamkar, Armis

Authors
  • Evgeny Goncharov

    Head of Kaspersky ICS CERT

  • Sergey Melnikov

    Senior Security Analyst, Kaspersky ICS CERT