Remote Attackers Can Now Reach Protected Network Devices via NAT Slipstreaming

Disconnecting devices from the internet is no longer a solid plan for protecting them from remote attackers. A new version of a known network-address translation (NAT) slipstreaming attack has been uncovered, which would allow remote attackers to reach multiple internal network devices, even if those devices don’t have access to the internet.

According to researchers from Armis and Samy Kamkar, chief security officer and co-founder at Openpath Security, attackers can execute an attack by simply convincing one target with internet access on the network to click on a malicious link. From there, cybercriminals can gain access to other, non-exposed endpoints, including unmanaged devices like industrial controllers, with no further social engineering needed.

NAT is the process of connecting internal network devices to the outside internet; it essentially allows a router to securely allow multiple devices connected to it to share a single public IP address. In enterprise environments, NAT functions are combined with firewalls to provide better perimeter cybersecurity; products from Fortinet, Cisco and HPE all take this approach.

NAT Slipstreaming Overview

In the original NAT slipstreaming attack, revealed and mitigated in November, an attacker persuades a victim to visit a specially crafted website (via social engineering and other tactics); a victim within an internal network that clicks on it is then taken to an attacker’s website. The website in turn will fool the victim network’s NAT into opening an incoming path (of either a TCP or UDP port) from the internet to the victim device.

“Slipstreaming is easy to exploit as it’s essentially entirely automated and works cross-browser and cross-platform, and it doesn’t require any user interaction other than visiting the victim site,” Kamkar told Threatpost last fall.

In order to launch an attack, the victim’s device must also have an Application-Level Gateway (ALG) connection-tracking mechanism enabled, which is usually built into NATs. NAT slipstreaming exploits the user’s browser in conjunction with ALG.

“This attack takes advantage of arbitrary control of the data portion of some TCP and UDP packets without including HTTP or other headers; the attack performs this new packet-injection technique across all major modern (and older) browsers,” explained Kamkar.

In the attack, when a victim device visits an attacker-controlled website, JavaScript code running in the victim’s browser sends out additional traffic to the attacker’s server, which traverses through the network’s NAT/firewall.

“This second-phase traffic is crafted in such a way that the NAT is fooled to believe this traffic actually originated from an application that requires a second connection to take place, from the internet to the victim device, and to an internal port that the attacker can choose,” researchers explained. “This second connection can thus lead the attacker to access any service (TCP/UDP) on the victim’s device, directly from the internet.”

If, for example, the victim’s device is a Windows device vulnerable to EternalBlue, the attacker can access the SMB port on the victim device using this technique, from the internet, exploit the vulnerability, and take over the device.

“The only thing required for this attack to take place, is that the victim clicks on link, or visits a web page of which the attacker has implanted some JavaScript code,” researchers noted.

NAT Slipstreaming 2.0

The just-discovered approach variant simply extends the attack, researchers said.

Now, “attackers [can] fool the NAT in such a way that it will create incoming paths to any device on the internal network, and not only to the victim device that clicked on the link,” they explained, in a blog posting on Tuesday.

The issue lies in the H.323 ALG, where supported. Unlike most other ALGs, H.323 enables an attacker to create a pinhole in the NAT/firewall to any internal IP, rather than just the IP of the victim that clicks on the malicious link.

Meanwhile, WebRTC TURN connections can be established by browsers over TCP to any destination port. The browsers restricted-ports list was not consulted by this logic, and was therefore bypassed.

“This allows the attacker to reach additional ALGs, such as the FTP and IRC ALGs (ports 21, 6667) that were previously unreachable due to the restricted-ports list,” researchers said. “The FTP ALG is widely used in NATs/firewalls.”

A full proof-of-concept demonstration can be seen here:

The ability to reach devices without human interaction means that attackers can reach not only desktops but also other devices that don’t typically have human operators — unmanaged devices like printers, industrial controllers, Bluetooth accessories, IP cameras, sensors, smart lighting and more. The impact of attack on these can be severe, ranging from denial-of-service (DoS) to a full-blown ransomware attack, researchers noted.

Unmanaged Corporate Devices at Risk

“Unmanaged devices [often] don’t have inherent security capabilities, and often offer interfaces for controlling them and accessing their data with little-to-no authentication, within the internal network,” researchers explained. “Exposing these interfaces directly to the internet is a serious security risk.”

Researchers gave the example of an office printer that can be controlled through its default printing protocol, or through its internal web server. Using NAT slipstreaming, an attacker could knock it offline or cause it to print arbitrary documents. Depending on the printer’s features, cybercriminals could also access stored documents.

The researchers added that in order to carry those types of actions out, the newly exposed interface would itself need to be insecure, as is the case for other targets. Thus, once attackers form a web connection to the target, they would then need to access that target. Many unmanaged devices not connected to the internet don’t require passwords, researchers noted, or often remain unpatched.

“In addition to interfaces that are unauthenticated by design, many unmanaged devices may also be vulnerable to vulnerabilities that are publicly known, that can be exploited if an attacker is able to bypass the NAT/firewall, and initiate network traffic that can trigger them,” they wrote.

An example of this risk includes the 97 percent of industrial controllers recently found to remain vulnerable to the URGENT/11 group of security bugs. In many industrial scenarios, regular patching of unmanaged devices is a challenge since they often can’t be taken offline thanks to production requirements, researchers explained. Thus, “many organizations rely on perimeter security (firewalls and NATs) to keep their unpatched devices from being accessed by potential attackers on the internet.”

Once the perimeter is breached, attackers are free to exploit and take over vulnerable and open devices, and install remote access tools for further attacks.

Mitigations via Browser Patching

Like the original attack, the new version has been mitigated with browser patches, for Chrome, Safari, Firefox and Edge. Chromium is tracking the new variant via CVE-2020-16043, while Firefox is tracking it via CVE-2021-23961.

“While the underlying issue of this attack is the way NATs are implemented (in various ways in routers and firewalls, throughout numerous vendors and applications), the easiest and fastest way to mitigate was through a patch to browsers,” according to the advisory.

The updates are Chrome v87.0.4280.141, Firefox v85.0 and Safari v14.0.3, and Microsoft’s Edge browser is also now patched, since it relies on the Chromium source code.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!