Categories: Hacking

NAT-PMP Protocol Vulnerability affects more than 1.2 Million SOHO devices

Security researchers at Rapid7 have discovered a serious NAT-PMP Protocol vulnerability that puts 1.2 Million SOHO routers at risk.

Another serious security flaw is threatening more than 1.2 million SOHO Routers worldwide, the vulnerability is related to the “improper NAT-PMP protocol implementations and configuration flaws“, as explained by Jon Hart, a researcher at Rapid7.

Hart explained the that the security issued was discovered by the researchers after a scan of the public Internet as part of Project Sonar, which is an ongoing study on public Internet-facing websites and devices.

The exploitation of the vulnerability allows an attacker to conduct many malicious activities, most serious and dangerous among them being the ability to redirect traffic to a website controlled by the attackers.

In reality, as reported by Rapid7 CSO HD Moore, the Metasploit framework already includes modules to run attacks exploiting NAT-PMP vulnerabilities, the principal problem according to the expert is that the scan did not help Rapid7 to identify the specific products affected by the flaw.

As anticipated the options are different, threat actors could cause a denial-of-service condition of the targeted device, could provide the access to the device settings and to the internal NAT client services.

What is the NAT-PMP?

NAT-PMP is technologies that allows, among other things, Internet applications to configure SOHO routers and gateways, bypassing manual port forwarding configuration. NAT-PMP runs over UDP port 5351 and automates the process of port forwarding. It is used by many networking devices to allow external users access to resources behind a NAT.

The NAT-PMP protocol is widespread due to its simplicity, but as highlighted by Hart it requires careful configuration to avoid serious problems. During the scanning activity, the experts noticed nearly 1.2 million devices on the public Internet that responded to their external NAT-PMP solicitations. The responses provided represent two categories of security vulnerabilities:

malicious port mapping manipulation.
information disclosure about the NAT-PMP device.

The analysis published by Hart detailed the following specific security:

Interception of Internal NAT Traffic: ~30,000 (2.5% of responding devices)
Interception of External Traffic: ~1.03m (86% of responding devices)
Access to Internal NAT Client Services: ~1.06m (88% of responding devices)
DoS Against Host Services: ~1.06m (88% of responding devices)
Information Disclosure about the NAT-PMP device: ~1.2m (100% of responding devices)

Moore explained that the interception of external traffic is a very serious issue:

“That will allow someone running a malware command and control kit or something like that to turn your system into a reverse proxy serving malicious traffic, start hosting malicious site on your router’s IP,” said Moore, “The way they do that is from the malicious system to flip the mapping back to you from all these vulnerable routers. And because of the way the protocol works, you don’t have to actually know where these devices are. You can literally spray them out across the ether.”

Hart explained vulnerable devices are not compliant with the RFC 6886 specification, which states that a NAT gateway must not be configured to accept mapping requests for the external IP address it has on the Internet.

“The NAT gateway MUST NOT accept mapping requests destined to the NAT gateway’s external IP address or received on its external network interface. Only packets received on the internal interface(s) with a destination address matching the internal address(es) of the NAT gateway should be allowed.” the specification says.

Hart also added that traffic meant for the device running NAT-PMP internal interface is less likely at risk yet it can be redirected off the network to a service controlled by the attackers.

“This attack can also be used to cause the NAT-PMP device to respond to and forward traffic for services it isn’t even listening on,” Hart wrote. “For example, if the NAT-PMP device does not have a listening HTTP service on the external interface, this same flaw could be used to redirect inbound HTTP requests to another external host, making it appear that HTTP content hosted on the external host is hosted by the NAT-PMP device.”

Security researchers close the post with a series of recommendations for vendors, ISPs and final users.

” Vendors producing products with NAT-PMP capabilities should take care to ensure that flaws like the ones disclosed in this document are not possible in normal and perhaps even abnormal configurations. ISPs and entities that act like ISPs should take care to ensure that the access devices provided to customers are similarly free from these flaws. Lastly, for consumers with NAT-PMP capable devices on your network, your should ensure that all NAT-PMP traffic is prohibited on un-trusted network interfaces.”

Pierluigi Paganini

(Security Affairs – NAT-PMP, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.