
NAT-PMP Protocol Vulnerability affects more than 1.2 Million SOHO devices

Security researchers at Rapid7 have discovered a serious NAT-PMP Protocol vulnerability that puts 1.2 Million SOHO routers at risk.

Another serious security flaw is threatening more than 1.2 million SOHO Routers worldwide, the vulnerability is related to the “improper NAT-PMP protocol implementations and configuration flaws“, as explained by Jon Hart, a researcher at Rapid7.

Hart explained that the security issue was discovered by the researchers during a scan of the public Internet conducted as part of Project Sonar, Rapid7's ongoing study of public Internet-facing websites and devices.

The exploitation of the vulnerability allows an attacker to conduct many malicious activities; the most serious and dangerous among them is the ability to redirect traffic to a website controlled by the attackers.

In reality, as reported by Rapid7 CSO HD Moore, the Metasploit framework already includes modules that exploit NAT-PMP vulnerabilities. The principal problem, according to the expert, is that the scan did not allow Rapid7 to identify the specific products affected by the flaw.


As anticipated, the options open to threat actors are varied: they could cause a denial-of-service condition on the targeted device, gain access to the device settings, or reach the internal NAT client services.

What is the NAT-PMP?

NAT-PMP is a technology that allows, among other things, Internet applications to configure SOHO routers and gateways without manual port forwarding configuration. NAT-PMP runs over UDP port 5351 and automates the process of port forwarding. It is used by many networking devices to allow external users to access resources behind a NAT.


The NAT-PMP protocol is widespread due to its simplicity, but as highlighted by Hart it requires careful configuration to avoid serious problems. During the scanning activity, the experts noticed nearly 1.2 million devices on the public Internet that responded to their external NAT-PMP solicitations. The responses received fall into two categories of security vulnerabilities:

  • malicious port mapping manipulation.
  • information disclosure about the NAT-PMP device.

The analysis published by Hart detailed the following specific security issues:

  • Interception of Internal NAT Traffic: ~30,000 (2.5% of responding devices)
  • Interception of External Traffic: ~1.03m (86% of responding devices)
  • Access to Internal NAT Client Services: ~1.06m (88% of responding devices)
  • DoS Against Host Services: ~1.06m (88% of responding devices)
  • Information Disclosure about the NAT-PMP device: ~1.2m (100% of responding devices)

Moore explained that the interception of external traffic is a very serious issue:

“That will allow someone running a malware command and control kit or something like that to turn your system into a reverse proxy serving malicious traffic, start hosting malicious sites on your router’s IP,” said Moore. “The way they do that is from the malicious system to flip the mapping back to you from all these vulnerable routers. And because of the way the protocol works, you don’t have to actually know where these devices are. You can literally spray them out across the ether.”

Hart explained vulnerable devices are not compliant with the RFC 6886 specification, which states that a NAT gateway must not be configured to accept mapping requests for the external IP address it has on the Internet.

“The NAT gateway MUST NOT accept mapping requests destined to the NAT gateway’s external IP address or received on its external network interface. Only packets received on the internal interface(s) with a destination address matching the internal address(es) of the NAT gateway should be allowed,” the specification says.

Hart also added that traffic destined for the internal interface of the device running NAT-PMP is less likely to be at risk, yet it can still be redirected off the network to a service controlled by the attackers.

“This attack can also be used to cause the NAT-PMP device to respond to and forward traffic for services it isn’t even listening on,” Hart wrote. “For example, if the NAT-PMP device does not have a listening HTTP service on the external interface, this same flaw could be used to redirect inbound HTTP requests to another external host, making it appear that HTTP content hosted on the external host is hosted by the NAT-PMP device.”
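As an added illustration of the protocol described in the "What is the NAT-PMP?" section and of the RFC 6886 rule quoted above (this is not code from Rapid7's research or from the original post), the following Python models how a NAT-PMP gateway should handle request datagrams: a compliant gateway only answers requests that arrive on an internal interface and are addressed to an internal address, while the `enforce_rfc=False` mode reproduces the behaviour of the non-compliant devices. The `Gateway` and `map_request` names, the interface names and the addresses are assumptions made for the example.

```python
import struct
from dataclasses import dataclass, field

OP_EXTERNAL_ADDR, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT_SUCCESS, RESULT_BAD_OPCODE = 0, 5

@dataclass
class Gateway:
    """Constructed model of a NAT-PMP gateway's request handling (UDP port 5351)."""
    internal_ifaces: frozenset          # e.g. {"lan0"}
    internal_addrs: frozenset           # addresses on the LAN side, e.g. {"192.168.1.1"}
    external_addr: str                  # the WAN address reported by opcode 0
    enforce_rfc: bool = True            # False reproduces the flaw the article describes
    epoch: int = 0                      # "seconds since start of epoch" response field
    mappings: dict = field(default_factory=dict)  # (proto_op, ext_port) -> internal port

    def request_allowed(self, iface: str, dst_ip: str) -> bool:
        # RFC 6886: MUST NOT accept requests received on the external interface
        # or destined to the external IP; only internal iface + internal address.
        if not self.enforce_rfc:
            return True
        return iface in self.internal_ifaces and dst_ip in self.internal_addrs

    def handle(self, pkt: bytes, iface: str, dst_ip: str):
        """Parse one request datagram; return the response bytes, or None to drop it.
        Dropping (rather than replying with an error) also avoids the information
        disclosure that any NAT-PMP answer on the WAN side represents."""
        if len(pkt) < 2 or pkt[0] != 0 or not self.request_allowed(iface, dst_ip):
            return None
        op = pkt[1]
        if op == OP_EXTERNAL_ADDR:
            ip = bytes(int(o) for o in self.external_addr.split("."))
            return struct.pack("!BBHI", 0, 128, RESULT_SUCCESS, self.epoch) + ip
        if op in (OP_MAP_UDP, OP_MAP_TCP) and len(pkt) >= 12:
            _, _, _, int_port, ext_port, lifetime = struct.unpack("!BBHHHI", pkt[:12])
            ext_port = ext_port or int_port          # 0 means "gateway picks"; reuse int_port
            if lifetime == 0:
                self.mappings.pop((op, ext_port), None)  # lifetime 0 deletes a mapping
            else:
                self.mappings[(op, ext_port)] = int_port
            return struct.pack("!BBHIHHI", 0, 128 + op, RESULT_SUCCESS, self.epoch,
                               int_port, ext_port, lifetime)
        # Unknown opcode: response opcode is request opcode + 128, result code 5.
        return struct.pack("!BBHI", 0, 128 + op, RESULT_BAD_OPCODE, self.epoch)

def map_request(proto_op: int, int_port: int, ext_port: int = 0, lifetime: int = 3600) -> bytes:
    """Build a client-side NAT-PMP mapping request (RFC 6886 section 3.3 layout)."""
    return struct.pack("!BBHHHI", 0, proto_op, 0, int_port, ext_port, lifetime)
```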

The researchers close the post with a series of recommendations for vendors, ISPs and end users.

“Vendors producing products with NAT-PMP capabilities should take care to ensure that flaws like the ones disclosed in this document are not possible in normal and perhaps even abnormal configurations. ISPs and entities that act like ISPs should take care to ensure that the access devices provided to customers are similarly free from these flaws. Lastly, for consumers with NAT-PMP capable devices on your network, you should ensure that all NAT-PMP traffic is prohibited on un-trusted network interfaces.”

Pierluigi Paganini

(Security Affairs – NAT-PMP, hacking)