podkaracz
Guest
So again I've found info about the next generation of a previous attack. And here is the question: how does it work, and is it mitigated? Because it seems like it's higher in severity (8.8). I've only seen info about NAT Slipstreaming 1.0 here on the forum, but not about 2.0.
CVE-2021-23961 , CVE-2020-16043
"The issue lies in the H.323 ALG, where supported. Unlike most other ALGs, H.323 enables an attacker to create a pinhole in the NAT/firewall to any internal IP, rather than just the IP of the victim that clicks on the malicious link.
Meanwhile, WebRTC TURN connections can be established by browsers over TCP to any destination port. The browser's restricted-ports list was not consulted by this logic, and was therefore bypassed.
“This allows the attacker to reach additional ALGs, such as the FTP and IRC ALGs (ports 21, 6667) that were previously unreachable due to the restricted-ports list,” researchers said. “The FTP ALG is widely used in NATs/firewalls."
Here is the in depth analysis:
Remote Attackers Can Now Reach Protected Network Devices via NAT Slipstreaming
A new version of NAT slipstreaming allows cybercriminals an easy path to devices that aren't connected to the internet.
threatpost.com
NAT Slipstreaming v2.0
This new attack variant exposes all internal network devices to the internet.
www.armis.com
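The quoted passage says the browser's restricted-ports list was not consulted for WebRTC TURN connections over TCP. As an added example (not part of the original post and not browser source code), here is the kind of check that closes that gap, applied to an `iceServers` configuration. The function names, the `ALG_PORTS` set and the sample hosts are assumptions; ports 21 and 6667 come from the quote, and 1720 is the standard H.323 call-signalling port.

```javascript
// Ports whose traffic a NAT/firewall ALG may parse: FTP and IRC are named in
// the quote; 1720 is H.323 call signalling. A real restricted list is longer.
const ALG_PORTS = new Map([[21, "FTP"], [1720, "H.323"], [6667, "IRC"]]);

// Parse a TURN URI (RFC 7065): turn[s]:host[:port][?transport=udp|tcp]
function parseTurnUri(uri) {
  const re = /^(turns?):(\[[0-9a-fA-F:.]+\]|[^:?\[\]]+)(?::(\d{1,5}))?(?:\?transport=(udp|tcp))?$/i;
  const m = re.exec(String(uri));
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  // RFC 7065 defaults: turn -> 3478 over UDP, turns -> 5349 over TLS/TCP.
  const port = m[3] !== undefined ? Number(m[3]) : (scheme === "turns" ? 5349 : 3478);
  if (port < 1 || port > 65535) return null;
  const transport = (m[4] || (scheme === "turns" ? "tcp" : "udp")).toLowerCase();
  return { scheme, host: m[2], port, transport };
}

// Verdict for every URL in an RTCPeerConnection-style iceServers array.
// Only TCP is checked here, because the quote concerns TURN over TCP.
function auditIceServers(iceServers) {
  const findings = [];
  for (const server of iceServers) {
    const urls = Array.isArray(server.urls) ? server.urls : [server.urls];
    for (const url of urls) {
      const t = parseTurnUri(url);
      if (t === null) {
        findings.push({ url, verdict: "reject", reason: "not a valid TURN URI" });
        continue;
      }
      const alg = ALG_PORTS.get(t.port);
      const blocked = t.transport === "tcp" && alg !== undefined;
      findings.push({
        url,
        verdict: blocked ? "reject" : "allow",
        reason: blocked ? `TCP port ${t.port} is handled by the ${alg} ALG` : "",
      });
    }
  }
  return findings;
}

// Constructed sample configuration (hosts use the reserved .example TLD).
const sample = [
  { urls: ["turn:relay.example:3478?transport=udp", "turn:relay.example:21?transport=tcp"] },
  { urls: "turns:relay.example:6667" },
  { urls: "turn:relay.example:1720?transport=tcp" },
];
const verdicts = auditIceServers(sample).map((f) => f.verdict);
```

The same port test can be applied at an egress proxy or firewall to flag client connections to TURN relays on ALG-handled ports.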