Nat slipstreaming 2.0

podkaracz

Guest
So again I've found info about the next generation of the previous attack. And here is the question: how does it work, and is this mitigated? Because it seems like it's higher in severity (8.8). I've seen only info about NAT Slipstreaming 1.0 here on the forum but not about 2.0.


CVE-2021-23961 , CVE-2020-16043

"The issue lies in the H.323 ALG, where supported. Unlike most other ALGs, H.323 enables an attacker to create a pinhole in the NAT/firewall to any internal IP, rather than just the IP of the victim that clicks on the malicious link.
Meanwhile, WebRTC TURN connections can be established by browsers over TCP to any destination port. The browser's restricted-ports list was not consulted by this logic, and was therefore bypassed.
“This allows the attacker to reach additional ALGs, such as the FTP and IRC ALGs (ports 21, 6667) that were previously unreachable due to the restricted-ports list,” researchers said. “The FTP ALG is widely used in NATs/firewalls.”"


Here is the in-depth analysis:

I think for now (other than disabling SIP/ALG) the mitigation is in this statement:

“While the underlying issue of this attack is the way NATs are implemented (in various ways in routers and firewalls, throughout numerous vendors and applications), the easiest and fastest way to mitigate was through a patch to browsers,” according to the advisory.

The updates are Chrome v87.0.4280.141, Firefox v85.0 and Safari v14.0.3, and Microsoft’s Edge browser is also now patched, since it relies on the Chromium source code.
 
I think you are wrong; it's not only about SIP (it was when it was first discovered in version 1.0, but now it's about H.323, which bypassed the browser mitigation from NAT Slipstreaming v1, so it's better to disable it all because tomorrow it might be something different that is not documented yet).
I remember when there was NAT Slipstreaming 1.0 one guy said "turn that crap off because today we have this, tomorrow we have another". And he was the true prophet, we can say today. I turned everything off in that tab, but that FTP ALG port that is there is annoying because people here on the forum had to write custom scripts to disable it, and there should be a toggle for this too. I'll write to Asus for them to tell me how to properly disable this FTP ALG port from the NAT Passthrough tab.
 
Being on top of security concerns is one thing, this is at a different level though. :)

@podkaracz, do you use anything with h.323? If not, this is a non-issue for you.

If you do, you're open to a lot more security issues than this one too.
 
This was already answered in that other thread. Just make sure the NAT helper is not enabled, that's all there is to this.
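One way to verify the mitigation described in this post on a Linux-based router, as an added example that is not part of this thread, of Asuswrt or of Merlin's firmware: the script below reports which Netfilter connection-tracking ALG helper modules are loaded and whether the kernel still auto-attaches helpers to new connections. It assumes the upstream Netfilter module names (nf_conntrack_h323, nf_nat_h323, nf_conntrack_sip, nf_conntrack_ftp, nf_conntrack_irc, nf_conntrack_pptp) and the net.netfilter.nf_conntrack_helper sysctl, which exists on the older kernels embedded routers typically run and was removed in newer kernels; the /proc/modules sample is constructed so the script can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread or any vendor firmware): audit which
# Netfilter ALG helper modules are loaded and whether automatic helper
# assignment is still on. Module names and the sysctl are assumptions about
# a stock Linux Netfilter build; the sample /proc/modules text is constructed.

# Helpers singled out in the NAT Slipstreaming write-ups: H.323 (2.0), SIP (1.0),
# and the FTP/IRC ALGs the advisory says became reachable once the browser
# restricted-port list was bypassed. PPTP is included as another NAT helper.
ALG_PATTERN='^nf_(conntrack|nat)_(h323|sip|ftp|irc|pptp)'

# Read /proc/modules-style text on stdin; print loaded ALG helper module names.
alg_helpers_from_modules() {
    awk -v pat="$ALG_PATTERN" '$1 ~ pat { print $1 }' | sort
}

# Interpret net.netfilter.nf_conntrack_helper: "1" means the kernel attaches a
# helper to any new flow that matches a helper's port, without an explicit rule.
helper_autoassign_status() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample of /proc/modules (fields: name size refcount deps state addr).
SAMPLE_MODULES='nf_nat_h323 12288 0 - Live 0xffffffffc0400000
nf_conntrack_h323 40960 1 nf_nat_h323, Live 0xffffffffc0300000
nf_conntrack_ftp 20480 0 - Live 0xffffffffc0200000
nf_conntrack 131072 3 nf_nat_h323,nf_conntrack_h323,nf_conntrack_ftp, Live 0xffffffffc0100000
xt_conntrack 16384 2 - Live 0xffffffffc0000000'

# $1: /proc/modules text, $2: value of net.netfilter.nf_conntrack_helper
audit_report() {
    loaded=$(printf '%s\n' "$1" | alg_helpers_from_modules)
    if [ -n "$loaded" ]; then
        echo "ALG helper modules loaded (consider unloading or disabling in the NAT passthrough settings):"
        printf '  %s\n' $loaded
    else
        echo "No SIP/H.323/FTP/IRC/PPTP ALG helper modules loaded."
    fi
    echo "Automatic helper assignment: $(helper_autoassign_status "$2")"
}

# Stand-alone run: inspect the live system when possible, else use the sample.
if [ -r /proc/modules ]; then
    MODS=$(cat /proc/modules)
    HELPER=$(sysctl -n net.netfilter.nf_conntrack_helper 2>/dev/null || echo unknown)
else
    MODS=$SAMPLE_MODULES
    HELPER=1
fi
audit_report "$MODS" "$HELPER"
```

A helper compiled into the kernel rather than built as a module will not appear in /proc/modules, so an empty module list is not proof on its own; on such a build, the sysctl reading and the firmware's own NAT passthrough settings are the things to check.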
 
I don't use anything from that passthrough tab. And yes, I remember the thread that was about NAT Slipstreaming 1.0, but here H.323 was exploited, and it's different: in the first exploit SIP was the target, and H.323 is enabled by default on Asus routers, and from what I can see it doesn't have to be in "enabled + helper" mode to be exploited. Having it enabled was enough to get compromised 1 week ago before browsers got patched (closed more ports). So it's better to make a thread to advise disabling it as it's enabled by default. I don't understand it fully, so I won't argue with people more knowledgeable like @RMerlin, but I saw an article stating that enabled is enough.