NAT Slipstreaming 2.0: a New Variety that Exposes Network Devices

A few months ago we talked about NAT Slipstreaming, a technique that allows attackers to bypass the firewall and remotely access a TCP/UDP service, a problem that could seriously compromise security. It basically consisted of sending a malicious link which, once opened, opened a path to any port. In this article we look at NAT Slipstreaming 2.0, a new attack that could compromise internal networks.

NAT Slipstreaming 2.0, the new attack that compromises internal networks

It is a newly devised variant of the NAT Slipstreaming attack that, according to the latest research, can be exploited to compromise and expose any device on an internal network. The discovery was published by the enterprise IoT security company Armis. The new attack, tracked as CVE-2020-16043 and CVE-2021-23961, builds on the previously disclosed technique to bypass routers and firewalls and reach any unmanaged device within the internal network from the Internet.

NAT Slipstreaming 2.0

The original attack was first revealed by security researcher Samy Kamkar at the end of October 2020. It was based on JavaScript and consisted of enticing a user to visit a malicious site in order to bypass browser-based port restrictions and allow the attacker to remotely access TCP/UDP services on the victim’s device, even when that device was protected by a firewall or NAT.

It should be noted that a few weeks after this problem was detected, mitigations were released for the main browsers, such as Google Chrome, Mozilla Firefox and Safari. Researchers now indicate that the new technique, NAT Slipstreaming 2.0, could pose a greater risk because it allows attackers to expose devices located on internal networks directly to the Internet.


Many vulnerable devices

There are many vulnerable devices that could potentially be exposed. We can include printers, IP cameras and other network controllers. All of them could be exploited once the NAT / firewall is tricked into opening network traffic to the victim’s device.

The security researchers who discovered this new variant indicate that using the new NAT Slipstreaming attack to reach these kinds of interfaces from the Internet can lead to sophisticated attacks, such as ransomware.

Basically, NAT Slipstreaming allows an attacker to bypass the NAT/firewall and remotely access any TCP/UDP service bound to a victim’s computer, simply because the victim visited a website carrying malicious code specially designed for this purpose.

Malicious JavaScript code running in the victim’s browser extracts the internal IP address and takes advantage of TCP/IP packet segmentation to craft TCP/UDP packets, and then smuggles a Session Initiation Protocol (SIP) packet containing the internal IP address inside an outbound HTTP POST request sent over TCP port 5060.

The researchers indicate that this is achieved by carefully controlling how an attacker-controlled TCP connection from the victim’s browser to the attacker’s server is segmented, so that a TCP segment in the middle of the HTTP request is entirely under the attacker’s control.

NAT Slipstreaming 2.0 is similar to the original attack in that it uses the same approach, but it relies on the VoIP H.323 protocol instead of SIP, sending multiple fetch requests to the attacker’s server on the H.323 port (1720). This allows the attacker to iterate through a range of IP addresses and ports, opening each of them to the Internet.
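The common thread in both variants described above is an HTTP request, originating from a browser on an internal host, that is sent to a port normally reserved for VoIP signalling (5060 for SIP, 1720 for H.323) and whose body carries the host’s own internal address so that the NAT’s application-level gateway will act on it. That combination is something a network sensor can look for. The following detector is an added example written for this article; it is not code from Armis or from the original research, and the flow record format and the sample flows (with 203.0.113.10 standing in for an attacker-controlled server) are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ports handled by NAT/firewall application-level gateways (ALGs) that the two
# variants abuse: SIP for the original attack, H.323 for NAT Slipstreaming 2.0.
ALG_PORTS = {5060: "SIP", 1720: "H.323"}

# Internal (RFC 1918) ranges, checked explicitly rather than via is_private,
# which also treats IANA documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HTTP_METHOD_RE = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH) ", re.MULTILINE)
IPV4_TEXT_RE = re.compile(rb"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")


@dataclass
class Flow:
    """One outbound TCP flow as a sensor might record it (hypothetical record format)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes  # first bytes of the client-to-server stream


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def internal_address_leaks(flow: Flow) -> List[str]:
    """Internal addresses carried in the payload, as SIP text or as packed bytes."""
    leaks = []
    for m in IPV4_TEXT_RE.finditer(flow.payload):
        literal = m.group(1).decode()
        try:
            if is_rfc1918(literal):
                leaks.append(f"{literal} (text)")
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the regex but is not an address
    # H.323 call signalling carries the address as four raw bytes rather than text,
    # so also look for the sender's own address in packed form.
    if ipaddress.ip_address(flow.src_ip).packed in flow.payload:
        leaks.append(f"{flow.src_ip} (binary)")
    return leaks


def inspect_flow(flow: Flow) -> Optional[Dict]:
    """Return an alert dict if the flow matches the slipstreaming pattern, else None."""
    protocol = ALG_PORTS.get(flow.dst_port)
    if protocol is None:
        return None
    if not is_rfc1918(flow.src_ip) or is_rfc1918(flow.dst_ip):
        return None  # only internal host -> Internet flows can be slipstreamed
    if not HTTP_METHOD_RE.search(flow.payload):
        return None  # genuine VoIP signalling does not begin as an HTTP request
    leaks = internal_address_leaks(flow)
    if not leaks:
        return None
    return {"src": flow.src_ip, "dst": f"{flow.dst_ip}:{flow.dst_port}",
            "protocol": protocol, "leaks": leaks}


def scan(flows: List[Flow]) -> List[Dict]:
    return [alert for alert in map(inspect_flow, flows) if alert]


# Constructed sample flows; 203.0.113.10 is a documentation address used as the attacker server.
SAMPLE_FLOWS = [
    # 1. Legitimate SIP registration from a desk phone: no HTTP framing, not flagged.
    Flow("192.168.1.20", "203.0.113.10", 5060,
         b"REGISTER sip:203.0.113.10 SIP/2.0\r\nContact: <sip:phone@192.168.1.20:5060>\r\n"),
    # 2. Browser-originated HTTP POST to the SIP port whose body smuggles a SIP message
    #    naming the internal address (the original NAT Slipstreaming pattern).
    Flow("192.168.1.20", "203.0.113.10", 5060,
         b"POST /form HTTP/1.1\r\nHost: 203.0.113.10:5060\r\nContent-Type: text/plain\r\n\r\n"
         + b"A" * 64
         + b"\r\nREGISTER sip:203.0.113.10 SIP/2.0\r\nContact: <sip:x@192.168.1.20:1337>\r\n"),
    # 3. HTTP fetch to the H.323 port with a binary-encoded internal address in the body
    #    (the 2.0 pattern; the surrounding bytes are illustrative filler, not a real H.323 message).
    Flow("192.168.1.20", "203.0.113.10", 1720,
         b"POST / HTTP/1.1\r\nHost: 203.0.113.10:1720\r\n\r\n"
         + b"\x03\x00\x00\x2c\x08\x02" + bytes([192, 168, 1, 20]) + b"\x06\xb8"),
    # 4. Ordinary web traffic that merely mentions an internal address: wrong port, not flagged.
    Flow("192.168.1.20", "203.0.113.10", 443,
         b"POST /api HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n{\"host\": \"192.168.1.20\"}"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

Run as a script, the detector prints two alerts (flows 2 and 3) and stays quiet on the legitimate SIP phone and on ordinary web traffic. The heuristic is deliberately narrow: it only fires when an internal host speaks HTTP to an ALG-inspected port and the request carries that host’s internal address, which is exactly the condition the ALG is being tricked by. A complementary hardening step on the network side is to disable the SIP and H.323 ALGs on the NAT device where they are not needed.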

We leave you an article with tips to improve the physical security of the devices.
