A few months ago we covered NAT Slipstreaming, a technique that allows attackers to bypass the firewall and remotely access a TCP/UDP service. This problem could seriously compromise security. It essentially consisted of sending a malicious link which, once opened, opened a path to any port. In this article we look at NAT Slipstreaming 2.0, a new attack that could compromise internal networks.
NAT Slipstreaming 2.0, the new attack that compromises internal networks
It is a newly designed variant of the NAT Slipstreaming attack that, according to the latest research, can be exploited to compromise and expose any device on an internal network. The discovery was published by the enterprise IoT security company Armis. The new attack, tracked as CVE-2020-16043 and CVE-2021-23961, builds on the previously disclosed technique to bypass routers and firewalls and reach any unmanaged device within the internal network from the Internet.
It should be noted that a few weeks after the original problem was detected, mitigations emerged for the main browsers, such as Google Chrome, Mozilla Firefox and Safari. Now researchers indicate that the new technique, NAT Slipstreaming 2.0, could pose a greater risk by allowing attackers to expose devices located on internal networks directly to the Internet.
Many vulnerable devices
There are many vulnerable devices that could potentially be exposed, including printers, IP cameras and other network controllers. All of them could be exploited once the NAT/firewall is tricked into opening network traffic to the victim's device.
The security researchers who discovered this new variant indicate that using the new NAT Slipstreaming attack to reach these kinds of interfaces from the Internet can lead to sophisticated attacks, such as ransomware.
Essentially, NAT Slipstreaming allows an attacker to bypass the NAT/firewall and remotely access any TCP/UDP service bound to a victim's computer, as a result of the victim visiting a website infected with malicious code specially designed for this purpose.
The researchers indicate that this is achieved by carefully setting the value of an attacker-controlled TCP connection from the victim's browser to the attacker's server, so that a TCP segment in the middle of the HTTP request is completely controlled by the attacker.
NAT Slipstreaming 2.0 is similar to the earlier attack in that it uses the same approach, but it relies on the VoIP H.323 protocol instead of SIP to send multiple fetch requests to the attacker's server on the H.323 port (1720). This allows the attacker to iterate through a range of IP addresses and ports, opening each of them to the Internet.
We leave you an article with tips to improve the physical security of the devices.