Information disclosure vulnerability in misconfigured/open NAT-PMP

Original Issue Date:-October 12, 2023
Severity:-Medium

Software Affected:

  • SOHO routers and other NAT devices with misconfigured or Internet-exposed NAT-PMP

Abstract:

NAT-PMP is a port-mapping protocol in which a trusted host on the local network asks a network address translation (NAT) device, typically a router, to forward traffic between the external network and the requesting host. RFC 6886 specifies that "The NAT gateway MUST NOT accept mapping requests destined to the NAT gateway's external IP address or received on its external network interface," and that a mapping must be created only for the source address of the internal host that requested it. A NAT-PMP device that fails to enforce these restrictions, or that is configured unsafely, may accept malicious port-mapping requests or disclose information about itself and the network behind it.

Technical Description:

Devices with incorrectly configured or incorrectly implemented NAT Port Mapping Protocol (NAT-PMP) may have the NAT-PMP service (5351/udp) listening and reachable from the Internet. An exposed service discloses information about the device and the network behind it: the external-address request alone returns the gateway's external IPv4 address and the time since its mapping table was last reset. If the device is configured so that its external (WAN) interface is treated as the internal interface, i.e. the interface that clients use as their gateway, a remote attacker can request mappings that redirect TCP or UDP traffic destined for the internal interface of the NAT-PMP device. Because the attacker then controls where traffic to the internal interface is delivered, further attacks such as DNS manipulation, interception of HTTP traffic and scanning of internal services become possible. In summary, a remote, unauthenticated attacker may be able to gather information about the NAT device, manipulate its port mappings, intercept its private and public traffic, access private client services and block the device's own services.

Vulnerability Assessment:

To verify whether the service is exposed, execute the command below from a host on the external network (outside the LAN):

Command:

  • "netcat -u [IP] 5351" and then enter the control character ^@ [CTRL-@], i.e. a NUL byte, twice

The two NUL bytes form a NAT-PMP "external address" request (version 0, opcode 0). If the device answers, netcat prints the binary 12-byte reply, which appears as indecipherable text; any such reply means the device is answering NAT-PMP requests received on its external interface, which RFC 6886 forbids. No reply suggests that the port is closed or filtered, or that the implementation correctly ignores requests on that interface.
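The same probe, decoded instead of printed raw, as an added example (this is editor-written code, not part of the advisory and not miniupnpd code). It sends the two-byte request the netcat command sends and parses the reply fields defined in RFC 6886: version, response opcode (request opcode + 128), result code, seconds since start of epoch and the external IPv4 address. The SAMPLE_REPLY bytes are constructed for illustration, not captured from a real device.

```python
"""Probe and decode NAT-PMP (RFC 6886) "external address" replies.

Added example, not code from the advisory or from miniupnpd. Sends the same
two-byte request the advisory's netcat command sends (version 0, opcode 0)
and decodes the 12-byte reply instead of printing raw bytes.
"""
import socket
import struct
from typing import Optional

NATPMP_PORT = 5351

# Result codes from RFC 6886 section 3.5.
RESULT_CODES = {
    0: "Success",
    1: "Unsupported Version",
    2: "Not Authorized/Refused",
    3: "Network Failure",
    4: "Out of resources",
    5: "Unsupported opcode",
}


def build_external_address_request() -> bytes:
    # Version 0, opcode 0: "what is your external IPv4 address?"
    # Identical to the two ^@ (NUL) characters typed into netcat.
    return b"\x00\x00"


def parse_external_address_response(data: bytes) -> dict:
    """Decode a reply: version (1), opcode (1), result code (2),
    seconds since start of epoch (4), external IPv4 address (4)."""
    if len(data) < 12:
        raise ValueError(f"reply too short for NAT-PMP: {len(data)} bytes")
    version, opcode, result, sssoe = struct.unpack("!BBHI", data[:8])
    if version != 0:
        raise ValueError(f"unexpected NAT-PMP version {version}")
    if opcode != 128:  # response opcode = request opcode (0) + 128
        raise ValueError(f"unexpected opcode {opcode}")
    return {
        "result": result,
        "result_text": RESULT_CODES.get(result, "Unknown"),
        "seconds_since_epoch": sssoe,
        "external_ip": socket.inet_ntoa(data[8:12]),
    }


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send the request from outside the LAN. Any decoded reply means the
    gateway answers NAT-PMP on the interface that received the packet, which
    RFC 6886 says it MUST NOT do on its external interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_external_address_request(), (host, NATPMP_PORT))
        try:
            data, _ = s.recvfrom(64)
        except socket.timeout:
            return None
    return parse_external_address_response(data)


# Constructed sample reply (not captured from a real device): version 0,
# opcode 128, result 0, 3600 s since epoch, external address 203.0.113.7.
SAMPLE_REPLY = bytes([0, 128, 0, 0]) + struct.pack("!I", 3600) + bytes([203, 0, 113, 7])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))        # e.g. python natpmp_probe.py 203.0.113.7
    else:
        print(parse_external_address_response(SAMPLE_REPLY))
```

Run it with the public address of the device under test as the only argument; a dictionary containing an external_ip means the service is exposed, None means no reply within the timeout. A non-zero result code (for example 2, Not Authorized/Refused) is still a reply and still confirms that the device processes NAT-PMP on its external interface.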

Countermeasures and Best practices for prevention:

  • Configure NAT-PMP securely: administrators deploying NAT-PMP should ensure that devices are configured securely, specifically that:
    • The LAN and WAN interfaces are correctly assigned,
    • NAT-PMP requests are only accepted on internal interfaces
    • Port mappings are only opened for the requesting internal IP address.
  • Restrict Access: Deploy firewall rules to block untrusted hosts from being able to access port 5351/udp.
  • Disable NAT-PMP: Consider disabling NAT-PMP on the device if it is not absolutely necessary.
  • Update miniupnpd: Although these NAT-PMP weaknesses are not due to flaws in miniupnpd's code, a miniupnpd update has been released that enforces RFC 6886 more strictly, and its default configuration file, miniupnpd.conf, contains additional comments to encourage more secure configurations.
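A small audit of a miniupnpd.conf against the three configuration checks in the list above, as an added example (editor-written, not part of the advisory and not a miniupnpd tool). The option names ext_ifname, listening_ip, enable_natpmp, enable_upnp, secure_mode and the allow/deny rule lines are the ones used by miniupnpd.conf; secure_mode is miniupnpd's option that restricts UPnP clients to mappings for their own address. The lint rules themselves are the editor's interpretation of the advisory's checks, and the WEAK_CONF and SAFE_CONF samples are constructed, not taken from any device.

```python
"""Lint a miniupnpd.conf against the advisory's three configuration checks:
WAN/LAN interfaces correctly assigned, requests accepted only on internal
interfaces, mappings only for the requesting host.

Added example, not part of the advisory or of miniupnpd. Option names follow
miniupnpd.conf; the rules and the sample configurations are constructed.
"""
from typing import Dict, List, Tuple


def parse_conf(text: str) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Split a miniupnpd.conf into key=value settings, the (repeatable)
    listening_ip values, and the allow/deny rule lines. Comments start with #."""
    settings: Dict[str, str] = {}
    listening: List[str] = []
    rules: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("allow ", "deny ")):
            rules.append(line)
        elif "=" in line:
            key, value = line.split("=", 1)
            key, value = key.strip(), value.strip()
            if key == "listening_ip":  # may appear more than once
                listening.append(value)
            else:
                settings[key] = value
    return settings, listening, rules


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means all checks passed.
    Interface comparison is by name, so listening_ip given as an address
    range (e.g. 192.168.1.1/24) is not compared against ext_ifname."""
    settings, listening, rules = parse_conf(text)
    findings: List[str] = []
    ext = settings.get("ext_ifname")
    if not ext:
        findings.append("ext_ifname is not set: WAN interface unknown")
    if not listening:
        findings.append("no listening_ip: daemon may answer on every interface, including WAN")
    if ext and ext in listening:
        findings.append(f"listening_ip includes the WAN interface {ext}: NAT-PMP reachable from the Internet")
    if settings.get("secure_mode", "no").lower() != "yes":
        findings.append("secure_mode is not 'yes': UPnP clients may request mappings for other hosts")
    if not any(r.startswith("deny ") for r in rules):
        findings.append("no deny rule: add a final 'deny 0-65535 0.0.0.0/0 0-65535'")
    return findings


# Constructed weak configuration: the WAN interface is also the listening
# interface, no secure_mode, no deny rule.
WEAK_CONF = """
ext_ifname=eth0
listening_ip=eth0
enable_natpmp=yes
enable_upnp=yes
"""

# Constructed corrected configuration: NAT-PMP only on the LAN interface,
# mappings restricted to the requester, default deny for everything else.
SAFE_CONF = """
ext_ifname=eth0          # WAN
listening_ip=eth1        # LAN only
enable_natpmp=yes
enable_upnp=yes
secure_mode=yes
allow 1024-65535 192.168.1.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("safe", SAFE_CONF)):
        print(name, audit(conf) or "OK")
```

Even with a correct configuration, the firewall rule from the list above (blocking 5351/udp from untrusted hosts) should stay in place as a second layer, since the configuration check covers only what the daemon is told, not what the kernel will deliver to it.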

Solution:

Apply the best security practices available at:

References: