A large number of networking devices are vulnerable to attack because of poor implementations or configurations of the Network Address Translation Port Mapping Protocol (NAT-PMP), researchers said.
Around 1.2 million Internet-connected devices are affected by malicious port mapping manipulation and information disclosure vulnerabilities, said Jon Hart, a security researcher with Rapid7.
NAT-PMP is a UDP protocol implemented on NAT devices that allows hosts on a public network (i.e., the Internet) to access TCP or UDP services on a private network located behind the NAT device. NAT-PMP is found in small office/home office (SOHO) routers and other networking devices.
NAT-PMP is intended for networks where clients are trusted, so the protocol has no built-in security mechanisms. Some implementations, however, add restrictions to prevent abuse.
All of the 1.2 million devices identified during Rapid7's scans appear to disclose information about the NAT-PMP device, Hart said. About 88 percent of the devices allow denial-of-service (DoS) attacks against host services and access to internal NAT client services. Over 1 million of the devices allow interception of external traffic, while around 30,000 allow interception of internal traffic.
The information disclosure issue exposes external IP addresses and ports, but the researcher said it poses relatively little risk. The other issues described by the security firm can be exploited through malicious NAT-PMP port mapping manipulation.
For example, interception of internal traffic can be used to obtain information about sensitive internal services, such as DNS and HTTP/HTTPS administration interfaces. An attacker can also use port mapping to access services provided by clients behind the NAT device by spoofing NAT-PMP port mapping requests. A malicious actor can put the device into a DoS state by requesting an external port mapping for a UDP or TCP service that is already listening on that port.
By leveraging the information disclosure flaw, Rapid7 was able to identify the location of vulnerable devices. Experts found affected devices in Argentina (145,866), the Russian Federation (133,126), China (119,043), Brazil (110,007), India (99,168), Malaysia (89,934), the United States (64,182), Mexico (50,662), Singapore (49,713) and Portugal (18,863).
Researchers believe most of the devices they have identified are vulnerable due to incorrect configurations of MiniUPnP, a lightweight Universal Plug and Play (UPnP) library used in a large number of devices.
Rapid7 attempted to identify the companies whose products are vulnerable, but the task proved challenging. The security firm asked CERT/CC to handle the notification of potentially affected vendors and organizations. While no CVE identifiers were assigned to the security holes, CERT/CC has cataloged them as VU#184540.
“The vulnerabilities disclosed in this advisory are not theoretical; however, how many devices on the public Internet are actually vulnerable to the more severe traffic interception issues is unknown. Vendors producing products with NAT-PMP capabilities should take care to ensure that flaws like the ones disclosed in this document are not possible in normal and perhaps even abnormal configurations,” Hart said. “ISPs and entities that act like ISPs should take care to ensure that the access devices provided to customers are similarly free from these flaws. Lastly, for consumers with NAT-PMP capable devices on your network, you should ensure all NAT-PMP traffic is prohibited on un-trusted network interfaces.”
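To verify that last recommendation on your own router, this added example (not code from Rapid7 or the MiniUPnP project) encodes the NAT-PMP external-address request and decodes the reply in the wire format of RFC 6886; a device that answers such a request on its WAN address is exhibiting the information disclosure issue described above. The function names, constants and the sample reply are assumptions constructed for illustration.

```python
import socket
import struct

NAT_PMP_PORT = 5351
NAT_PMP_VERSION = 0
OP_EXTERNAL_ADDRESS = 0          # request opcode; the reply opcode is 0x80 | 0
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def build_external_address_request() -> bytes:
    """Two-byte NAT-PMP request: version 0, opcode 0 (external address)."""
    return struct.pack("!BB", NAT_PMP_VERSION, OP_EXTERNAL_ADDRESS)


def parse_external_address_response(data: bytes) -> dict:
    """Decode the 12-byte reply: version, opcode, 16-bit result code,
    32-bit seconds since the mapping table was initialized, external IPv4."""
    if len(data) < 12:
        raise ValueError("response too short: %d bytes" % len(data))
    version, opcode, result, epoch, ip = struct.unpack("!BBHI4s", data[:12])
    if version != NAT_PMP_VERSION or opcode != (0x80 | OP_EXTERNAL_ADDRESS):
        raise ValueError("not an external-address reply (ver=%d op=%d)" % (version, opcode))
    return {"result": result, "result_text": RESULT_CODES.get(result, "unknown"),
            "epoch": epoch, "external_ip": socket.inet_ntoa(ip)}


def check_wan_exposure(host: str, timeout: float = 2.0):
    """Send the request to HOST (your own router's WAN address, probed from
    outside the LAN). Returns the parsed reply if the device answers, or None
    if it stays silent, which is the state the advisory asks for."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_external_address_request(), (host, NAT_PMP_PORT))
        data, _ = sock.recvfrom(64)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_external_address_response(data)


# Constructed sample reply from a device that does answer: version 0,
# opcode 128, result 0, epoch 3600 s, external IP 203.0.113.7 (TEST-NET-3).
SAMPLE_REPLY = struct.pack("!BBHI4B", 0, 128, 0, 3600, 203, 0, 113, 7)
```

A reply on the WAN side means NAT-PMP is reachable from an untrusted interface and should be blocked there (UDP port 5351); a timeout is the expected result on a correctly configured device.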
After learning of the security issues uncovered by Rapid7, the MiniUPnP Project took some steps to protect users against the attacks described by researchers, Hart said.
Additional details on the NAT-PMP research are available on Rapid7’s blog.