Incorrect implementation of NAT-PMP in multiple devices

2014-10-23T00:00:00
ID VU:184540
Type cert
Reporter CERT
Modified 2015-06-29T18:58:00

Description

Overview

Many NAT-PMP devices are incorrectly configured, allowing them to field requests received on external network interfaces or map forwarding routes to addresses other than that of the requesting host, making them potentially vulnerable to information disclosure and malicious port mapping requests.

Description

CWE-200: Information Exposure

NAT-PMP is a port-mapping protocol in which a network address translation (NAT) device, typically a router, is petitioned by a trusted local network host to forward traffic between the external network and the petitioning host. As specified in RFC 6886, "The NAT gateway MUST NOT accept mapping requests destined to the NAT gateway's external IP address or received on its external network interface." Additionally, mapping requests "must" be mapped to the source address of the internal requesting host. When a NAT-PMP device fails to enforce these restrictions and is unsafely configured, it may accept malicious port mapping requests or disclose information about itself. Rapid7's report describes the scope of the problem and the vulnerabilities that may emerge from incorrect configurations and implementations of NAT-PMP:

Vulnerability Summary

During our research, we identified approximately 1.2 million devices on the public Internet that responded to our external NAT-PMP probes. Their responses represent two types of vulnerabilities: malicious port mapping manipulation and information disclosure about the NAT-PMP device. These can be broken down into 5 specific issues, outlined below:

  * Interception of Internal NAT Traffic: ~30,000 (2.5% of responding devices)
  * Interception of External Traffic: ~1.03m (86% of responding devices)
  * Access to Internal NAT Client Services: ~1.06m (88% of responding devices)
  * DoS Against Host Services: ~1.06m (88% of responding devices)
  * Information Disclosure about the NAT-PMP device: ~1.2m (100% of responding devices)

Rapid7 also indicates that incorrect configurations of miniupnpd are the likely culprit for most vulnerable instances. Miniupnpd is a lightweight UPnP daemon that also supports NAT-PMP and is widely available on all major platforms. Implementers can swap the internal and external network interfaces in miniupnpd's configuration, which may explain how some devices are vulnerable.

Additional details may be found in the advisory from Rapid7.

Impact

A remote, unauthenticated attacker may be able to gather information about a NAT device, manipulate its port mapping, intercept its private and public traffic, access its private client services, and block its host services.


Solution

Configure NAT-PMP Securely

Developers and administrators implementing NAT-PMP should exercise care to ensure that devices are configured securely, specifically that

  1. the LAN and WAN interfaces are correctly assigned,
  2. NAT-PMP requests are only accepted on internal interfaces, and
  3. port mappings are only opened for the requesting internal IP address.
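As an added illustration (not code from this vulnerability note, Rapid7 or miniupnpd), the following Python sketch shows how a NAT-PMP responder applies the three checks above together with the RFC 6886 rule quoted in the Description; the interface names, addresses and the sample request bytes are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

NATPMP_VERSION, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT_SUCCESS, RESULT_NOT_AUTHORIZED = 0, 2  # result codes, RFC 6886 section 3.5
# Constructed sample: version 0, opcode 2 (map TCP), internal 8080, external 8080, 3600 s
SAMPLE_REQUEST = bytes.fromhex("000200001f901f9000000e10")

@dataclass
class MappingRequest:
    protocol: int        # opcode: 1 = map UDP, 2 = map TCP
    internal_port: int
    external_port: int   # only a suggestion from the client (0 = gateway chooses)
    lifetime: int        # seconds

def parse_mapping_request(payload: bytes) -> MappingRequest:
    """Decode the 12-byte RFC 6886 mapping request: vers, op, reserved, ports, lifetime."""
    if len(payload) != 12:
        raise ValueError("mapping request must be exactly 12 bytes")
    version, opcode, _reserved, int_port, ext_port, lifetime = struct.unpack("!BBHHHI", payload)
    if version != NATPMP_VERSION or opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("not a NAT-PMP mapping request")
    return MappingRequest(opcode, int_port, ext_port, lifetime)

@dataclass
class Gateway:
    lan_ifaces: frozenset   # interface names facing the internal network (assumed names)
    lan_cidr: str           # internal network, e.g. "192.168.1.0/24"
    external_ip: str        # address on the WAN side
    mappings: dict = field(default_factory=dict)  # (proto, ext_port) -> (int_ip, int_port)

def handle_mapping(gw, iface, src_ip, dst_ip, payload):
    """Apply the advisory's three checks, then install the mapping.
    Returns (result_code, (external_port, internal_ip, internal_port) or None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    lan_net, ext_ip = ipaddress.ip_network(gw.lan_cidr), ipaddress.ip_address(gw.external_ip)
    # Checks 1 and 2: serve only requests arriving on a LAN interface from a LAN address,
    # and never one addressed to the external IP (RFC 6886: "MUST NOT accept").
    if iface not in gw.lan_ifaces or dst == ext_ip or src not in lan_net:
        return RESULT_NOT_AUTHORIZED, None
    req = parse_mapping_request(payload)
    # Check 3: the mapping target is the request's own source address; the packet has no
    # field naming another host, so a mapping for anyone else is never installed.
    target = (str(src), req.internal_port)
    ext_port = req.external_port or req.internal_port
    # A suggested external port already held by a different internal host is not overridden.
    while gw.mappings.get((req.protocol, ext_port), target) != target:
        ext_port = ext_port % 65535 + 1
    gw.mappings[(req.protocol, ext_port)] = target
    return RESULT_SUCCESS, (ext_port, *target)
```

Mapping deletion (lifetime 0) and the external-address query opcode are left out to keep the example focused on the three configuration checks.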

Update miniupnpd

Although the NAT-PMP vulnerabilities are not due to flaws in miniupnpd's code, an update has been released that more strictly enforces RFC 6886. As of version 1.8.20141022, miniupnpd discards NAT-PMP packets received on the WAN interface. The default configuration file, miniupnpd.conf, now contains additional comments to encourage more secure configurations.

Restrict Access

Deploy firewall rules to block untrusted hosts from being able to access port 5351/udp.

Disable NAT-PMP

Consider disabling NAT-PMP on the device if it is not absolutely necessary.


Vendor Information


Belkin, Inc. Affected

Notified: April 10, 2015 Updated: June 29, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://www.belkin.com/us/support-article?articleNum=157352>

Grandstream Affected

Notified: September 23, 2014 Updated: October 28, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netgear, Inc. Affected

Notified: October 08, 2014 Updated: October 28, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.


Radinet Affected

Notified: September 23, 2014 Updated: October 28, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.


Speedifi Affected

Notified: September 23, 2014 Updated: October 28, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.


Technicolor Affected

Notified: October 16, 2014 Updated: October 28, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.


Tenda Affected

Notified: September 23, 2014 Updated: October 28, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.


Ubiquiti Networks Affected

Notified: October 08, 2014 Updated: October 28, 2014

Statement Date: October 14, 2014

Status

Affected

Vendor Statement

We have analyzed and it appears our firmware is not affected since version v5.5.4.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.


ZTE Corporation Affected

Notified: October 23, 2014 Updated: October 28, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.


ZyXEL Affected

Notified: October 08, 2014 Updated: October 28, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.


Apple Inc. Not Affected

Notified: October 10, 2014 Updated: October 21, 2014

Statement Date: October 13, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MikroTik Not Affected

Notified: September 23, 2014 Updated: October 27, 2014

Statement Date: October 24, 2014

Status

Not Affected

Vendor Statement

Thank you very much for your concern about MikroTik products. Our RouterBOARDs are using MikroTik RouterOS and NAT-PMP is not implemented there. We are using UPnP for such functions (it is not enabled by default).

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group | Score | Vector
---|---|---
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal | 7.1 | E:F/RL:U/RC:C
Environmental | 5.3 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • <https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities>
  • <https://tools.ietf.org/html/rfc6886>
  • <http://miniupnp.free.fr/>
  • <https://github.com/miniupnp/miniupnp/commit/16389fda3c5313bffc83fb6594f5bb5872e37e5e>
  • <https://github.com/miniupnp/miniupnp/commit/82604ec5d0a12e87cb5326ac2a34acda9f83e837>

Acknowledgements

Thanks to Tod Beardsley and Jon Hart of Rapid7, Inc., for reporting this vulnerability. Thanks to Thomas Bernard of the MiniUPnP project for his assistance in the coordination and remediation effort.

This document was written by Joel Land.

Other Information

CVE IDs: | None
---|---
Date Public: | 2014-10-21
Date First Published: | 2014-10-23
Date Last Updated: | 2015-06-29 18:58 UTC
Document Revision: | 39