Check Point Security Alerts: CPS:SK170422
History: Nov 10, 2020 - 6:06 a.m.

Check Point Response to NAT Slipstreaming (CVE-2020-28041)

2020-11-10 06:06:07
Check Point Security Alerts
supportcenter.checkpoint.com

EPSS: 0.096 (percentile: 94.8%)

Symptoms

  • On October 31, 2020, a new RCE vulnerability named NAT Slipstreaming was published by Samy Kamkar at <https://samy.pl/slipstream/>.
  • The vulnerability, later assigned the ID CVE-2020-28041, was reported against the Netgear Nighthawk R7000. Check Point nevertheless started looking into it to make sure that we are not affected as well.

Cause

The attack involves several vectors: local IP disclosure, maximum MTU (UDP and TCP) calculation, and leveraging a SIP parser weakness in fragmented HTTP packets, which makes it possible to "slipstream" a legitimate SIP connection in an HTTP POST request generated by the victim's browser.

The full description of the attack can be read at: <https://samy.pl/slipstream/>

Solution

Check Point Security Gateways (as well as the rest of Check Point products) are not vulnerable to the NAT Slipstreaming attack.

Check Point gateways handle the traffic as a whole, so the injected data would result in an invalid SIP packet. We block such a packet because we expect a specific format, which this injection technique does not satisfy.
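The difference between per-segment and whole-stream SIP inspection can be shown with a small model. This is an added example, not Check Point code: the function names, the classification labels and the sample traffic are constructed for illustration.

```python
import re

# A SIP request line such as "REGISTER sip:host SIP/2.0".
SIP_LINE = re.compile(rb"^[A-Z]+ sip:\S+ SIP/2\.0\r\n")
SIP_LINE_ANYWHERE = re.compile(rb"^[A-Z]+ sip:\S+ SIP/2\.0\r\n", re.MULTILINE)


def segment_view(segments):
    """Weak model: parse each TCP segment on its own.

    Returns the indexes of segments that would be accepted as SIP.
    """
    return [i for i, seg in enumerate(segments) if SIP_LINE.match(seg)]


def stream_view(segments):
    """Whole-stream model: reassemble first, then classify the stream."""
    stream = b"".join(segments)
    if SIP_LINE.match(stream):
        return "sip"
    if SIP_LINE_ANYWHERE.search(stream):
        return "invalid-sip"  # SIP-looking text inside another protocol
    return "not-sip"


# Constructed sample data (documentation names and addresses only).
SIP_MSG = (b"REGISTER sip:example.test SIP/2.0\r\n"
           b"Contact: <sip:user@192.0.2.10:5060>\r\n\r\n")
BODY = b"x" * 32 + b"\r\n" + SIP_MSG
HTTP_POST = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY

# The POST split so that one segment begins exactly at the SIP-looking line.
CUT = HTTP_POST.index(SIP_MSG)
HTTP_SEGMENTS = [HTTP_POST[:CUT], HTTP_POST[CUT:]]
# A genuine SIP message that happens to be split mid-line.
SIP_SEGMENTS = [SIP_MSG[:20], SIP_MSG[20:]]

if __name__ == "__main__":
    for name, segs in (("http", HTTP_SEGMENTS), ("sip", SIP_SEGMENTS)):
        print(name, segment_view(segs), stream_view(segs))
```

The per-segment model accepts the second segment of the HTTP POST as SIP and misses the genuine SIP message that was split mid-line. The whole-stream model classifies the first as invalid SIP and the second as SIP.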

You can use Check Point IPS protection to protect vulnerable NAT devices behind Check Point Security Gateway.
