Threatpost, Lindsey O'Donnell
Nov 18, 2020 - 5:37 p.m.

Google Chrome 87 Closes High-Severity 'NAT Slipstreaming' Hole


Google has released patches for several high-severity vulnerabilities in its Chrome browser with the rollout of Chrome 87 for Windows, Mac and Linux users.

Overall, Google fixed 33 vulnerabilities in its latest version, Chrome 87.0.4280.66, which is being rolled out over the coming days. This includes one high-severity CVE (CVE-2020-16022) that could allow a remote attacker to bypass security restrictions and access any Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port on a victim's computer. This issue was disclosed on Oct. 31 by Samy Kamkar, security researcher and co-founder of Openpath, who called the attack "NAT slipstreaming."

"Slipstreaming is easy to exploit as it's essentially entirely automated and works cross-browser and cross-platform, and doesn't require any user interaction other than visiting the victim site," Kamkar told Threatpost.

At a high level, an attacker could remotely exploit the flaw by persuading a victim to visit a specially crafted website (via social engineering and other tactics). The attacker would then be able to bypass security restrictions.

"NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website," Kamkar said in his analysis of the issue.

The attack specifically centers on Network Address Translation (NAT), which translates the IP addresses of computers in a local network to a single IP address. NAT allows a single device (like a router) to act as an agent between the Internet and a local network – meaning that a single unique IP address is required to represent an entire group of computers to anything outside their network.

In order to launch an attack, the victim's device must also have the Application Level Gateway (ALG) connection tracking mechanism that's built into NATs. NAT Slipstreaming exploits the user's browser in conjunction with ALG.

"This attack takes advantage of arbitrary control of the data portion of some TCP and UDP packets without including HTTP or other headers; the attack performs this new packet injection technique across all major modern (and older) browsers, and is a modernized version to my original NAT Pinning technique from 2010 (presented at DEFCON 18 + Black Hat 2010)," said Kamkar.
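The defensive checks a browser vendor or an egress proxy can apply follow directly from the mechanism described above: the NAT's ALG only parses traffic on a handful of well-known ports, and it only acts when an application-protocol message such as a SIP request line appears in the data portion of a packet. The script below, an added example that is not from the article or from Kamkar's write-up, shows both checks run over two constructed HTTP requests: a browser-side restricted-port policy (refusing to connect to ALG-sensitive ports at all, which is the shape of the browser mitigation, though the port list here is the example's own) and a proxy-side inspection that flags an HTTP body carrying a SIP request line. The `HttpRequest` class, the port table and the sample traffic are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Destination ports whose payloads a consumer NAT's Application Level
# Gateway (ALG) commonly parses and rewrites. Constructed for this example;
# a real deployment would take it from the router's ALG configuration.
ALG_SENSITIVE_PORTS = {
    21: "FTP",
    1720: "H.323",
    5060: "SIP",
    5061: "SIP over TLS",
}

# A SIP request line at the start of any line in the body: the shape an ALG
# would act on if that line ever landed at the start of a TCP segment.
SIP_REQUEST_LINE = re.compile(rb"^(REGISTER|INVITE|OPTIONS) sip:\S+ SIP/2\.0", re.M)


@dataclass
class HttpRequest:
    """One request as a forward proxy or egress IDS would see it (constructed)."""
    method: str
    host: str
    dst_port: int
    body: bytes = b""


def browser_restricted_port(port: int) -> bool:
    """Browser-side mitigation: refuse to open connections to ALG-sensitive
    ports at all, so no crafted page can steer traffic through the ALG.
    The port list is this example's own, not any browser's actual list."""
    return port in ALG_SENSITIVE_PORTS


def assess(req: HttpRequest) -> list[str]:
    """Return human-readable findings for one request; an empty list means clean."""
    findings = []
    if browser_restricted_port(req.dst_port):
        findings.append(
            f"{req.method} to {req.host}:{req.dst_port} targets an ALG-sensitive "
            f"port ({ALG_SENSITIVE_PORTS[req.dst_port]})"
        )
    match = SIP_REQUEST_LINE.search(req.body)
    if match:
        findings.append(
            f"HTTP body contains a SIP request line: {match.group(0).decode()!r}"
        )
    return findings


# Constructed sample traffic: an ordinary API call and a request whose
# destination port and body both match what an ALG would react to.
NORMAL = HttpRequest("POST", "api.example.test", 443, b'{"user":"alice"}')
SUSPECT = HttpRequest(
    "POST",
    "evil.example.test",
    5060,
    b"name=bob\r\nREGISTER sip:evil.example.test SIP/2.0\r\n",
)

if __name__ == "__main__":
    for req in (NORMAL, SUSPECT):
        print(f"{req.host}:{req.dst_port} ->", assess(req) or ["clean"])
```

Run stand-alone, the script reports the first request as clean and two findings for the second. The two checks are deliberately independent: the port check is what a browser can enforce before any bytes leave the machine, while the body check is what a proxy or IDS can apply to traffic the browser did allow, so either layer catches the case on its own.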

Google said the issue here is caused by an insufficient policy enforcement in networking. However, Kamkar said he doesn't consider NAT Slipstreaming to be technically a flaw as there's no actual "bug" in browsers or routers and both are doing exactly as they're supposed to. "Rather it's an unexpected side-effect of a complex interaction between the two systems that's being exploited," he told Threatpost.

Other browsers – including Mozilla Firefox and Chromium rendering engine Blink – have plans in the works to release their own updates addressing this problem.

Other High-Severity Flaws

Google released patches for several other high-severity vulnerabilities – however, as is typical for the browser, it stayed mum on the details of the bugs "until the majority of users are updated with a fix."

Other flaws include a use-after-free glitch (CVE-2020-16018) in the payments component of Chrome, reported by Man Yue Mo of GitHub Security Lab; as well as a use-after-free error in Google's PPAPI browser plug-in interface (CVE-2020-16014) reported by Rong Jian and Leecraso of 360 Alpha Lab.

Two high-severity "inappropriate implementations" were also discovered – one in the filesystem component (CVE-2020-16019) and one in the cryptohome component (CVE-2020-16020). Both were discovered by Rory McNamara.

Heap buffer overflow bugs were also discovered in the UI (CVE-2020-16024) and clipboard (CVE-2020-16025) components. Both were reported by Sergei Glazunov of Google Project Zero.

This most recent Chrome update comes a week after two high-severity zero-day vulnerabilities were disclosed in the Chrome desktop browser. The two flaws (CVE-2020-16013 and CVE-2020-16017) have been actively exploited in the wild, and allow an unauthenticated, remote attacker to compromise an affected system via the web. A stable channel update, 86.0.4240.198 for Windows, Mac and Linux, was released last week that addressed the flaws.
