Many NAT-PMP devices are incorrectly configured or implemented: they answer requests received on the external network interface, or create port mappings to addresses other than that of the requesting host. Such devices are exposed to information disclosure and to malicious port mapping requests from the Internet.
Description
CWE-200: Information Exposure

NAT-PMP is a port-mapping protocol in which a network address translation (NAT) device, typically a home or small-office router, is asked by a host on the trusted internal network to forward traffic between the external network and that host. RFC 6886 states: "The NAT gateway MUST NOT accept mapping requests destined to the NAT gateway's external IP address or received on its external network interface." The RFC also requires that a mapping be created for the source address of the request, i.e. the internal host that sent it; the request format carries no address field through which a client could name another host. A NAT-PMP device that fails to enforce these restrictions, or that is configured to listen on its external interface, may accept malicious port mapping requests from the Internet or disclose information about itself (for example its external address) to anyone who can reach it. Rapid7's report describes the scope of the problem and the vulnerabilities that arise from incorrect configurations and implementations of NAT-PMP:
"During our research, we identified approximately 1.2 million devices on the public Internet that responded to our external NAT-PMP probes. Their responses represent two types of vulnerabilities; malicious port mapping manipulation and information disclosure about the NAT-PMP device. These can be broken down into 5 specific issues, outlined below:"

Additional details may be found in the advisory from Rapid7.
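To make the two RFC 6886 rules concrete, here is an added example of a minimal NAT-PMP responder that enforces them. This is illustrative code written for this note; it is not code from CERT/CC, Rapid7, miniupnp or any listed vendor. The packet layouts follow RFC 6886; the `NatPmpGateway` class, the interface names, the addresses and the sample packets are constructed. Setting `enforce_rfc=False` reproduces the misconfiguration class the note describes: a gateway that answers probes arriving on its external interface and thereby discloses its external address and the "seconds since start of epoch" counter.

```python
"""NAT-PMP (RFC 6886) request handling with the two checks the note cites.

Added example; not code from CERT/CC, Rapid7 or any listed vendor. Packet
layouts follow RFC 6886. The gateway class, interface names, addresses and
sample packets are constructed for illustration.
"""
import struct
import time
from ipaddress import IPv4Address

NATPMP_VERSION = 0
OP_EXTERNAL_ADDR, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT_SUCCESS, RESULT_BAD_VERSION, RESULT_BAD_OPCODE = 0, 1, 5


class NatPmpGateway:
    """Minimal NAT-PMP responder. enforce_rfc=False models the flawed
    deployments that answer requests on the external interface."""

    def __init__(self, external_iface, external_ip, enforce_rfc=True):
        self.external_iface = external_iface
        self.external_ip = external_ip
        self.enforce_rfc = enforce_rfc
        self.start_time = time.time()
        self.mappings = {}  # (proto, external_port) -> (internal_ip, internal_port)

    def _epoch(self):
        # "Seconds Since Start of Epoch" (RFC 6886 s3.6): effectively the
        # gateway's uptime, sent in every response.
        return int(time.time() - self.start_time) & 0xFFFFFFFF

    def _error(self, opcode, code):
        return struct.pack("!BBHI", NATPMP_VERSION, 0x80 | opcode, code, self._epoch())

    def _free_port(self, proto):
        port = 1024
        while (proto, port) in self.mappings:
            port += 1
        return port

    def handle(self, payload, src_ip, dst_ip, recv_iface):
        """Return response bytes, or None when the request must be ignored."""
        # RFC 6886 s3.2: MUST NOT accept requests destined to the external IP
        # or received on the external interface. Drop silently: even an error
        # reply would confirm a NAT-PMP listener to an Internet scanner.
        if self.enforce_rfc and (recv_iface == self.external_iface
                                 or dst_ip == self.external_ip):
            return None
        if len(payload) < 2:
            return None
        version, opcode = payload[0], payload[1]
        if version != NATPMP_VERSION:
            return self._error(opcode, RESULT_BAD_VERSION)
        if opcode == OP_EXTERNAL_ADDR:
            return struct.pack("!BBHI4s", NATPMP_VERSION, 0x80, RESULT_SUCCESS,
                               self._epoch(), IPv4Address(self.external_ip).packed)
        if opcode not in (OP_MAP_UDP, OP_MAP_TCP) or len(payload) < 12:
            return self._error(opcode, RESULT_BAD_OPCODE)
        _reserved, internal_port, ext_port, lifetime = struct.unpack("!HHHI", payload[2:12])
        proto = "udp" if opcode == OP_MAP_UDP else "tcp"
        # The internal address of the mapping is the packet's source address
        # (RFC 6886 s3.3). The request has no address field, so a compliant
        # gateway can never be made to forward traffic to a third host.
        if lifetime == 0:  # explicit deletion (s3.4)
            for key in [k for k, v in self.mappings.items()
                        if k[0] == proto and v == (src_ip, internal_port)]:
                del self.mappings[key]
            return struct.pack("!BBHIHHI", NATPMP_VERSION, 0x80 | opcode, RESULT_SUCCESS,
                               self._epoch(), internal_port, 0, 0)
        taken = self.mappings.get((proto, ext_port))
        if ext_port == 0 or (taken is not None and taken != (src_ip, internal_port)):
            ext_port = self._free_port(proto)
        self.mappings[(proto, ext_port)] = (src_ip, internal_port)
        return struct.pack("!BBHIHHI", NATPMP_VERSION, 0x80 | opcode, RESULT_SUCCESS,
                           self._epoch(), internal_port, ext_port, lifetime)


def external_address_request():
    """Opcode 0 probe: the two-byte packet Internet-wide scans send."""
    return bytes([NATPMP_VERSION, OP_EXTERNAL_ADDR])


def map_request(opcode, internal_port, suggested_external_port, lifetime):
    return struct.pack("!BBHHHI", NATPMP_VERSION, opcode, 0,
                       internal_port, suggested_external_port, lifetime)


def demo():
    """Constructed scenario: one WAN probe against a compliant and a weak
    gateway, then a legitimate LAN mapping request to the compliant one."""
    probe = external_address_request()
    good = NatPmpGateway("eth0", "203.0.113.7")
    weak = NatPmpGateway("eth0", "203.0.113.7", enforce_rfc=False)
    wan = dict(src_ip="198.51.100.9", dst_ip="203.0.113.7", recv_iface="eth0")
    lan = dict(src_ip="192.168.1.20", dst_ip="192.168.1.1", recv_iface="br-lan")
    return {
        "good_wan": good.handle(probe, **wan),          # None: dropped
        "weak_wan": weak.handle(probe, **wan),          # leaks external IP + uptime
        "good_lan_map": good.handle(map_request(OP_MAP_TCP, 22, 2222, 3600), **lan),
        "good_mappings": dict(good.mappings),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The compliant gateway returns nothing to the WAN probe, while the weak one answers with its external address and uptime counter, which is exactly the signal Rapid7's scan counted. The mapping created on the LAN side is keyed to the packet's source address, never to a value the client supplied.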
Impact
A remote, unauthenticated attacker may be able to gather information about a NAT device, manipulate its port mappings, intercept its private and public traffic, access its private client services, and block its host services.
Solution
Developers implementing NAT-PMP should enforce the RFC 6886 restrictions quoted above: ignore requests received on the external interface or addressed to the external IP, and create mappings only for the source address of the request. Administrators should verify that devices are configured accordingly.
Restrict Access
Ensure the NAT-PMP service (UDP port 5351) listens only on internal interfaces and is filtered at the external interface, so that requests from the Internet never reach it.
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Grandstream | Affected | 23 Sep 2014 | 23 Oct 2014 |
MikroTik | Affected | 23 Sep 2014 | 23 Oct 2014 |
Netgear, Inc. | Affected | 08 Oct 2014 | 23 Oct 2014 |
Radinet | Affected | 23 Sep 2014 | 23 Oct 2014 |
Speedifi | Affected | 23 Sep 2014 | 23 Oct 2014 |
Technicolor | Affected | 16 Oct 2014 | 23 Oct 2014 |
Tenda | Affected | 23 Sep 2014 | 23 Oct 2014 |
Ubiquiti Networks | Affected | 08 Oct 2014 | 23 Oct 2014 |
ZTE Corporation | Affected | 23 Oct 2014 | 23 Oct 2014 |
ZyXEL | Affected | 08 Oct 2014 | 23 Oct 2014 |
Apple Inc. | Not Affected | 10 Oct 2014 | 21 Oct 2014 |
If you are a vendor and your product is affected, let us know.
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 7.1 | E:F/RL:U/RC:C |
Environmental | 5.3 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities
- https://tools.ietf.org/html/rfc6886
- http://miniupnp.free.fr/
- https://github.com/miniupnp/miniupnp/commit/16389fda3c5313bffc83fb6594f5bb5872e37e5e
- https://github.com/miniupnp/miniupnp/commit/82604ec5d0a12e87cb5326ac2a34acda9f83e837
Credit
Thanks to Tod Beardsley and Jon Hart of Rapid7, Inc, for reporting this vulnerability.
This document was written by Joel Land.
Other Information
- CVE IDs: Unknown
- Date Public: 21 Oct 2014
- Date First Published: 23 Oct 2014
- Date Last Updated: 23 Oct 2014
- Document Revision: 31