Vulnerability Note VU#184540
Incorrect implementation of NAT-PMP in multiple devices
Many NAT-PMP devices are incorrectly configured, allowing them to field requests received on external network interfaces or map forwarding routes to addresses other than that of the requesting host, making them potentially vulnerable to information disclosure and malicious port mapping requests.
CWE-200: Information Exposure
NAT-PMP is a port-mapping protocol in which a network address translation (NAT) device, typically a router, is petitioned by a trusted local network host to forward traffic between the external network and the petitioning host. As specified in RFC 6886, "The NAT gateway MUST NOT accept mapping requests destined to the NAT gateway's external IP address or received on its external network interface." Additionally, mapping requests "must" be mapped to the source address of the internal requesting host. When a NAT-PMP device fails to enforce these restrictions and is unsafely configured, it may accept malicious port mapping requests or disclose information about itself. Rapid7's report describes the scope of the problem and the vulnerabilities that may emerge from incorrect configurations and implementations NAT-PMP:
During our research, we identified approximately 1.2 million devices on the public Internet that responded to our external NAT-PMP probes. Their responses represent two types of vulnerabilities; malicious port mapping manipulation and information disclosure about the NAT-PMP device. These can be broken down into 5 specific issues, outlined below:
Additional details may be found in the advisory from Rapid7.
A remote, unauthenticated attacker may be able to gather information about a NAT device, manipulate its port mapping, intercept its private and public traffic, access its private client services, and block its host services.
Configure NAT-PMP Securely
Although the NAT-PMP vulnerabilities are not due to flaws in miniupnpd's code, an update has been released that more strictly enforces RFC 6886. As of version 1.8.20141022, miniupnpd discards NAT-PMP packets received on the WAN interface. The default configuration file, miniupnpd.conf, now contains additional comments to encourage more secure configurations.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Belkin, Inc.||Affected||10 Apr 2015||29 Jun 2015|
|Grandstream||Affected||23 Sep 2014||28 Oct 2014|
|Netgear, Inc.||Affected||08 Oct 2014||28 Oct 2014|
|Radinet||Affected||23 Sep 2014||28 Oct 2014|
|Speedifi||Affected||23 Sep 2014||28 Oct 2014|
|Technicolor||Affected||16 Oct 2014||28 Oct 2014|
|Tenda||Affected||23 Sep 2014||28 Oct 2014|
|Ubiquiti Networks||Affected||08 Oct 2014||28 Oct 2014|
|ZTE Corporation||Affected||23 Oct 2014||28 Oct 2014|
|ZyXEL||Affected||08 Oct 2014||28 Oct 2014|
|Apple Inc.||Not Affected||10 Oct 2014||21 Oct 2014|
|MikroTik||Not Affected||23 Sep 2014||27 Oct 2014|
CVSS Metrics (Learn More)
Thanks to Tod Beardsley and Jon Hart of Rapid7, Inc, for reporting this vulnerability. Thanks to Thomas Bernard of the MiniUPnP project for his assistance in the coordination and remediation effort.
This document was written by Joel Land.
- CVE IDs: Unknown
- Date Public: 21 Oct 2014
- Date First Published: 23 Oct 2014
- Date Last Updated: 29 Jun 2015
- Document Revision: 38
If you have feedback, comments, or additional information about this vulnerability, please send us email.