Vulnerability Note VU#184540
Incorrect implementation of NAT-PMP in multiple devices
Many NAT-PMP devices are incorrectly configured, allowing them to field requests received on external network interfaces or map forwarding routes to addresses other than that of the requesting host, making them potentially vulnerable to information disclosure and malicious port mapping requests.
CWE-200: Information Exposure
NAT-PMP is a port-mapping protocol in which a network address translation (NAT) device, typically a router, is petitioned by a trusted local network host to forward traffic between the external network and the petitioning host. As specified in RFC 6886, "The NAT gateway MUST NOT accept mapping requests destined to the NAT gateway's external IP address or received on its external network interface." Additionally, mapping requests "must" be mapped to the source address of the internal requesting host. When a NAT-PMP device fails to enforce these restrictions and is unsafely configured, it may accept malicious port mapping requests or disclose information about itself. Rapid7's report describes the scope of the problem and the vulnerabilities that may emerge from incorrect configurations and implementations of NAT-PMP:
Rapid7 also indicates that incorrect configurations of miniupnpd are the likely culprit for most vulnerable instances. Miniupnpd is a light-weight UPnP daemon that also supports NAT-PMP and is widely available on all major platforms. It is possible for the internal and external network interfaces in miniupnpd to be interchangeably configured by implementers, which may explain how some devices are vulnerable.
Additional details may be found in the advisory from Rapid7.
A remote, unauthenticated attacker may be able to gather information about a NAT device, manipulate its port mapping, intercept its private and public traffic, access its private client services, and block its host services.
Configure NAT-PMP Securely
Although the NAT-PMP vulnerabilities are not due to flaws in miniupnpd's code, an update has been released that more strictly enforces RFC 6886. As of version 1.8.20141022, miniupnpd discards NAT-PMP packets received on the WAN interface. The default configuration file, miniupnpd.conf, now contains additional comments to encourage more secure configurations.
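The RFC 6886 restrictions quoted above, and the WAN-side discard that miniupnpd now enforces, can be expressed as a gateway-side check on each incoming datagram. The following is an added example, not miniupnpd's code or anything from the original note; the `Gateway` class, the `evaluate` function, the interface names and the addresses are assumptions made for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Gateway:                      # hypothetical gateway description
    lan_if: str                     # interface facing trusted hosts
    lan_net: ipaddress.IPv4Network  # addresses of those hosts
    wan_ip: ipaddress.IPv4Address   # gateway's external address

def evaluate(gw, data, src_ip, dst_ip, ingress_if):
    """Return (verdict, mapping) for one NAT-PMP datagram (UDP port 5351)."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    # RFC 6886: never accept requests that arrive on the external interface
    # or that are addressed to the external IP. Drop them without replying.
    if ingress_if != gw.lan_if:
        return "drop-external-interface", None
    if dst == gw.wan_ip:
        return "drop-external-address", None
    if src not in gw.lan_net:       # extra hardening, not quoted on the page
        return "drop-foreign-source", None
    if len(data) < 2:
        return "drop-malformed", None
    if data[0] != 0:                # NAT-PMP is protocol version 0
        return "reject-version", None
    opcode = data[1]
    if opcode == 0 and len(data) == 2:
        return "answer-external-address", None
    if opcode in (1, 2) and len(data) == 12:
        _reserved, int_port, ext_port, lifetime = struct.unpack("!HHHI", data[2:])
        # The mapping target is always the packet's source address; the
        # request carries no internal-address field.
        return "map", {"proto": "udp" if opcode == 1 else "tcp",
                       "internal": (str(src), int_port),
                       "external_port": ext_port, "lifetime": lifetime}
    return "reject-unsupported", None

# Constructed sample data (documentation address ranges, made-up names).
GW = Gateway("lan0", ipaddress.IPv4Network("192.168.1.0/24"),
             ipaddress.IPv4Address("203.0.113.10"))
MAP_TCP = struct.pack("!BBHHHI", 0, 2, 0, 22, 2222, 3600)  # map TCP 2222 -> 22

if __name__ == "__main__":
    cases = [("192.168.1.50", "192.168.1.1", "lan0"),    # legitimate LAN host
             ("198.51.100.7", "203.0.113.10", "wan0"),   # arrived on WAN
             ("192.168.1.50", "203.0.113.10", "lan0")]   # sent to external IP
    for src, dst, iface in cases:
        print(src, dst, iface, evaluate(GW, MAP_TCP, src, dst, iface))
```

If the internal and external interface names are swapped in the gateway's configuration, the first check passes for WAN traffic, which is the misconfiguration the note attributes to most vulnerable devices.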
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Belkin, Inc. | Affected | 10 Apr 2015 | 29 Jun 2015 |
| Grandstream | Affected | 23 Sep 2014 | 28 Oct 2014 |
| Netgear, Inc. | Affected | 08 Oct 2014 | 28 Oct 2014 |
| Radinet | Affected | 23 Sep 2014 | 28 Oct 2014 |
| Speedifi | Affected | 23 Sep 2014 | 28 Oct 2014 |
| Technicolor | Affected | 16 Oct 2014 | 28 Oct 2014 |
| Tenda | Affected | 23 Sep 2014 | 28 Oct 2014 |
| Ubiquiti Networks | Affected | 08 Oct 2014 | 28 Oct 2014 |
| ZTE Corporation | Affected | 23 Oct 2014 | 28 Oct 2014 |
| ZyXEL | Affected | 08 Oct 2014 | 28 Oct 2014 |
| Apple Inc. | Not Affected | 10 Oct 2014 | 21 Oct 2014 |
| MikroTik | Not Affected | 23 Sep 2014 | 27 Oct 2014 |
Thanks to Tod Beardsley and Jon Hart of Rapid7, Inc, for reporting this vulnerability. Thanks to Thomas Bernard of the MiniUPnP project for his assistance in the coordination and remediation effort.
This document was written by Joel Land.
- CVE IDs: Unknown
- Date Public: 21 Oct 2014
- Date First Published: 23 Oct 2014
- Date Last Updated: 29 Jun 2015
- Document Revision: 38