Many NAT-PMP devices are incorrectly configured, allowing them to field requests received on external network interfaces or map forwarding routes to addresses other than that of the requesting host, making them potentially vulnerable to information disclosure and malicious port mapping requests.
CWE-200: Information Exposure
NAT-PMP is a port-mapping protocol in which a network address translation (NAT) device, typically a router, is petitioned by a trusted local network host to forward traffic between the external network and the petitioning host. As specified in RFC 6886, "The NAT gateway MUST NOT accept mapping requests destined to the NAT gateway's external IP address or received on its external network interface." Additionally, mapping requests "must" be mapped to the source address of the internal requesting host. When a NAT-PMP device fails to enforce these restrictions and is unsafely configured, it may accept malicious port mapping requests or disclose information about itself. Rapid7's report describes the scope of the problem and the vulnerabilities that may emerge from incorrect configurations and implementations NAT-PMP:
Rapid7 also indicates that incorrect configurations of miniupnpd are the likely culprit for most vulnerable instances. Miniupnpd is a light-weight UPnP daemon that also supports NAT-PMP and is widely available on all major platforms. It is possible for the internal and external network interfaces in miniupnpd to be interchangeably configured by implementers, which may explain how some devices are vulnerable.
Additional details may be found in the advisory from Rapid7.
A remote, unauthenticated attacker may be able to gather information about a NAT device, manipulate its port mapping, intercept its private and public traffic, access its private client services, and block its host services.
Configure NAT-PMP Securely
Although the NAT-PMP vulnerabilities are not due to flaws in miniupnpd's code, an update has been released that more strictly enforces RFC 6886. As of version 1.8.20141022, miniupnpd discards NAT-PMP packets received on the WAN interface. The default configuration file, miniupnpd.conf, now contains additional comments to encourage more secure configurations.
Thanks to Tod Beardsley and Jon Hart of Rapid7, Inc, for reporting this vulnerability. Thanks to Thomas Bernard of the MiniUPnP project for his assistance in the coordination and remediation effort.
This document was written by Joel Land.
|Date First Published:||2014-10-23|
|Date Last Updated:||2015-06-29 18:58 UTC|