search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Incorrect implementation of NAT-PMP in multiple devices

Vulnerability Note VU#184540

Original Release Date: 2014-10-23 | Last Revised: 2015-06-29

Overview

Many NAT-PMP devices are incorrectly configured, allowing them to field requests received on external network interfaces or map forwarding routes to addresses other than that of the requesting host, making them potentially vulnerable to information disclosure and malicious port mapping requests.

Description

CWE-200: Information Exposure

NAT-PMP is a port-mapping protocol in which a network address translation (NAT) device, typically a router, is petitioned by a trusted local network host to forward traffic between the external network and the petitioning host. As specified in RFC 6886, "The NAT gateway MUST NOT accept mapping requests destined to the NAT gateway's external IP address or received on its external network interface." Additionally, mapping requests "must" be mapped to the source address of the internal requesting host. When a NAT-PMP device fails to enforce these restrictions and is unsafely configured, it may accept malicious port mapping requests or disclose information about itself. Rapid7's report describes the scope of the problem and the vulnerabilities that may emerge from incorrect configurations and implementations NAT-PMP:

Vulnerability Summary

During our research, we identified approximately 1.2 million devices on the public Internet that responded to our external NAT-PMP probes.  Their responses represent two types of vulnerabilities; malicious port mapping manipulation and information disclosure about the NAT-PMP device.  These can be broken down into 5 specific issues, outlined below:

      • Interception of Internal NAT Traffic: ~30,000 (2.5% of responding devices)
      • Interception of External Traffic: ~1.03m (86% of responding devices)
      • Access to Internal NAT Client Services: ~1.06m (88% of responding devices)
      • DoS Against Host Services: ~1.06m (88% of responding devices)
      • Information Disclosure about the NAT-PMP device: ~1.2m (100% of responding devices)

Rapid7 also indicates that incorrect configurations of miniupnpd are the likely culprit for most vulnerable instances. Miniupnpd is a light-weight UPnP daemon that also supports NAT-PMP and is widely available on all major platforms. It is possible for the internal and external network interfaces in miniupnpd to be interchangeably configured by implementers, which may explain how some devices are vulnerable.

Additional details may be found in the advisory from Rapid7.

Impact

A remote, unauthenticated attacker may be able to gather information about a NAT device, manipulate its port mapping, intercept its private and public traffic, access its private client services, and block its host services.

Solution

Configure NAT-PMP Securely

Developers and administrators implementing NAT-PMP should exercise care to ensure that devices are configured securely, specifically that

    1. the LAN and WAN interfaces are correctly assigned,
    2. NAT-PMP requests are only accepted on internal interfaces, and
    3. port mappings are only opened for the requesting internal IP address.

    Update miniupnpd

    Although the NAT-PMP vulnerabilities are not due to flaws in miniupnpd's code, an update has been released that more strictly enforces RFC 6886. As of version 1.8.20141022, miniupnpd discards NAT-PMP packets received on the WAN interface. The default configuration file, miniupnpd.conf, now contains additional comments to encourage more secure configurations.

    Restrict Access

    Deploy firewall rules to block untrusted hosts from being able to access port 5351/udp.

    Disable NAT-PMP

    Consider disabling NAT-PMP on the device if it is not absolutely necessary.

    Vendor Information

    184540
    Expand all

    Belkin, Inc.

    Notified:  April 10, 2015 Updated:  June 29, 2015

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Vendor References

    http://www.belkin.com/us/support-article?articleNum=157352

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Grandstream

    Notified:  September 23, 2014 Updated:  October 28, 2014

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Netgear, Inc.

    Notified:  October 08, 2014 Updated:  October 28, 2014

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Radinet

    Notified:  September 23, 2014 Updated:  October 28, 2014

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Speedifi

    Notified:  September 23, 2014 Updated:  October 28, 2014

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Technicolor

    Notified:  October 16, 2014 Updated:  October 28, 2014

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Tenda

    Notified:  September 23, 2014 Updated:  October 28, 2014

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Ubiquiti Networks

    Notified:  October 08, 2014 Updated:  October 28, 2014

    Statement Date:   October 14, 2014

    Status

      Affected

    Vendor Statement

    We have analyzed and appears our firmware is not affected since version v5.5.4.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    ZTE Corporation

    Notified:  October 23, 2014 Updated:  October 28, 2014

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    ZyXEL

    Notified:  October 08, 2014 Updated:  October 28, 2014

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    According to Rapid7 advisory R7-2014-17, products of this vendor were identified as exhibiting potentially insecure NAT-PMP behavior.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Apple Inc.

    Notified:  October 10, 2014 Updated:  October 21, 2014

    Statement Date:   October 13, 2014

    Status

      Not Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    MikroTik

    Notified:  September 23, 2014 Updated:  October 27, 2014

    Statement Date:   October 24, 2014

    Status

      Not Affected

    Vendor Statement

    Thank you very much in concern for MikroTik products.
    Our RouterBOARDs are using MikroTik RouterOS and NAT-PMP is not implemented
    there. We are using UPnP for such function (it is not enabled by default).

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.


    CVSS Metrics

    Group Score Vector
    Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
    Temporal 7.1 E:F/RL:U/RC:C
    Environmental 5.3 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

    References

    Credit

    Thanks to Tod Beardsley and Jon Hart of Rapid7, Inc, for reporting this vulnerability. Thanks to Thomas Bernard of the MiniUPnP project for his assistance in the coordination and remediation effort.

    This document was written by Joel Land.

    Other Information

    CVE IDs: None
    Date Public: 2014-10-21
    Date First Published: 2014-10-23
    Date Last Updated: 2015-06-29 18:58 UTC
    Document Revision: 38

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.