Is your home or office internet gateway one of '1.2 MILLION' wide open to hijacking?

Doublecheck your NAT-PMP settings now

13 Reg comments Got Tips?

Hundreds of thousands of routers, firewalls and gateways used by small offices and homes are said to be vulnerable to hijacking due to bungled NAT settings.

The networking devices are, we're told, commonly misconfigured to allow remote attackers to reprogram how network traffic flows to PCs, servers, tablets and other machines.

The at-risk hardware acts as a gateway between a local network and the wider internet, and uses NAT-PMP (Network Address Translation Port Mapping Protocol) to configure how traffic from the outside world reaches machines on the LAN. For example, a computer on the local network can send a NAT-PMP request to map HTTP traffic from the internet to a web server on the LAN.

But it turns out these gateways typically accept NAT-PMP commands from the public internet as well, without authentication, due to configuration blunders.

This allows miscreants to redirect packets passing through the NAT device to their eavesdropping systems, as well as opening up public access to internal hosts and services on the private side of the NAT device, and so on.

These findings are according to security biz Rapid7, which says it's found 1.2 million publicly accessible devices that have insecure NAT-PMP settings. There's no solid evidence that these are being widely exploited.

Even so, action needs to be taken by the gateways' owners sooner rather than later – not least because exploitation only requires only a "basic knowledge of the protocol," according to Rapid7.

Anyone who has a NAT-PMP-capable device on their network should ensure that all NAT-PMP traffic is "prohibited on untrusted network interfaces/" ISPs also have a responsibility in supplying kit that is free from NAT-PMP flaws, added Rapid7 – which is best known for the Metasploit penetration testing tool.

Jon Hart, a senior security researcher at Rapid7, has put together a blog, complete with diagrams and code snippets, explaining the issue in more depth, here. ®


Keep Reading

US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch

Update, update, update. Plus: Flash, Struts, Drupal also make appearances

Super Cali COVID count is somewhat out of focus, server crash and expired cert makes numbers quite atrocious

Computer glitch followed by senior public health resignation in Golden State

Fake Zoom alerts and dodgy medical freebies among COVID-cracks detected by Taiwan's CERT

Phishers claimed to be from 'National Health Commission', which exists in mainland China but not Taiwan

Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don't work for older kit

Vid Good news: There is none. Well, apart from you can at least fully patch the Microsoft blunder

Old-school security hole perfect for worms and remote hijackings found lurking in Windows Server DNS code

Mega Patch Tuesday You'll want to patch that – and all these other bugs fixed by Microsoft, Oracle, Adobe, VMware, SAP, Google

Rabobank security cert expires and gives its Australian Android app a case of internet-blindness

Needs bank staff to sort things out, but a certain virus means the contact centre is rather busy right now

Shared memory vulnerability in IBM's Db2 database could let nefarious insiders wreak havoc – so get patching

Lack of protections around trace facility gives local users read and write access dangles £400k over makers of IoT Things: Go on, let's see how you'd make a security cert scheme

And if you win, we'll make it into a kitemark

Biting the hand that feeds IT © 1998–2020