The NAT Slipstreaming 2.0 attack exploits the standard support for VOIP routing in NAT routers/firewalls to expose all devices on the internal network to attack from the internet.
A new variant of the NAT Slipstreaming attack has been published which extends the attack to abuse the H.323 protocol used by VOIP devices to manage call forwarding. Specially crafted JavaScript delivered by a malicious advert or webpage running in a browser behind the NAT router can trick the Application Layer Gateway (ALG) in the router into opening access to any device on the local network. WebRTC TURN connections can be abused in the same way to achieve the same result.
The attack is described in detail in a new report by Armis Security. According to Samy Kamkar, who developed the original attack vector:
“NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim’s NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.”
To mitigate the risk, Google, Apple, Mozilla and Microsoft have released patches to Chrome (CVE-2020-16043), Safari (CVE-2021-1799), Firefox (CVE-2021-23961) and Edge (updated via Chromium) to try to prevent the NAT router from being exploited via the browser. However, this will not stop specially crafted malware on any internal device from replicating the attack and tricking the router into opening the NAT/firewall to external traffic until the router firmware is updated to mitigate the attack vector. According to the report, enterprise-grade NATs/firewalls from Fortinet, Cisco and HPE are confirmed to be affected, while others are likely affected as well.
Network administrators can mitigate the risk by disabling support for protocols they do not use on their network – thus reducing the attack surface of the router. Segregating VOIP devices onto their own network segment can also protect the rest of the network by allowing H.323 to be disabled on the main network’s routers and firewalls.
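As an added example (not from the article or the Armis report), the script below shows what "disable the ALG for protocols you do not use" looks like on a Linux/netfilter NAT gateway, which is an assumption; the article names Fortinet, Cisco and HPE appliances, whose CLI differs. It lists which of the H.323 and SIP connection-tracking helper modules (the netfilter implementation of the ALG) are loaded, and emits a modprobe blacklist for them. The `lsmod` output embedded in the block is constructed sample data; run it with `--live` to audit the host it is running on.

```shell
#!/bin/sh
# Added example: audit a Linux NAT gateway for the netfilter "helper" modules
# that implement the H.323 and SIP Application Layer Gateways, and print a
# modprobe blacklist for the ones that are loaded. Assumes a netfilter-based
# gateway; not the configuration of any appliance named in the article.

# Kernel modules implementing ALG behaviour for the VoIP protocols discussed.
ALG_MODULES="nf_conntrack_h323 nf_nat_h323 nf_conntrack_sip nf_nat_sip"

# loaded_alg_modules LSMOD_TEXT
# Prints, one per line, the ALG modules whose name appears in column 1 of
# the given lsmod output.
loaded_alg_modules() {
    lsmod_text="$1"
    for mod in $ALG_MODULES; do
        printf '%s\n' "$lsmod_text" \
            | awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' \
            && printf '%s\n' "$mod"
    done
    return 0
}

# blacklist_config MODULE...
# Prints /etc/modprobe.d lines that stop the named helpers from loading.
# "blacklist" stops alias autoloading; "install ... /bin/false" also blocks
# explicit loads requested by dependent modules or tools.
blacklist_config() {
    for mod in "$@"; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod"
    done
}

# Constructed sample lsmod output (not captured from a real device): the
# H.323 helpers are loaded, the SIP helpers are not.
SAMPLE_LSMOD='Module                  Size  Used by
nf_nat_h323            16384  0
nf_conntrack_h323      73728  1 nf_nat_h323
nf_nat                 49152  1 nf_nat_h323
nf_conntrack          172032  2 nf_nat_h323,nf_conntrack_h323
x_tables               53248  0'

main() {
    if [ "${1:-}" = "--live" ] && command -v lsmod >/dev/null 2>&1; then
        text=$(lsmod)          # audit this host
    else
        text=$SAMPLE_LSMOD     # offline demonstration on the sample
    fi
    loaded=$(loaded_alg_modules "$text")
    if [ -z "$loaded" ]; then
        echo "No VoIP ALG helper modules loaded."
        return 0
    fi
    echo "Loaded VoIP ALG helpers:"
    echo "$loaded"
    echo
    echo "# suggested /etc/modprobe.d/no-voip-alg.conf"
    blacklist_config $loaded
}

main "$@"
```

On kernels since 4.7 the sysctl `net.netfilter.nf_conntrack_helper` defaults to 0, so a loaded helper module is only active for flows that a rule explicitly assigns it to (the `CT --helper` target); a loaded module is therefore a reason to check the ruleset, not proof that the ALG is in use. Keeping the module unloadable closes the gap either way, provided no legitimate VoIP traffic on that segment depends on it, which is exactly the case the article's segregation advice is meant to create.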