Written by Samy Kamkar, Chief Security Officer at Openpath, based on his work with Armis researchers
In a nutshell, the vulnerability dubbed NAT Slipstreaming v2.0 (building on our earlier work of NAT Slipstreaming) allows an attacker to bypass a NAT (firewall/router) and connect to any TCP or UDP port across any system behind the NAT simply by a single user behind the firewall visiting a web page.
That web page then exposes the entire network to the attacker, revealing virtually all network services that were previously protected by the NAT.
In late 2020, we released the first version of NAT Slipstreaming which demonstrated how an attacker can remotely access any TCP/UDP service bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.
Interestingly, this is not a vulnerability in any specific system, but rather takes advantage of independent features in different systems, primarily browsers WebRTC, TCP handshake packets, and network Application Layer Gateways (ALGs) + state tables built into NATs.
Further details can be found at https://samy.pl/slipstream.
Armis has also released an excellent technical explanation here: https://www.armis.com/natslipstreaming
After demonstrating this and urging users to disable unneeded ALGs, and swift work and communication between browser vendors and ourselves and immediate patches within the browsers, Ben and Gregory from Armis reached out to us to note a new technique they discovered that could augment the overall method by not only demonstrating an attack on the victim who visited the malicious site but also being able to attack any system on the network of the victim. Ben and Gregory are well known for other impressive research they’ve done such as the BlueBorne attack, which we at Openpath have been interested in as we are deeply involved in providing high security over traditionally insecure links such as Bluetooth, and are happy to note Openpath has never been susceptible to BlueBorne or any other known Bluetooth attacks due to our added layers of security.
We were also aware of other techniques to bypass the patch that had been developed by the browser vendors for the initial Slipstreaming method, and as this new attack was much more powerful, we immediately reached out to all major browser vendors requesting a private, coordinated disclosure. The vendors agreed to the criticality of the issue and worked together to release patches. Although the vulnerability is not technically in the browser, the severity was high enough that they agreed it made sense to quickly and quietly resolve the issue in a coordinated fashion. We were happy to work with the vendors to ensure effective and widespread patches before announcing further details.
We’re excited that this is now universally patched and can share more information.