Following the discovery of the NAT Slipstreaming 2.0 attack this week, Google says it will block Chrome traffic on ports 69, 137, 161, 1719, 1720, 1723, 6566, and 10080.

Google has blocked eight ports within the Chrome web browser to stop a new version of an attack called NAT Slipstreaming, the company’s engineers announced today.

The original NAT Slipstreaming attack was first disclosed on October 31, 2020, by Samy Kamkar, a well-known security researcher.

The attack lures users to a malicious website, where JavaScript code establishes a connection directly to the victim’s device, bypassing the protections provided by firewalls and network address translation (NAT) tables.

An attacker can abuse this connection to the user’s system to launch attacks on devices on the victim’s internal network.

The first version of the NAT Slipstreaming attack abused the Session Initiation Protocol (SIP) to establish these pinhole connections to devices on internal networks through ports 5060 and 5061.

Two weeks after the attack went public, Google responded to Kamkar’s discovery by blocking the two ports in Chrome 87 to prevent attackers from abusing the method, which the browser maker saw as a serious threat that was easy to abuse.

Apple and Mozilla also shipped similar blocks in Safari and Firefox weeks later.

But earlier this week, security researchers from the IoT security company Armis announced that they had worked with Kamkar to extend the original attack into a new version they named NAT Slipstreaming 2.0.

This new version replaces SIP and piggybacks on the H.323 multimedia protocol to open similar channels into internal networks, bypassing firewalls and NAT tables.

Armis researchers said the 2.0 variant of the NAT Slipstreaming attack was as powerful as the original and would allow the same kind of internet-based attacks on devices commonly found only on internal LANs.

Ports 69, 137, 161, 1719, 1720, 1723, 6566, and 10080 to be blocked as a precaution

Earlier today, Google said it would block connections to port 1720, which is used by the H.323 protocol, along with seven other ports that it believes could be abused in the same way by similar NAT Slipstreaming attacks.

The other seven ports are 69, 137, 161, 1719, 1723, 6566, and 10080.

Any HTTP, HTTPS, or FTP connection through these ports will now fail, Google said today.
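For defenders who want to see which internal clients still send such requests, the following added example (not code from Google, Armis, or the original article) scans web proxy log lines for HTTP, HTTPS, or FTP URLs whose effective port is one of the eight ports above or 5060/5061 from the original attack. The log format, host names, and addresses are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Ports named in the article: 5060/5061 (original attack) plus the eight for 2.0.
SLIPSTREAM_PORTS = {5060, 5061, 69, 137, 161, 1719, 1720, 1723, 6566, 10080}
# Schemes the article lists as affected, with their default ports.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Constructed sample in an assumed format: "<time> <client_ip> <method> <url>"
SAMPLE_LOG = """\
2021-01-29T10:00:01Z 10.0.0.15 GET http://intranet.example/index.html
2021-01-29T10:00:02Z 10.0.0.15 POST http://198.51.100.7:1720/a
2021-01-29T10:00:03Z 10.0.0.22 GET https://backup.example:10080/status
2021-01-29T10:00:04Z 10.0.0.15 POST http://198.51.100.7:1720/b
2021-01-29T10:00:05Z 10.0.0.31 GET http://[2001:db8::1]:5060/
2021-01-29T10:00:06Z 10.0.0.40 GET ftp://files.example/pub/readme.txt
2021-01-29T10:00:07Z truncated-entry
"""

def effective_port(url):
    """Return (scheme, host, port) for http/https/ftp URLs, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return scheme, parts.hostname, port if port is not None else DEFAULT_PORTS[scheme]

def find_hits(log_text):
    """Count requests per (client, host, port) that target a listed port."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _, client, _, url = fields
        target = effective_port(url)
        if target and target[2] in SLIPSTREAM_PORTS:
            hits[(client, target[1], target[2])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (client, host, port), count in sorted(find_hits(SAMPLE_LOG).items()):
        print(f"{client} -> {host}:{port} ({count} request(s))")
```

A hit is not proof of an attack: legitimate internal web interfaces sometimes listen on these ports, and those are the services that will stop loading in a browser once the block is active.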

According to the Chrome feature status report, the block is already active for any user running Chrome version 87.0.4280.117 and later.

It looks like the block list is updated server-side, without shipping a separate Chrome update to end users.

The Firefox and Microsoft Edge browsers have also shipped fixes for the NAT Slipstreaming 2.0 attack. The Firefox fix shipped in Firefox 85 earlier this week as CVE-2021-23961, while the Edge fixes are being shipped as CVE-2020-16043.

Priyanshu Vijayvargiya

Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
