NAT slipstreaming - any relevance on SNWL?

BWC Cybersecurity Overlord ✭✭✭

Hi all,

I came across this attack called "NAT Slipstreaming" which is quite interesting, and I was wondering how it could affect a SonicWall firewall?

Is this more of a theoretical risk that does not affect us at all, or, in the light of SonicOS 7 which is Linux-based, a real thing?

--Michael@BWC

Category: Water Cooler

Comments

  • Hello @BWC,

    I am checking internally on this one. I will keep you posted.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • TKWITS Newbie ✭

    Reading more into this... from the author's own admission this is merely a 'modernized' version of a previous method he developed. I wouldn't exactly call it 'new'.

    "This attack requires the NAT/firewall to support ALG (Application Level Gateways), which are mandatory for protocols that can use multiple ports (control channel + data channel) such as SIP and H323 (VoIP protocols), FTP, IRC DCC, etc."

    Seeing that it requires ALGs enabled, it seems to me like this is directed at consumer-grade devices. "To do this, we'll want to reverse engineer the firmware from common routers." "...however if we can get unencrypted firmware from the manufacturers..." "We'll start with a common router, the Netgear Nighthawk R7000."

    I never use ALGs on business firewalls, in fact some services specifically state not to use them! This doesn't seem very universal if the attacker is specifically looking at underlying code in firmware.

    "Attacker can now connect to arbitrary TCP/UDP services running on victim." Arbitrary. Unless the attacker knows what services are running, it becomes another guessing game.

    While research like this is great and important, I don't think (most) SonicWall firewalls would end up being attacked with this. I think one important line to note is "however if we can get unencrypted firmware from the manufacturers". I do not know if SonicWall encrypts their firmware, but my guess is they do.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @TKWITS

    Yeah, avoiding ALGs whenever possible; the first thing I do on any Mikrotik deployment is disable them. And having no ALGs is why we stick with SNWL in the first place.

    The reason why I brought this up in the context of SNWL was just the fact that SonicOS 7 is Linux-based and may be using some form of ALG for SIP or H.323 etc.

    I was sure that could be easily clarified, but @shiprasahu93 has not reported back for now. I am optimistic nothing bad happens in the slipstream of a SNWL.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Hi all,

    Just for peace of mind, can someone from SNWL confirm or deny any impact? I would like to answer customer requests with a backed vendor statement.

    --Michael@BWC

  • Micah Administrator
    edited November 25

    Hello @BWC, thank you for your patience as our teams look into this. We plan to release an advisory via https://psirt.global.sonicwall.com/vuln-list shortly. At the time of this post the short answer is "we are not vulnerable". Please understand that the PSIRT will be the source of truth.

    Kind regards,

    Self-Service Sr. Manager at SonicWall. Say "hi" by tagging me at @micah.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Micah

    Perfect, that is what I am looking for. I was a bit concerned because of the SIP ALG, which is actually called ALG in the TSR.

    Stay safe.

    --Michael@BWC
