NAT slipstreaming - any relevance on SNWL?
BWC
Cybersecurity Overlord ✭✭✭
in Water Cooler
Hi all,
I came across this attack called "NAT Slipstreaming" which is quite interessting and I was thinking how it could affect a SonicWall Firewall?
Is this a more theoretical risk and does not affect us at all, or in the light of SonicOS 7 which is linux based, a real thing?
--Michael@BWC
Category: Water Cooler
0
Comments
Hello @BWC,
I am checking internally on this one. I will keep you posted.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Reading more into this... from the author's own admission this is merely a 'modernized' version of a previous method he developed. I wouldn't exactly call it 'new'.
"This attack requires the NAT/firewall to support ALG (Application Level Gateways), which are mandatory for protocols that can use multiple ports (control channel + data channel) such as SIP and H323 (VoIP protocols), FTP, IRC DCC, etc."
Seeing that it requires ALG's enabled seems to me like this is directed at consumer-grade devices. "To do this, we'll want to reverse engineer the firmware from common routers." "...however if we can get unencrypted firmware from the manufacturers..." "We'll start with a common router, the Netgear Nighthawk R7000."
I never use ALGs on business firewalls, in fact some services specifically state not to use them! This doesn't seem very universal if the attacker is specifically looking at underlying code in firmware.
"Attacker can now connect to arbitrary TCP/UDP services running on victim." Arbitrary. Unless the attacker knows what services are running its becomes another guessing game.
While research like this is great and important, I don't think (most) Sonicwall firewalls would end up being attacked with this. I think one important line to note is "however if we can get unencrypted firmware from the manufacturers". I do not know if Sonicwall encrypts their firmware, but my guess is they do.
Hi @TKWITS
yeah, avoiding ALGs whenever possible, first thing I do on any Mikrotik deployment is disabling them. And having no ALGs is why we stick with SNWL in the first place.
The reason why I brought this up in context with SNWL was just because of the fact that SonicOS 7 is Linux based and maybe using some form of ALG for SIP or H.323 etc.
I was sure that could be easily clarified, but @shiprasahu93 did not reported back for now, but I'am optimistic nothing bad happens in the slipstream of a SNWL.
--Michael@BWC
Hi all,
just for the peace of mind, can someone of SNWL confirm or deny any impact, I would like to answer customer requests with a backed Vendor statement?
--Michael@BWC
Hello @BWC thank you for your patience as our teams look into this. We plan to release an advisory via https://psirt.global.sonicwall.com/vuln-list shortly. At the time of this post the short answer is "we are not vulnerable". Please understand that the PSIRT will be the source of truth.
Kind regards,
@micah - SonicWall's Self-Service Sr. Manager
Hi @Micah
perfect, that is what I'am looking for. I was a bit concerned because of the SIP ALG, which is actually called ALG in the TSR.
Stay safe.
--Michael@BWC
Hello @BWC , closing this thread off.
@micah - SonicWall's Self-Service Sr. Manager
Hi @Micah
there is some development in the World of NAT Slipstreaming and I think we can rely on that "2.0" is no issue as well, correct? Still no ALG, still no trouble.
--Michael@BWC