Sunday, July 04, 2021

Application Layer Gateways - Part III

In Part II, I discussed how certain applications are allowed to "tweak" the router so that traffic to different incoming ports is allowed.
This post is the final part of this discussion (at least for now).

Again, I will reference Steve Gibson's Security Now podcast, this time episode 804.

In this episode, Steve describes how a NAT slipstreaming attack allows a remote attacker to trick the NAT into creating NAT traversal mappings to ANY device on the internal network,

This isn't good.

Armis discovered that routers' Application Layer Gateways (ALGs) have even more issues.
WebRTC TURN (Traversal Using Relay around NAT) connections can be established by browsers over TCP to any destination port. The browsers restricted-ports list was not consulted by this logic, and was therefore bypassed.

These TURN connections are used by H.323, a VoIP protocol similar to SIP.

So what to do? I repeat the recommendation at the end of Part II. In your router, turn off as many of the ALG passthroughs that you can.

Good luck if you're using H.323.

No comments: