October 3, 2023

Google has blocked eight additional ports inside the Chrome web browser in order to prevent a new variation of an attack named NAT Slipstreaming.

The attack worked by luring users to a malicious website where JavaScript code would establish a connection to a victim’s device directly, bypassing defenses provided by firewalls and network address translation (NAT) tables.

The initial version of the NAT Slipstreaming attack abused the Session Initiation Protocol (SIP) to establish these pinhole connections to devices on internal networks via ports 5060 and 5061.

Google responded by blocking these two ports in Chrome 87 to prevent attackers from abusing this technique, which the browser maker deemed a severe threat and easy to abuse.

New NAT Slipstreaming attack variant discovered

The new version, NAT Slipstreaming 2.0, replaces SIP and piggybacks on the H.323 multimedia protocol to open the same tunnels inside internal networks and bypass firewalls and NAT tables, which affects the internal network.

Ports 69, 137, 161, 1719, 1720, 1723, 6566, 10080 to be blocked

Google said that it would block connections to port 1720, used by the H.323 protocol, as well as seven other ports that it believes could be abused in the same manner for similar variations of the NAT Slipstreaming attack.

The other seven ports were 69, 137, 161, 1719, 1723, 6566, and 10080. HTTP, HTTPS, and FTP connections via these ports will be blocked, starting with Chrome version 87.0.4280.117. The block is done on the server side, so no update is required on the end-user side.
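Because browsers now refuse HTTP, HTTPS, and FTP connections to these ports, any internal web service listening on one of them becomes unreachable from a patched browser. The following is an added example, not code from Google or from the original article: a small audit that flags such URLs in a service inventory. The host names and the `INVENTORY` list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Ports named in this article: 5060/5061 (blocked for the original SIP variant)
# plus the eight ports blocked for NAT Slipstreaming 2.0.
BLOCKED_PORTS = {5060, 5061, 69, 137, 161, 1719, 1720, 1723, 6566, 10080}
# Schemes the article says are refused on those ports.
AFFECTED_SCHEMES = {"http", "https", "ftp"}

# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    "http://printer.corp.example:10080/status",
    "https://intranet.corp.example/",            # default port, unaffected
    "https://voip-admin.corp.example:5061/login",
    "http://[fd00::10]:1720/",                   # IPv6 literal with a port
    "ssh://git.corp.example:1723/repo",          # not a browser-fetched scheme
    "http://wiki.corp.example:8080/",
    "ftp://files.corp.example:69/pub",
    "http://bad.corp.example:99999/",            # malformed port, skipped
]

def blocked_port(url):
    """Return the blocked port a URL targets, or None if it is unaffected."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port      # None when the URL relies on the scheme default
    except ValueError:         # bad IPv6 literal, non-numeric or out-of-range port
        return None
    if parts.scheme not in AFFECTED_SCHEMES or port not in BLOCKED_PORTS:
        return None
    return port

def audit(urls):
    """Group affected URLs by port so each service can be moved or proxied."""
    findings = {}
    for url in urls:
        port = blocked_port(url)
        if port is not None:
            findings.setdefault(port, []).append(url)
    return dict(sorted(findings.items()))

if __name__ == "__main__":
    for port, urls in audit(INVENTORY).items():
        print(f"port {port}: {len(urls)} URL(s) will fail in patched browsers")
        for u in urls:
            print(f"  {u}")
```

Services the audit flags should be moved to a different port or fronted by a reverse proxy on a standard port.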

Firefox and Microsoft’s Edge browsers have also deployed fixes for the NAT Slipstreaming 2.0 attack. The Firefox patch was delivered in Firefox 85 earlier this week as CVE-2021-23961, while the Edge fix shipped as a fix for CVE-2020-16043.
