PAN-SA-2021-0002 Informational: PAN-OS: NAT slipstreaming v1.0 and v2.0 attacks
Description
Network address translation (NAT) slipstreaming attacks v1.0 and v2.0 are network-based attacks that exploit weaknesses in web browsers and Application Level Gateways (ALGs) to expose internal network devices to an attacker.
The following threat prevention signatures prevent NAT slipstreaming attacks:
NAT Slipstreaming Detection (59667)
NAT Slipstreaming Detection (59668)
NAT Slipstreaming Detection (59669)
NAT Slipstreaming Detection (59671)
NAT Slipstreaming Detection (59672)
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS | None | All |
Required Configuration for Exposure
Cannot be exposed.
Severity: NONE
CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
Solution
The following threat prevention signatures block all known risks of NAT slipstreaming attacks:
NAT Slipstreaming Detection (59667)
NAT Slipstreaming Detection (59668)
NAT Slipstreaming Detection (59669)
NAT Slipstreaming Detection (59671)
NAT Slipstreaming Detection (59672)
A PAN-OS software upgrade is not required to mitigate NAT slipstreaming attacks.
Workarounds and Mitigations
If the threat prevention signatures cannot be applied or for additional protection:
Many web browsers include a security fix that prevents NAT slipstreaming attacks. These are known to include:
Chrome v87.0.4280.141 and later versions;
Microsoft’s Edge v87.0.664.75 and later versions;
Safari v14.0.3 and later versions;
Firefox v85.0 and later versions.
NAT Slipstreaming v2.0 attacks leverage H.323 and can be blocked by disallowing STUN application traffic in the PAN-OS appliance configuration.
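
An added example, not part of the advisory and not Palo Alto Networks code: a Python check that classifies browser User-Agent strings (for instance from proxy logs) against the minimum fixed browser versions listed above. The regexes, function names and sample User-Agent strings are constructed for illustration.

```python
import re

# Minimum fixed versions, taken from the advisory's workaround list.
MIN_FIXED = {
    "Edge": (87, 0, 664, 75),
    "Chrome": (87, 0, 4280, 141),
    "Firefox": (85, 0),
    "Safari": (14, 0, 3),
}

# Order matters: Edge UAs also carry Chrome/ and Safari/ tokens, and Chrome
# UAs carry a Safari/ token, so the most specific token is tried first.
UA_PATTERNS = [
    ("Edge", re.compile(r"\bEdg/([\d.]+)")),
    ("Chrome", re.compile(r"\bChrome/([\d.]+)")),
    ("Firefox", re.compile(r"\bFirefox/([\d.]+)")),
    ("Safari", re.compile(r"\bVersion/([\d.]+).*\bSafari/")),
]

def identify(user_agent):
    """Return (browser, version_tuple), or (None, None) if unrecognised."""
    for name, pattern in UA_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            return name, tuple(int(p) for p in m.group(1).split(".") if p)
    return None, None

def is_fixed(user_agent):
    """True at/above the listed minimum, False below it, None if unknown."""
    name, version = identify(user_agent)
    if name is None:
        return None
    minimum = MIN_FIXED[name]
    # Pad with zeros so that 85.0 compares equal to 85.0.0.
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)

def unfixed(user_agents):
    """User agents positively identified as older than the fixed version."""
    return [ua for ua in user_agents if is_fixed(ua) is False]

# Constructed sample User-Agent strings (not real log data).
SAMPLE = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0",
]
```

User-Agent values are client-supplied, so treat the result as an inventory aid; other Chromium-based browsers that send only a Chrome/ token are compared against the Chrome minimum.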