Palo Alto Networks Security Advisories / PAN-SA-2021-0002

PAN-SA-2021-0002 Informational: PAN-OS: NAT slipstreaming v1.0 and v2.0 attacks

047910
Severity 0 · NONE
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact NONE

Description

Network address translation (NAT) slipstreaming attacks v1.0 and v2.0 are network-based and they exploit weaknesses in web browsers and Application Level Gateways (ALGs) to expose internal network devices to an attacker.

The following threat prevention signatures prevent NAT slipstreaming attacks:

NAT Slipstreaming Detection (59667)

NAT Slipstreaming Detection (59668)

NAT Slipstreaming Detection (59669)

NAT Slipstreaming Detection (59671)

NAT Slipstreaming Detection (59672)

Product Status

VersionsAffectedUnaffected
PAN-OS Noneall

Required Configuration for Exposure

Cannot be exposed.

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

Weakness Type

Solution

The following threat prevention signatures block all known risks of NAT slipstreaming attacks:

NAT Slipstreaming Detection (59667)

NAT Slipstreaming Detection (59668)

NAT Slipstreaming Detection (59669)

NAT Slipstreaming Detection (59671)

NAT Slipstreaming Detection (59672)

A PAN-OS software upgrade is not required to mitigate NAT slipstreaming attacks.

Workarounds and Mitigations

If the threat prevention signatures cannot be applied or for additional protection:

Many web browsers include a security fix that prevents NAT slipstreaming attacks. These are known to include:

Chrome v87.0.4280.141 and later versions;

Microsoft’s Edge v87.0.664.75 and later versions;

Safari v14.0.3 and later versions;

Firefox v85.0 and later versions.

NAT Slipstreaming v2.0 attacks leverage H.323 and can be blocked by disallowing STUN application traffic in the PAN-OS appliance configuration.

Timeline

Added workaround for customers without a Threat Prevention subscription
Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.