Are Asus routers running ASUSWRT-Merlin affected by NAT Slipstreaming? Mitigations?

[ADFHogan]

I posted here previously about this - and it seems my post was interpreted as "general security" and then shifted off into another forum.

I've made this post more specific.

Samy Kamkar - NAT Slipstreaming v2.0

exploit NAT/firewalls to access TCP/UDP services bound to any system behind victim's NAT

samy.pl

... do we know if Asus routers running Merlin are vulnerable to this?
... if so, what mitigations can we deploy?

For now, I've turned off the ALGs that I'm not using to try and reduce the attack surface.

 

[ColinTaylor]

The author identified the following ALGs as potential candidates: sane (backup), sip (voip), pptp (vpn), and h323 (voip). He chose to concentrate on SIP as that seemed the most promising.

All four three of the relevant ALGs can be disabled on Asus routers in the NAT Passthrough options.

 

[itpp20]

Being more specific would help, 'all 4' does not list the 6 options or each impact of switching them off.

 

[ColinTaylor]

Being more specific would help, 'all 4' does not list the 6 options or each impact of switching them off.

Sorry, I should have said "all 3" as "sane" is not a router option. So all 3 are sip, pptp, and h323.

 

[itpp20]

Ok so lets discuss mitigation(s), (what effects to expect or not)

SIP and H.323 are not going to impact VOIP (at least not on my end, tested).
If anyone else can test this we can exclude side effects.

PPTP: this may effect old style (and obsolete) VPN's.

 

[itpp20]

Nist tracker: https://nvd.nist.gov/vuln/detail/CVE-2020-28041

 

[ColinTaylor]

Do bear in mind that he only investigated SIP. He never looked at PPTP or H.323.

 

[itpp20]

If its not going to affect services and it offers a potential risk (ALG) it should be off.

 

[ADFHogan]

What about FTP in Merlin?

Presumably FTP ALG is only required if PASV FTP not in use? Is it possible to turn off FTP one? Who still uses FTP these days?

 

[itpp20]

Nearly all IP cams use ftp and if they support smb it's mostly smbv1.

If ftp is off (under usb devices) is this port still listening? even if ftp is on, could we internally firewall this port(and does ftp still work)?

Also note the text at the top "...connection to pass through the router to the network clients", as I read this I am assuming the ftp server on the router is not a client, a ftp server running on a LAN device (desktop/laptop/nas) would be a valid client.

 

[Jeffrey Young]

What about FTP in Merlin?
View attachment 27531
Presumably FTP ALG is only required if PASV FTP not in use? Is it possible to turn off FTP one? Who still uses FTP these days?

@ColinTaylor actually gave a solution to this a week or so ago. I hate using this site's search feature, so here was the solution posted.

In the firewall-start script (assuming you are using Merlin), add the following;

rmmod nf_nat_ftp
rmmod nf_conntrack_ftp

Cheers

 

[mike37]

F

@ColinTaylor actually gave a solution to this a week or so ago. I hate using this site's search feature, so here was the solution posted.

In the firewall-start script (assuming you are using Merlin), add the following;

rmmod nf_nat_ftp
rmmod nf_conntrack_ftp

Cheers

FWIW I had to use "modprobe -r"; don't have rmmod on my AC-68u.

Thanks to ADFHog and all others on this short thread!!

 

[Jeffrey Young]

F


FWIW I had to use "modprob -r"; don't have rmmod on my AC-68u.

Thanks to ADFHog and all others on this short thread!!

Thanks for letting me know. I have the 86U, which is a vr 4.x kernal. THe 68U is a vr 2.x kernal. Added to my notes on the subject as I have a 68U as play/test router

 

[Wallace_n_Gromit]

Ok so lets discuss mitigation(s), (what effects to expect or not)

View attachment 27528

SIP and H.323 are not going to impact VOIP (at least not on my end, tested).
If anyone else can test this we can exclude side effects.

PPTP: this may effect old style (and obsolete) VPN's.

I was listening to NPR on my Amazon Echo when I disabled [PPTP], [H.323], and[ SIP]. I lost the National Public Radio stream on my Echo. After reenabling [H.323], the stream on my Echo device returned to normal.

ADDITIONAL NOTE: I then decided to disable [L2TP Passthrough], [IPSec Passthrough], and [RTSP Passthrough]. Disabling [RTSP Passthrough] ALSO caused my Amazon Echo to lose the National Public Radio stream I was listening to.

To mitigate this issue better, would you allow just [Enabled] or [Enabled + NAT helper]?

 

[Wallace_n_Gromit]

F


FWIW I had to use "modprob -r"; don't have rmmod on my AC-68u.

Thanks to ADFHog and all others on this short thread!!

I also have the RT-AC68U. What would the full entry look like when you add it to firewall-start? i.e. instead of:
(2 lines)
rmmod nf_nat_ftp
rmmod nf_conntrack_ftp
Do:
(1 line)
modprob -r

 

[ColinTaylor]

I also have the RT-AC68U. What would the full entry look like when you add it to firewall-start? i.e. instead of:
(2 lines)
rmmod nf_nat_ftp
rmmod nf_conntrack_ftp
Do:
(1 line)
modprob -r

It's modprobe not modprob. I use rmmod out of habit even though modprobe -r is meant to be better. Either should have worked though. As always, test them from the command line before implementing a script.

 

[mike37]

I used two lines. Added them after existing items in firewall-start:
modprobe -r nf_nat_ftp
modprobe -r nf_contrack_ftp

NOTE: check spellings. my earlier post lost the "e" at the end of modprobe

 

[Wallace_n_Gromit]

I used two lines. Added them after existing items in firewall-start:
modprobe -r nf_nat_ftp
modprobe -r nf_contrack_ftp

NOTE: check spellings. my earlier post lost the "e" at the end of modprobe

just entering the commands at the prompt yielded this:

ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
XXXXXXXXXXXXXX@RT-AC68U-E870:/tmp/home/root# modprobe -r nf_nat_ftp
XXXXXXXXXXXXXX@RT-AC68U-E870:/tmp/home/root# modprobe -r nf_contrack_ftp
modprobe: module nf_contrack_ftp not found in modules.dep
XXXXXXXXXXXXXX@RT-AC68U-E870:/tmp/home/root#

that second command line didn't work for my RT-AC68U.

EDIT: after reviewing the prior Thread posts I realized there was a speeling eeror on contrack (which should be conntrack which now worked)

 

[pirx73]

FWIW I had to use "modprobe -r"; don't have rmmod on my AC-68u.

I do have rmmod on my AC-68U. Most likely installed by Entware.

 

[itpp20]

To mitigate this issue better, would you allow just [Enabled] or [Enabled + NAT helper]?

A nice article to read up on ALG:

SIP ALG and why it should be disabled on most routers | VoiceHost - UK VoIP Provider

SIP ALG and why it should be disabled on most routers

www.voicehost.co.uk

As far as I can find the 'helper' module is something needed around 2008 but as far as I understand the implementation is partly the reason why ALG in its core is flawed enabling slipstream hacks.
Ymmv.