Vulnerability Details : CVE-2020-28041
The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data.
Products affected by CVE-2020-28041
- cpe:2.3:o:netgear:nighthawk_r7000_firmware:1.0.9.64_10.2.64:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-28041
- EPSS score: 9.64% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~95% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-28041
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | 
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N | 2.8 | 3.6 | NIST | 
CWE ids for CVE-2020-28041
- During installation, installed file permissions are set to allow anyone to modify those files. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-28041
- https://news.ycombinator.com/item?id=24958281 : "The attack relies on the ALG ignoring the IP fragment offset in the UDP case onl..." | Hacker News (Exploit; Third Party Advisory)
- https://samy.pl/slipstream/ : Samy Kamkar - NAT Slipstreaming (Exploit; Third Party Advisory)
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024 : Security Advisory (Third Party Advisory)
- https://github.com/samyk/slipstream : GitHub - samyk/slipstream: NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim's NAT/firewall, just by the victim visiting a we (Third Party Advisory)
- https://news.ycombinator.com/item?id=24956616 : "It's not smuggling a SIP session request via HTTP headers - even if it didn't lo..." | Hacker News (Exploit; Third Party Advisory)