Connections to HTTP, HTTPS or FTP servers on ports 69, 137, 161, 1719, 1720, 1723 or 6566 will fail. This is a mitigation for the NAT Slipstream 2.0 attack: https://www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/. It helps developers by keeping the web platform safe for users.
Motivation
The NAT Slipstream 2.0 attack is a kind of cross-protocol request forgery which permits malicious internet servers to attack computers on a private network behind a NAT device. The attack depends on being able to send traffic on port 1720 (H.323). To prevent future attacks, this change also blocks several other ports which are known to be inspected by NAT devices and may be subject to similar exploitation.
Specification
Status in Chromium
Enabled by default in:
- Chrome for desktop release 87
- Chrome for Android release 87
Consensus & Standardization
- Shipped/Shipping
- Shipped/Shipping
- Shipped/Shipping
- No signals
Owner
Last updated on 2021-01-28
Comments
HTTP servers using one of the listed ports will be inaccessible. They will have to be modified to run on different ports, and all referring urls updated. Legitimate use of these ports for HTTP servers is rare. This change has already shipped in a point release 87.0.4280.117. At the time the security issue was not disclosed, so the intent to ship is being sent after shipping.