Thu Mar 1 13:49:29 2007

Welcome back to the 90s

By now I have come to accept that around Y2K the music industry decided that innovation is no longer needed and that they can make enough money by reselling and covering pretty much every song written between 1960 and 1999. What fascinates me is that vendors in the computer industry seem to have come to the same conclusion regarding the security of their products. I can only see two potential reasons for this:

  • The big vendors have come to realize that they can sell their products with lots of vulnerabilities in them as long as they appear responsive to vulnerability reports. Nobody gets sacked for buying IBM, as the proverb once went. The same might be true for Sun, Cisco and Symantec today.
  • Microsoft invested so much money in the security of their product line and the industry was always "us versus Microsoft", so they decided to kill the giant by going the other direction and strictly and stubbornly not caring about product security and quality (which, in fact, are very close to each other if not the same).

Congratulations to Sun Microsystems, you have successfully moved the Internet over a decade back in time. As of today, a new worm is spreading, exploiting an authentication vulnerability in telnet, of all things! In Solaris (SunOS 5.10 and 5.11), you must know, there is no need to actually possess the password of a telnet user. All you need to do to get a shell with the privileges of the user "adm" is:

SomeLinux$ telnet -l "-fadm" my.poor.sun.isp.net

The same would work for root, but luckily the default installation of Solaris does not allow remote root logins via telnet. Not only is this an ages-old type of vulnerability, it has been reintroduced by Sun into their latest operating system. How on earth can QA miss something like that? In 1995, this type of vulnerability hit a long list of UNIX vendors (see here). Therefore, when hacking around in their telnetd implementation, I would expect that at least someone would check whether the new feature they are implementing might be a very bad idea indeed.
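To make the pattern above detectable rather than just quotable, here is an added example (not code from the original post) that decodes the telnet NEW-ENVIRON option (RFC 1572) from the client side of a session and flags a USER variable whose value begins with "-". That is exactly what a client's -l option transmits, and what the vulnerable in.telnetd forwarded onto login's command line, where it was read as the -f (pre-authenticated) option. The function names, the OLD/NEW-ENVIRON handling and the sample byte streams are all mine; the sessions are constructed, not captured traffic.

```python
"""Detector for the Solaris telnetd "-f" login bypass discussed above.

Added example, not code from the original post. It walks the client side
of a telnet byte stream (RFC 854 framing) and decodes NEW-ENVIRON
suboptions (RFC 1572): a USER value starting with "-" is what
`telnet -l "-fadm"` sends. All sessions below are constructed.
"""

IAC, SB, SE = 255, 250, 240                 # RFC 854 command bytes
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEW_ENVIRON, OLD_ENVIRON = 39, 36          # both use the RFC 1572 encoding
IS, INFO = 0, 2                            # suboption commands carrying values
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3      # RFC 1572 type codes


def iter_suboptions(stream: bytes):
    """Yield (option, payload) per IAC SB <opt> ... IAC SE; unescape IAC IAC."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:                       # IAC IAC, NOP, WILL/WONT/DO/DONT ...
            i += 3 if cmd in (WILL, WONT, DO, DONT) else 2
            continue
        if i + 2 >= n:
            break                           # truncated IAC SB at end of stream
        option, j, payload = stream[i + 2], i + 3, bytearray()
        while j < n:
            b = stream[j]
            if b != IAC:
                payload.append(b)
                j += 1
            elif j + 1 < n and stream[j + 1] == IAC:
                payload.append(IAC)         # escaped data byte
                j += 2
            else:                           # IAC SE closes the suboption; any
                j += 2                      # other IAC <x> here is malformed
                break                       # and is treated as the end too
        yield option, bytes(payload)
        i = j


def parse_environ(payload: bytes) -> dict:
    """Decode an IS/INFO ENVIRON payload into {name: value}. VAR and USERVAR
    both count; a variable without VALUE maps to None; ESC quotes type codes."""
    if not payload or payload[0] not in (IS, INFO):
        return {}                           # SEND requests carry no values
    fields, i = [], 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR, VALUE):
            fields.append([b, bytearray()])  # start a new name or value field
            i += 1
            continue
        if b == ESC and i + 1 < len(payload):
            i += 1                          # next byte is literal data
            b = payload[i]
        if fields:
            fields[-1][1].append(b)
        i += 1
    env, name = {}, None
    for kind, data in fields:
        text = data.decode("latin-1")
        if kind != VALUE:
            name = text
            env[name] = None                # a VALUE may follow and overwrite
        elif name is not None:
            env[name] = text
            name = None
    return env


def find_login_bypass(stream: bytes) -> list:
    """Return [(name, value)] for every USER value that begins with '-'."""
    hits = []
    for option, payload in iter_suboptions(stream):
        if option in (NEW_ENVIRON, OLD_ENVIRON):
            for name, value in parse_environ(payload).items():
                if name == "USER" and value and value.startswith("-"):
                    hits.append((name, value))
    return hits


def build_environ_is(variables: dict) -> bytes:
    """Encode {name: value} as a client IS reply (used to build the samples)."""
    body = bytearray([IS])
    for name, value in variables.items():
        for kind, text in ((VAR, name), (VALUE, value)):
            body.append(kind)
            for b in text.encode("latin-1"):
                if b in (VAR, VALUE, ESC, USERVAR):
                    body.append(ESC)        # quote type codes inside data
                body.append(b)
    body = body.replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes([IAC, SB, NEW_ENVIRON]) + bytes(body) + bytes([IAC, SE])


# Constructed sample sessions: a normal login and the bypass pattern.
BENIGN_SESSION = bytes([IAC, WILL, NEW_ENVIRON]) + build_environ_is({"USER": "alice", "TERM": "vt100"})
SUSPECT_SESSION = bytes([IAC, WILL, NEW_ENVIRON]) + build_environ_is({"USER": "-fadm"})
```

Running find_login_bypass over BENIGN_SESSION yields an empty list, while SUSPECT_SESSION yields [("USER", "-fadm")]. The same check applied to telnetd's own debug output or to the USER value on login's command line would catch the pattern on the server side; on the network it only works while the session is still in option negotiation, before any data bytes, which is precisely where this bypass lives.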

But Sun just picks up where Cisco is leading the pack right now. Let's take a look at a few of their recent publications:

cisco-sa-20070228-nam
NAMs communicate with the Catalyst system by using the Simple Network Management Protocol (SNMP). By spoofing the SNMP communication between the Catalyst system and the NAM an attacker may obtain complete control of the Catalyst system.

cisco-sa-20070214-pix
Multiple vulnerabilities are found in Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances. They affect the following: Enhanced inspection of Malformed Hypertext Transfer Protocol (HTTP) traffic, Inspection of malformed Session Initiation Protocol (SIP) packets, Inspection of a stream of malformed Transmission Control Protocol (TCP) packets [...]

cisco-sa-20070213-iosips
The Intrusion Prevention System (IPS) feature set of Cisco IOS® contains several vulnerabilities. These include: Fragmented IP packets may be used to evade signature inspection, IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service.

cisco-sa-20070124-crafted-tcp
The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

cisco-sa-20070124-crafted-ip-option
Cisco routers and switches running Cisco IOS® or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header.

cisco-sa-20070118-certs
The Cisco Security Monitoring, Analysis and Response System (CS-MARS) and the Cisco Adaptive Security Device Manager (ASDM) do not validate the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates or Secure Shell (SSH) public keys presented by devices they are configured to connect to.

cisco-sa-20070105-csacs
Certain versions of Cisco Secure Access Control Server (ACS) for Windows and the Cisco Secure ACS Solution Engine (hereafter both referred to as purely Cisco Secure ACS) are affected by multiple vulnerabilities that cause specific Cisco Secure services to crash. Two of the vulnerabilities may permit arbitrary code execution after exploitation of the specified vulnerability.

cisco-sa-20061025-csa
Cisco Security Agent (CSA) for Linux contains a denial of service vulnerability involving port scans. By performing a port scan against a system running a vulnerable version of CSA, it is possible to cause the system to become unresponsive. Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS) ship with a vulnerable CSA version.

I'm sorry this list gets so long, but I'm really trying to focus on just the glaringly silly ones. To sum it up, Cisco's security software and appliances crash when presented with port scans or intentionally malformed packets. Duh! Hello Cisco! These are the devices your customers are paying a lot of money for to protect them against the exact threats the devices themselves are vulnerable to! And a security monitoring, analysis and response system that doesn't even validate any SSL certificate or SSH key? What exactly did your QA test under the functionality topic of authentication? Something along the lines of: "I logged in - check."?

At least the picture is consistent. Sun, shipping UNIX since 1982, reintroduces a vulnerability type that was considered extinct for more than a decade. Cisco, shipping IP routers since 1987, notices in 2007 that they still don't know how to correctly parse IPv4 options in a ping packet, even with their latest and greatest IOS XR.

So far, there has been no provable relation between a company's turnover, stock price and market share and its security track record. The only exception is, of course, Microsoft. I wonder if that's what is really needed to make the other big ones understand the enormous responsibility they have, given the sheer amount of today's daily-life functionality that depends on their code. After all, when looking at professional and social life on today's Internet, it is indeed 2007 and not the 90s. Turn off all Cisco equipment on the Internet and try to do your daily job - it might get a little bit more difficult than usual.


Posted by FX | Permanent link | File under: rants