August 2008 Archives
Wed Aug 27 17:02:29 2008
Perception of Vulnerabilities
Perception is an interesting thing. Since everyone apparently has their own, it is fairly hard to arrive at a common denominator. In today's world, media is the perception softening instance that decided what people see and what not. Using the media to reach a large amount of people is intentionally shaping their perception. If your goal is to make people do something specific, this is a highly effective approach. That's what happened with DNS. Every computer security blog on the planet posted statements about Kaminsky, Halvar and the Domain Name Resolution Protocol, some even unintentionally. The global perception is: this is extremely important. People talk about it, people patch their servers with a workaround and people think about the Internet's safety. Dan has accomplished his mission.
The Kaminsky DNS attack is definitively regarded as the most important vulnerability this year. This, I find highly interesting , as we have seen two other gigantic security failures already in 2008. Debian's NRNG (non-random number generator) is most certainly one of them. But honestly, raise your hands if you have even noticed SNMPv3. Anyone? I give you the quickest of run-downs:
- SNMPv3 uses HMACs over secret keys for authentication.
- The packet can carry a shortened HMAC for [fill in silly performance statement here] reasons.
- Most implementations implement their HMAC
match check as:
memcmp( myHMACbuffer, packetHMACbuffer, packetHMAClength )
- If "packetHMAClength" == 1, brute force requires 256 UDP packets.
What can an attacker do with this? SNMPv3 is used to manage routers - the routers that forward all your traffic around the world, including your DNS queries. Managing a router means being able to configure it; a.k.a. super user access. Attackers who can configure a router in your path can redirect everything, without you knowing, not just traffic that relies on name resolution.
We have been working with a customer on a security issue scoring system, to help level perceptions. We started off with CVSS, which deserves its own post some time. Let's just say we didn't stay with it very long. When you compare the three big vulnerabilities this year, here are the CVSS scores according to the National Vulnerability Database at NIST:
- Kaminsky's DNS: 9.4 (AV:N/AC:L/Au:N/C:N/I:C/A:C)
SNMPv3: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)(see below)
- Debian NRNG: 7.8 (High) (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Interesting to note. So being able to own the entire infrastructure is less important than breaking the SSL certificates of banks, being less important than poisoning DNS. Is that the case, or just the perception?
What I am looking forward to is the hard factual data we will see in the penetration tests and incidents to come over the course of the next year (assumed there is not another disaster). It will tell us, what systems actually got patched to which extend. I don't expect to find many vulnerable Debian keys, I do expect to find many routers ownable by SNMPv3 and I have no idea about the DNS thing yet.
On a final side note, it was wonderful to sit down with Dan on the day he went public, drink German beer in Seattle and discuss this very topic of vulnerability perception (and by the way, he didn't tell me any details, not even after the beers). Dan tried something unprecedented with the way he handled this, a very brave thing to do. May history be a fair judge, the media won't be it.
The people over at NVD/NIST seem to have noticed that owning routers is potentially more dangerous than they initially thought. Accordingly, SNMPv3 got upgraded to a CVSS v2 score of 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C). Well done.