From hellnbak@nmrc.org Sat Mar 23 01:19:27 2002
From: hellNbak
To: vulnwatch@vulnwatch.org
Date: Wed, 20 Mar 2002 18:00:45 -0500 (EST)
Subject: [VulnWatch] NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia Appliances

_______________________________________________________________________________

I N F O R M A T I O N   A N A R C H Y   2 K 0 2
www.nmrc.org/InfoAnarchy

Nomad Mobile Research Centre   A D V I S O R Y   www.nmrc.org
hellNBak (hellnbak@nmrc.org)   19 March 2002
_______________________________________________________________________________

Platforms   : Nokia Appliances
Application : RealSecure Network Intrusion Detection (NIDS) Version 6.0
Severity    : Medium

Synopsis
--------

This advisory documents an issue when using RealSecure NIDS on Nokia appliances. It seems that during development a test system named "starscream" and a test user "skank" were used, since they were left behind in the IPSO image in the ISS.ACCESS file as a KeyManager. There is the potential that this information, depending on the configuration of the NIDS, can be used to push new pubkey files to the sensor, and to reconfigure or take control of the NIDS daemon and daemon components.

Details
-------

When you install RealSecure on any platform a file named ISS.ACCESS is created and used for various configuration settings, including the following lines:

--ISS Access 6.0--
[\];
[\Roles];
[\Roles\KeyAdministrator\];
[\Roles\KeyAdministrator\machinename_username\];
[\Roles\KeyAdministrato\starscream_skank\];
[\Roles\MasterStatusManager\];

The Roles\KeyAdministrator line is used to determine the machine name and username of what ISS calls the KeyAdministrator. This user has the ability to manage the keys used when communicating with the daemon. This line is added during installation, but the second line, \starscream_skank, is present in the IPSO as a "default". This does not exist on any other platform or in the HIDS RealSecure product.
The vulnerability lies in the fact that as a KeyAdministrator you essentially can control the functions of the daemon, including what events it monitors for and how it alerts. It is important to understand that this is only possible if RealSecure is configured to rely on the console system to push the necessary public keys to it, which is the default method of installation. If the Nokia Voyager web applet is used to install this IPSO you do not have the option to turn on authentication. Authentication in this case means that the administrator must, via sneakernet or other secure channels, manually copy the necessary keys to the sensor.

Mitigating Factors
------------------

The RealSecure NIDS sensor listens on two TCP ports: TCP-2998 is used to control the daemon, while TCP-901 is used to monitor events. Obviously, you do not want to allow these ports to pass through your firewall. In an ideal situation, the NIDS sensor should have a shadow interface enabled to monitor and only communicate back to the console via a private management network that is not accessible by any other devices. It is also a good idea to not allow the NIDS sensor to accept new public keys directly from a console, but only when they are copied manually to the system.

Tested configurations
---------------------

RealSecure 6.0 was tested; it is unknown if other versions are affected. ISS is aware of the issue and has removed this line from version 6.5. The version of Nokia software does not make a difference, although this does not exist on any other platform such as Windows NT or Solaris.

Vendor Response
---------------

Thanks to Ring Zero for taking this one to the vendor for me. Here is a portion of the email received back from ISS.
---------- Forwarded message ----------
Date: Wed, 20 Mar 2002 12:22:05 -0500
From: "Lamb, Kris (ISS Atlanta)"
To: 'Ring Zero'
Subject: RE: Anomaly in RealSecure

As far as the starscream_skank, that was a QA box from the product development team that was accidentally left in the iss.access when IPSO shipped. We have already addressed this with Support and all customers have been notified to remove that entry. It was removed in IPSO 6.5.
-----------------------------------------

Solution/Workaround
-------------------

If you are running RealSecure version 6.0 and below you need to simply stop the NIDS daemon, edit the ISS.ACCESS file and remove the following line:

[\Roles\KeyAdministrato\starscream_skank\];

If you installed the IPSO manually and turned on authentication you are unaffected, but should probably remove the line anyway.

Comments/Rants
--------------

No NMRC advisory, let alone one written by me, would be complete without some sort of rant, so here it goes:

Responsible Disclosure and the IETF: I applaud Chris Wysopal and Steve Christey for their efforts in attempting to bring a standard to vulnerability disclosure. I may not have agreed with the entire document, but at least these two guys were willing to take input from the community as a whole. I hope the standard finds a home and eventually evolves into something acceptable to the research community as a whole. Trust me folks -- we do not want government, or any vendor, to do this for us. Too bad the IETF doesn't have the balls or brains to deal with this issue.

ISS: While their products could use some improvement, especially when attempting to implement them in a large mixed environment, I am impressed with the level of cooperation and support being offered by ISS. I take back most of the bad things I have ever said about you........ :-)

Greetz
------

Thanks to Ring Zero for bringing this issue to the attention of ISS.
Copyright
---------

This advisory is Copyright (c) 2002 NMRC - feel free to distribute it without edits, but fear us if you use this advisory in any type of commercial endeavour.

To be posted on: NMRC.ORG web site, VulnWatch, and Bugtraq
_______________________________________________________________________________

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak@nmrc.org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From hellnbak@nmrc.org Sat Mar 23 01:19:42 2002
From: hellNbak
To: Vulnwatch@vulnwatch.org
Cc: bugtraq@securityfocus.com
Date: Thu, 21 Mar 2002 05:19:10 -0500 (EST)
Subject: [VulnWatch] Re: NMRC Advisory - KeyManager Issue in ISS RealSecure

Sorry for the added traffic, but there was a typo in the original advisory. The offending line in the ISS.ACCESS file should have looked like this:

[\Roles\KeyAdministrator\starscream_skank\];

I dropped the r. my bad...

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak@nmrc.org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

---------- Forwarded message ----------
Date: Wed, 20 Mar 2002 18:32:40 -0500 (EST)
From: weasel@www.nmrc.org
To: hellNbak
Cc: nmrcfolk@nmrc.org
Subject: Re: NMRC Advisory - KeyManager Issue in IS

> [\Roles\KeyAdministrato\starscream_skank\];

Did you commit a typo and leave an 'r' out of "KeyAdministrator"? If not, does the incomplete role name in fact break the possibility of exploit?

From CRouland@iss.net Sat Mar 23 01:20:54 2002
From: "Rouland, Chris (ISSAtlanta)"
To: Bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, focus-ids@securityfocus.com
Date: Thu, 21 Mar 2002 10:18:45 -0500
Subject: RE: NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia Appliances

This is a known flaw in RealSecure Network Sensor 6.0 build 6.0.2001.141 for Nokia IPSO.
It was corrected early this year in build 6.0.2001.141d for IPSO. This flaw is not remotely exploitable. Root privileges are required to obtain public keys from the sensor to allow an initial console connection. NMRC has not been able to confirm that they are able to exploit this flaw. ISS notified users of the 6.0 IPSO sensor in February, and this issue has been documented in our public knowledgebase since February 6, 2002.

---
Knowledgebase Article
February 6, 2002

Improper Default Entry in iss.access file for RealSecure for Nokia 6.0

HOW BIG IS THE RISK?

An administrator could grant escalated privileges to a console, allowing key administrator rights without specifically granting that right.
An attacker would need root access to the appliance, or would need assistance from an established key administrator, to exploit this vulnerability.
This only affects RealSecure for Nokia.
This is a low risk vulnerability.

WHAT IS THE VULNERABILITY?

There is a pre-defined Key Administrator included in the iss.access file, starscream_skank, installed by default in RealSecure for Nokia 6.0. An attacker would need a RealSecure 6.0 Console, set up using the machine name of starscream and the user name of skank, to generate the correct public encryption keys. The attacker would then need root access to the Nokia Sensor in order to transfer the public keys from the Console to the Sensor's /Keys directory, to allow the initial Console connection. The attacker could then copy files to the Sensor's /Keys directory, using the RealSecure Console. Since this vulnerability can only be used in conjunction with root access to the Sensor, its threat level is assessed by Internet Security Systems as very low.

WHAT SYSTEMS ARE AT RISK?
Only Nokia IPSO systems running RealSecure for Nokia 6.0, build 6.0.2001.141.
No other RealSecure Sensors are affected.

RECOMMENDATIONS

The work-around is to remove the Key Administrator designation, starscream_skank, from the list of Key Administrators for RealSecure for Nokia 6.0 Sensors which were installed using build 6.0.2001.141. This build has been replaced with build 6.0.2001.141d, available for download here:
https://www.iss.net/cgi-bin/download/customer/customer-select.cgi

ADDITIONAL INFORMATION

For additional information concerning this vulnerability, contact ISS Technical Support at support@iss.net or 888-447-4861.

COMMENTS:

ISS received no notice of a security advisory from NMRC. In responsible vulnerability disclosure, the vendor works with the researcher to confirm fix availability (since Feb 02 in this case), edit the advisory for technical content and typographic errors, and to confirm exploitation of the flaw (unconfirmed). The only correspondence from NMRC follows (thread is, NMRC is looking for keys to 2 very old versions of RealSecure to find holes in it, and we are attempting to assist). Our current shipping version of RealSecure is 6.5, so the legitimate value of researching RealSecure 3.0 and 5.0 for flaws is questionable as well.

-----Original Message-----
From: Ring Zero [mailto:ringzero@www.nmrc.org]
Sent: Wednesday, March 20, 2002 12:18 PM
To: Lamb, Kris (ISS Atlanta)
Cc: 'Phuzzy L0gik'; 'Simple Nomad'
Subject: RE: Anomaly in RealSecure

Hello Kris,

Sorry it's been so long. I found some free time to resume testing on your Real Secure product. I ran some tests on version 6 but with no luck. We need version 5.0. We found a copy of version 3.0, could you send me a key? Or perhaps somehow give me a copy of version 5.0? I've been looking for weeks now and I can't find it anywhere!

One other thing, why is [KeyManager\starscream_skank\;] installed by default on the NIDS installation for Nokia?
Thanks
RZ
--------------------------------------------------------------
Chris Rouland
Director / X-Force
Internet Security Systems, Inc.
http://xforce.iss.net
crouland@iss.net

From hellnbak@nmrc.org Sat Mar 23 01:21:21 2002
From: hellNbak
To: "Rouland, Chris (ISSAtlanta)"
Cc: nmrcfolk@nmrc.org, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, focus-ids@securityfocus.com
Date: Thu, 21 Mar 2002 13:00:19 -0500 (EST)
Subject: RE: [VulnWatch] NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia Appliances

On Thu, 21 Mar 2002, Rouland, Chris (ISSAtlanta) wrote:
>
> Please confirm that you are able to exploit this, without root access to
> the IPSO box.

Chris, if I set up my own console, why would I need root access to the IPSO box? If I simply set my machine name to starscream and my user to skank I am able to connect and push new keys generated by my console. I am unsure why you would post that "NMRC is unable to confirm that this can be exploited" without actually talking to me first. I just tested it, a second time, and yes, you can connect via the console, and root access on the Nokia box is not an issue. The console connects to the control channel and allows me to push new keys down using the deployment wizard, which then allows me to set my new console as the "master controller" and gather alerts, modify policies, etc...
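Added example, not part of the NMRC advisory, the ISS knowledgebase article, or any RealSecure tooling: a POSIX shell script that audits an ISS.ACCESS file for the leftover starscream_skank KeyAdministrator role and removes it, which is the workaround both the advisory and ISS recommend. It matches the correct role name and the one-letter-short "KeyAdministrato" form that appeared in the first advisory post, so a check copied from that post still finds the entry. The sample file is constructed to mirror the lines quoted in the advisory, with "sensorconsole_admin" standing in for a real machinename_username entry; the real file's location on the sensor and the command that stops the NIDS daemon are not given on this page, so supply your own and stop the daemon before editing the live file.

```shell
#!/bin/sh
# Added example: audit/fix for the leftover KeyAdministrator entry described
# in the NMRC advisory. Not code from the advisory, NMRC or ISS.

# Constructed sample ISS.ACCESS mirroring the lines quoted in the advisory.
# "sensorconsole_admin" is a stand-in for the real machinename_username entry.
make_sample_access() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
--ISS Access 6.0--
[\];
[\Roles];
[\Roles\KeyAdministrator\];
[\Roles\KeyAdministrator\sensorconsole_admin\];
[\Roles\KeyAdministrato\starscream_skank\];
[\Roles\MasterStatusManager\];
EOF
    printf '%s\n' "$f"
}

# A role line that grants some machine_user the KeyAdministrator role.
# "KeyAdministrator?" matches both the correct name and the "KeyAdministrato"
# spelling from the original advisory post.
KEYADMIN_RE='^\[\\Roles\\KeyAdministrator?\\[^\\]+\\];'
ROGUE_RE='^\[\\Roles\\KeyAdministrator?\\starscream_skank\\];'

# Print the machine_user of every entry holding the KeyAdministrator role,
# so an auditor can see who may push keys and reconfigure the daemon.
list_keyadmins() {
    grep -E "$KEYADMIN_RE" "$1" \
        | sed -E 's/^\[\\Roles\\KeyAdministrator?\\([^\\]+)\\];.*$/\1/'
}

# Remove the starscream_skank entry in place, keeping a .bak copy.
# Exit status: 0 entry removed, 1 nothing to remove, 2 could not rewrite.
remove_rogue_keyadmin() {
    file=$1
    grep -Eq "$ROGUE_RE" "$file" || return 1
    cp -p "$file" "$file.bak" || return 2
    tmp=$(mktemp) || return 2
    # grep -v exits 1 if it removed every line; only status > 1 is an error.
    rc=0
    grep -Ev "$ROGUE_RE" "$file" > "$tmp" || rc=$?
    if [ "$rc" -gt 1 ]; then rm -f "$tmp"; return 2; fi
    # Write through the existing file so ownership and mode are kept.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    # Confirm the rewrite took before reporting success.
    ! grep -Eq "$ROGUE_RE" "$file"
}

# On a sensor (path is an assumption; stop the NIDS daemon first):
#   remove_rogue_keyadmin /path/to/ISS.ACCESS && list_keyadmins /path/to/ISS.ACCESS
# Demo against the constructed sample:
if [ "$1" = "--demo" ]; then
    sample=$(make_sample_access)
    echo "before:"; list_keyadmins "$sample"
    remove_rogue_keyadmin "$sample" && echo "removed rogue entry"
    echo "after:"; list_keyadmins "$sample"
    rm -f "$sample" "$sample.bak"
fi
```

Run with --demo to see the before/after role list on the sample; on a real sensor, diff the .bak copy against the rewritten file before restarting the daemon, and treat any KeyAdministrator entry you did not create yourself the same way.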