Phenoelit Advisory

[ Authors ]

FX
kim0

Phenoelit Group (http://www.phenoelit.de)
http://www.phenoelit.de/stuff/Lucent_Brick.txt

[ Affected Products ]

Lucent LSMS 5.5 (Lucent Brick, Bridging VPN Firewall)

Lucent Bug ID: Not assigned

[ Vendor communication ]

06/28/02  Reply to inquiry regarding "who to notify"
06/29/02  Initial notification to Brick team
          *Note: initial notification by Phenoelit includes a cc to cert@cert.org by default
07/02/02  Ack. of receipt by Lucent Brick team
07/06/02  Weekly follow-up by central POC at Lucent (Right on Time)
07/08/02  Additional tech discussions
07/19/02  Notification of intent to post publicly in approx. 7 days.
07/25/02  Notification that due to personnel changes at Lucent, our POC has changed. The new person is supposed to be contacting us...

[ Overview ]

The Lucent Brick VPN Firewall is a layer 2, NCSA, US Army, and US National Security Agency (NSA) Approved/Certified Firewall that operates on Inferno, an embedded operating system. "Brick" devices come in many sizes, from the SOHO Brick 20 to the Enterprise 1000 (GiG).

[ Description ]

The Brick suffers from several design failures in its handling of the ARP protocol.

1. It is possible to interrupt any connection between the Brick and critical devices such as the LSMS (Brick Management Server) by binding the IP address of the device in question to the attacker's interface and "pinging" the Brick or any address behind it. The Brick will immediately update its ARP cache and drop the connection, no matter where the attacker is located (internal/outside segment). This requires the "Floating MAC" setting to be turned on.

2. The Brick will forward any ARP request and response across all interfaces, regardless of the existing firewall rules.

3. All Bricks are identifiable during reconnaissance using the most basic of techniques (pinging all addresses in the segment). The device that sends ARP requests for the attacker's IP address is the Brick.

[ Example ]

    1. # man ping
    2. # man arp
    3. # for i in `cat ipaddresses.txt`; do ping $i; done

[ Solution ]

None known at this time.

[ end of file ]
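
Added example, not part of the Phenoelit advisory: a defender-side check for issue 1 in the Description, flagging ARP frames that claim a pinned management IP (such as the LSMS) from a MAC other than the expected one. The line format follows `tcpdump -e -n arp` output; the addresses, the `PINNED` table and the function name are constructed assumptions.

```python
import re

# Matches ARP request/reply lines in the style printed by `tcpdump -e -n arp`.
ARP_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype ARP .*?: "
    r"(?:Request who-has \S+(?: \(\S+\))? tell (?P<req_ip>[\d.]+)"
    r"|Reply (?P<rep_ip>[\d.]+) is-at (?P<rep_mac>[0-9a-f:]{17}))",
    re.IGNORECASE,
)

def find_conflicts(lines, pinned):
    """Return (timestamp, ip, expected_mac, seen_mac) for every ARP frame that
    claims a pinned IP from a MAC other than the pinned one."""
    alerts = []
    for line in lines:
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # not an ARP request/reply line
        ip = m["req_ip"] or m["rep_ip"]  # the IP the sender claims to own
        expected = pinned.get(ip)
        if expected is None:
            continue  # sender IP is not one we pin
        # Check the Ethernet source and, for replies, the advertised is-at MAC.
        seen = {m["src"].lower(), (m["rep_mac"] or m["src"]).lower()}
        for mac in sorted(seen - {expected.lower()}):
            alerts.append((m["ts"], ip, expected.lower(), mac))
    return alerts

# Constructed values from documentation ranges, not taken from the advisory.
PINNED = {"192.0.2.10": "00:00:5e:00:53:0a"}  # assumed LSMS address and MAC
SAMPLE = """\
10:00:01.000000 00:00:5e:00:53:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.10, length 28
10:00:02.000000 00:00:5e:00:53:20 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.20, length 28
10:00:09.000000 00:00:5e:00:53:66 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.10, length 28
10:00:09.100000 00:00:5e:00:53:66 > 00:00:5e:00:53:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.10 is-at 00:00:5e:00:53:66, length 28
""".splitlines()

if __name__ == "__main__":
    for ts, ip, want, got in find_conflicts(SAMPLE, PINNED):
        print(f"{ts} ALERT {ip} expected {want} but seen from {got}")
```

Because the Brick forwards ARP across all interfaces (issue 2), a capture point on any attached segment should see the conflicting frame.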