[ISN] Patching the Net's Fatal Flaws

From: InfoSec News (isnat_private)
Date: Thu Feb 21 2002 - 01:53:29 PST

    Forwarded from: bob <bobat_private>
    
    http://www.businessweek.com/bwdaily/dnflash/feb2002/nf20020220_5030.htm
    
    FEBRUARY 20, 2002
    SECURITY NET
    By Alex Salkever
    
    Patching the Net's Fatal Flaws
    
    Recent research finds major holes in one of the Web's basic protocols.
    And if they aren't fixed, the consequences could be devastating
    
    Before the Web, computer viruses depended on the lowly floppy disk as
    their main means of transmission. Now, thanks to widespread broadband
    connectivity, computer viruses can blossom into huge epidemics in no
    time, crashing networks and overwhelming IT staffs. So-called "worms"
    clog the Net with random scans, searching for vulnerable systems to
    corrupt or co-opt, tearing across the digital landscape in a matter of
    days or even hours. "Code Red" spread this way, scanning directly for
    vulnerable Web servers and defacing the pages it found. Its successor,
    "Nimda," was a more insidious hybrid, using e-mail and open file
    shares as well as direct scans to carry its bandwidth-hogging payload
    and tamper with files on the machines it reached.
    
    So far, the scope of most of these attacks has been rather limited.
    That's not to say large chunks of the computing world haven't been
    affected. The "Love Bug" virus hit machines running Microsoft e-mail
    clients, potentially targeting 95% of the world's desktop computers.
    The "Ramen" worm tagged thousands of computers running Linux. The
    "Code Red" worm affected Microsoft's widely installed IIS Web-server
    software. But in the grand scope of the Net, these attacks and most
    others cut a relatively confined swathe.
    
    That reality may have changed on Feb. 12, when Oulu University's
    Secure Programming Group in Finland published a paper outlining major
    flaws in implementations of the Simple Network Management Protocol.
    SNMP is the protocol administrators use to monitor and configure
    routers, switches, servers and other networked devices: each device
    runs an agent that answers queries and accepts settings, exchanged as
    compactly encoded messages over UDP.
    
    PERILS OF UBIQUITY.  It's also one of the most widely deployed
    management protocols. You can find it on diverse operating systems and
    classes of devices, from Dell desktops to Cisco routers to Sun
    workstations. "You
    look at SNMP, and it's ubiquitous. It's on backbone routers. It's on
    switches. It's on desktops. It's on servers. It's on every single
    platform," says Stuart McClure, president and chief technology officer
    of security consultancy and software company Foundstone.
    
    That ubiquity raises the specter of a massive vulnerability on the Net
    and larger questions about the relative safety of the common protocols
    that create a seamless system of data sharing. Many experts now say
    it's time to shore up these protocols and ensure they are safe. The
    alternative could be wide-ranging and extremely damaging Internet
    attacks in the future. "We need to do this with all protocols. We also
    need to establish some sort of standardization which tells management
    quickly and simply whether or not they are employing any obviously
    insecure protocols," says Russ Cooper, an engineer with
    computer-security provider TruSecure and an expert on Microsoft NT
    security issues.
    
    SNMP is only one of a handful of ubiquitous protocols. Others include
    TCP/IP, the basic addressing and transport protocols that let
    computers send and receive information over the Net, and UDP, the
    lightweight, connectionless transport that SNMP itself rides on. These
    protocols are designed to work across platforms. Whether you use a Mac
    or an IBM mainframe, TCP/IP is pretty much standard.
    
    DROP THE NET?  Most of these protocols are based on architectures from
    the early days of the Internet, when security was hardly a concern
    amongst the small community of scientists and academicians that
    peopled the early Internet. Since they were designed more to facilitate
    communication than maximize security, critics have long held that
    these protocols are the soft underbelly of the Net.
    
    That was precisely the assumption of the Oulu University group when
    they set out on a project to poke holes in these standards.
    Naturally, they decided to take a whack at SNMP. Rather than flooding
    devices with traffic, they built a test suite of thousands of
    deliberately malformed SNMP messages, with corrupted encodings, bogus
    length fields and out-of-range values that no well-behaved network
    would ever send, and fed them to 12 separate Internet devices.
    
    Not a single one of the devices emerged unscathed. The researchers
    were able to crash or hang them and, in some cases, break into them
    and remotely take control of the devices.
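    The test method above, as an added example that is not part of the
    article or of the Oulu group's own PROTOS test suite: a minimal SNMPv1
    GetRequest encoder in Python, a BER decoder that checks every length
    field against the bytes actually present, and a one-line PROTOS-style
    mutation that lies about a length. The decoder, the function names and
    the sample request are this example's own constructions; the message
    layout follows RFC 1157. Running it with a well-formed request and
    then with the same request after its community-string length byte is
    forged shows the difference between a decoder that trusts the wire
    and one that does not.

```python
# Added example (not from the article or OUSPG's PROTOS suite): a tiny SNMPv1
# GetRequest encoder and a BER decoder that validates every length field.
class BERError(ValueError): pass

def tlv(tag, content):                 # short-form length only (content < 128 bytes)
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def encode_int(v):                     # INTEGER, two's complement
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def encode_oid(dotted):                # OBJECT IDENTIFIER, base-128 arcs
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for n in arcs[2:]:
        groups = [n & 0x7F]
        while n > 0x7F:
            n >>= 7
            groups.insert(0, 0x80 | (n & 0x7F))
        out += bytes(groups)
    return tlv(0x06, bytes(out))

def snmpv1_get(community, oid, request_id=1):
    """Well-formed SNMPv1 GetRequest for one OID (value NULL)."""
    varbinds = tlv(0x30, tlv(0x30, encode_oid(oid) + tlv(0x05, b"")))
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos, end, want=None):
    """One TLV header in buf[pos:end] -> (tag, content_start, content_end)."""
    if end - pos < 2:
        raise BERError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if want is not None and tag != want:
        raise BERError("expected tag 0x%02X, got 0x%02X" % (want, tag))
    if first < 0x80:
        length = first
    else:                              # long form: first & 0x7F = number of length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or end - pos < nbytes:
            raise BERError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if length > end - pos:             # the check a crashable decoder omits
        raise BERError("length %d exceeds %d bytes left" % (length, end - pos))
    return tag, pos, pos + length

def decode_int(b):
    if not 1 <= len(b) <= 4:           # SNMPv1 INTEGER is 32-bit
        raise BERError("bad INTEGER length")
    return int.from_bytes(b, "big", signed=True)

def decode_oid(b):
    if not b:
        raise BERError("empty OID")
    arcs = [2, b[0] - 80] if b[0] >= 80 else [b[0] // 40, b[0] % 40]
    val, pending = 0, False
    for byte in b[1:]:
        val, pending = (val << 7) | (byte & 0x7F), bool(byte & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise BERError("OID ends mid sub-identifier")
    return ".".join(map(str, arcs))

def parse_snmpv1(msg):
    """Decode a Get/GetNext/Response/Set message; raise BERError if malformed."""
    _, s, e = read_tlv(msg, 0, len(msg), 0x30)
    _, vs, ve = read_tlv(msg, s, e, 0x02)
    if decode_int(msg[vs:ve]) != 0:
        raise BERError("not SNMPv1")
    _, cs, ce = read_tlv(msg, ve, e, 0x04)
    pdu, ps, pe = read_tlv(msg, ce, e)
    if pdu not in (0xA0, 0xA1, 0xA2, 0xA3):
        raise BERError("unsupported PDU 0x%02X" % pdu)
    ints, pos = [], ps
    for _field in range(3):            # request-id, error-status, error-index
        _, fs, fe = read_tlv(msg, pos, pe, 0x02)
        ints.append(decode_int(msg[fs:fe]))
        pos = fe
    _, ls, le = read_tlv(msg, pos, pe, 0x30)
    varbinds, pos = [], ls
    while pos < le:
        _, bs, be = read_tlv(msg, pos, le, 0x30)
        _, os_, oe = read_tlv(msg, bs, be, 0x06)
        vtag, vs_, ve_ = read_tlv(msg, oe, be)
        varbinds.append((decode_oid(msg[os_:oe]), vtag, bytes(msg[vs_:ve_])))
        pos = be
    return {"community": bytes(msg[cs:ce]), "pdu": pdu, "request_id": ints[0], "varbinds": varbinds}

def validate(msg):                     # None if well-formed, else why it was rejected
    try:
        parse_snmpv1(msg)
    except BERError as exc:
        return str(exc)

def forge_length(msg, offset, claimed):    # PROTOS-style: lie about one length byte
    return msg[:offset] + bytes([claimed]) + msg[offset + 1:]
```

    For a request shorter than 128 bytes the layout is 30 LL 02 01 00 04
    LL ..., so offset 6 is the community string's length byte;
    forge_length(snmpv1_get("public", "1.3.6.1.2.1.1.1.0"), 6, 0x7F)
    produces a message whose community claims 127 bytes that do not
    exist, and validate() reports the length as exceeding the bytes
    left. In a C decoder the unchecked case is an out-of-bounds read or a
    bad copy length; a trusting Python decoder would silently slice past
    the end and parse garbage, which masks the bug rather than fixing it.
    That is why the check is on the claimed length, not on whatever a
    slice happens to return.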
    
    The implications of these findings are staggering. While the test
    group only represented a small sample of the thousands of types of
    systems that connect to the Net, the results implied that SNMP
    weakness might well be as ubiquitous as the protocol itself. "It
    affects hundreds of different types of computers and network
    equipment. A large-scale attack against this vulnerability could drop
    the Internet," says Bruce Schneier, chief technology officer of
    Counterpane Internet Security.
    
    SPINAL TAP.  Others see a possible outcome nearly as chilling were
    someone to use the SNMP weakness to take control of the backbone
    routers that guide the huge flow of data over fiber-optic networks.
    They could then theoretically direct masses of data into black holes,
    or redirect surfers to some other site instead of their intended
    target.
    
    "Once you actually control a piece of the infrastructure, you have
    quite a bit more capability and power. No longer are you limited to
    controlling a single host. You can take an entire worldwide enterprise
    off the network," says Craig Labovitz, director of network
    architecture at Arbor Networks, a Waltham, Mass., company that builds
    equipment to stop the "Denial of Service"  attacks that can cut off
    public access to Web sites under an avalanche of bogus data requests.
    
    Ironically, vendors have known that SNMP implementations were not safe
    since last summer. The release of the Oulu paper, however, sealed any
    doubts about the urgency of creating patches for SNMP on various
    platforms and software systems. Currently vendors and IT staffs alike
    are scrambling to make sure that their networks are SNMP safe, top to
    bottom: patching where fixes exist, turning SNMP off on devices that
    don't need it, and blocking SNMP's UDP ports 161 and 162 from
    untrusted networks. Vendors have been pretty good about supplying
    patches for the SNMP hole since the research results were announced
    on Feb. 12. Still, they didn't seem so concerned last summer.
    
    FOUNDATION OF SAND.  So far, the fallout has been minimal. Major
    attacks using the SNMP hole have failed to materialize. That doesn't
    mean they won't happen, though. In fact, the National Infrastructure
    Protection Center and the CERT Coordination Center, two of the premier
    Federally-funded computer-security watchdogs, are already warning
    about automated software tools that prey on the SNMP hole, now that
    the Oulu test suite itself is publicly available.
    
    That might be jumping the gun. But vendors and network engineers had
    better address this problem -- and soon. If they don't, these cracks
    in the foundations of Net architecture could indeed bring the whole
    structure down.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    


