Topic: Foundry Networks ServerIron (and possibly other Foundry products) have extremely poor TCP/IP sequence predictability Version: 5.1.10T12 (tested) and probably other versions including 6.0 (untested) Severity: High without workarounds Abstract ======== Foundry Networks sell a range of layer 2-7 switches, "ServerIron" and closely related products "BigIron", "FastIron II", "TurboIron", "FastIron Workgroup", "FastIron Backbone", and "NetIron". The main use for ServerIrons is to sit in front of one or more hosts and provide scalable, fault tolerant service, such as SMTP or DNS by faking IP addresses and distributing load among a farm of servers. The vulnerability is the ServerIron's management IP address exposes the ServerIron's rather poor TCP/IP implementation. The nmap rating for sequence predictability is "0 - trivial joke". An "early" paper on this issue dates back to 1985 (Morris [4]), and is the subject of a five year old CERT advisory [5]. With common IP spoofing/hijacking tools like "hunt", it is possible to craft an easy DoS; a more determined attacker can use commonly known techniques [1] to spoof or hijack sessions. Technical Details ================= The ServerIron management address exposes telnet and snmp access, and starting with version 6.0 of the firmware, a web management interface on port 80. Regardless of the security concerns posed by clear text management protocols, the management IP stack is poorly implemented. In fact, the increase in sequence numbering is not RFC compliant ([2],[3]) - even though the initial RFC [2] has inherently predictable ISN and not a desirable implementation. The ISS is incremented by 1 for each connection, and is thus easily spoofable and hijackable. The predictability exposes sideband information about when the switch is being used by other (possibly legitimate) users. The faked IP addresses have the predictability of the hosts behind the switch. For example, if the ServerIron is hosting an IP address w.x.y.z pointing to a farm of Linux 2.2.10 servers, the ISN predictability of IP address w.x.y.z is that of Linux 2.2.10. Solutions and Workarounds ========================= No solutions available as yet. Work around: Filter off telnet, http and SNMP access to the Foundry devices to only those management IP addresses you trust; or better yet, disable SNMP and the web interface (6.0 firmware), and completely filter off telnet access. Remote management access is then only available via serial console (which is hopefully secured from unauthorized access). Vendor contacted: Yes ===================== Sent first message: 3 Feb 2000 Reply received: 4 Feb 2000 Incident "closed": 8 Feb 2000 Sent offer to add to this advisory: 24 February 2000 Foundry Networks believes this issue to be a feature request and will address the issue in a forthcoming version (undisclosed version or timeline). >From the support person closing the incident: Since this is a request for a change in our current functionality, we are treating it as an enhancement request. Our current policy is that these should be directed through the sales organization. Revision History ================ 2000/02/28 - First release 2000/02/22 - initial draft More Information ================ [1] Information about ISS and ISR sequence prediction Excellent article by daemon9/route/infinity http://www.signaltonoise.net/library/ipsp00f.htm [2] RFC 793: TRANSMISSION CONTROL PROTOCOL http://sunsite.cnlab-switch.ch/ftp/doc/standard/rfc/7xx/793 [3] RFC 1948: Defending Against Sequence Number Attacks http://sunsite.cnlab-switch.ch/ftp/doc/standard/rfc/19xx/1948 [4] R.T. Morris, "A Weakness in the 4.2BSD UNIX TCP/IP Software", CSTR 117, 1985, AT&T Bell Laboratories, Murray Hill, NJ. [5] A 1995 CERT advisory, cites a 1989 paper by Morris based on his 1985 work http://www.cert.org/advisories/CA-5.01.IP.spoofing.attacks.and.hijacked.term inal.connections.html [6] Information about the hardware concerned: http://www.foundrynet.com/serverironspec.html Andrew van der Stock, Security Architect e-Secure Pty Ltd "Secure in a Networked World" Phone: +61 2 9438 4984 Fax: +61 2 9438 4986 Suite 201, 2-4 Pacific Hwy, Mobile: +61 412 532 963 St. Leonards NSW 2065 Australia http://www.e-Secure.com.au/ ACN 086 248 419 e-mail:A.vanderStock@e-Secure.com.au
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:39 PDT