Advisory: Foundry Networks ServerIron TCP/IP sequence

From: Andrew van der Stock (a.vanderstock@e-secure.com.au)
Date: Sun Feb 27 2000 - 17:20:11 PST


    Topic:	Foundry Networks ServerIron (and possibly other Foundry products)
    		have trivially predictable TCP initial sequence numbers
    Version:	5.1.10T12 (tested) and probably other versions including 6.0 (untested)
    Severity:	High without workarounds
    
    
    Abstract
    ========
    
    Foundry Networks sells a range of layer 2-7 switches: "ServerIron" and the
    closely related "BigIron", "FastIron II", "TurboIron", "FastIron Workgroup",
    "FastIron Backbone" and "NetIron". The main use of a ServerIron is to sit in
    front of one or more hosts and provide a scalable, fault tolerant service
    such as SMTP or DNS: it presents a virtual ("faked") IP address and
    distributes the load among a farm of servers.
    
    The vulnerability is that the ServerIron's management IP address exposes a
    rather poor TCP/IP implementation: its initial sequence numbers (ISNs) are
    trivially predictable. nmap rates the sequence predictability as "0 - trivial
    joke". This is an old problem: an "early" paper dates back to 1985 (Morris
    [4]), and it is the subject of a five year old CERT advisory [5].
    
    With common IP spoofing/hijacking tools such as "hunt" it is possible to
    mount an easy DoS; a more determined attacker can use well known techniques
    [1] to spoof or hijack sessions.
    
    
    Technical Details
    =================
    
    The ServerIron management address exposes telnet and SNMP access and,
    starting with version 6.0 of the firmware, a web management interface on
    port 80. Regardless of the security concerns posed by clear text management
    protocols, the management IP stack itself is poorly implemented. The way the
    sequence number is incremented complies neither with RFC 793 [2] (which
    specifies a clock-driven increment) nor with RFC 1948 [3], even though the
    RFC 793 scheme is itself inherently predictable and not a desirable
    implementation.
    
    The ISS (initial send sequence number) is incremented by 1 for each
    connection, so connections are easily spoofable and hijackable: an attacker
    who has seen one ISN knows the next one. The predictability also exposes
    sideband information: the gap between the ISNs of two probes tells an
    observer how many connections other (possibly legitimate) users opened to
    the switch in between.
    
    The virtual IP addresses served by the ServerIron have the predictability of
    the hosts behind the switch, not of the switch itself. For example, if the
    ServerIron is hosting an IP address w.x.y.z pointing to a farm of Linux
    2.2.10 servers, the ISN predictability of w.x.y.z is that of Linux 2.2.10.
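    The following Python script is an added example and is not part of the
    original advisory, nor Foundry code. It puts the preceding section into
    runnable form: a coarse classifier that sorts a list of observed ISNs into
    nmap-style classes (the class names borrow nmap's vocabulary, but the
    thresholds are illustrative choices, not nmap's algorithm), the two things a
    "+1 per connection" stack hands an attacker (the next ISN, and a count of
    other users' connections between two probes), and an RFC 1948 style
    generator, ISN = M + F(4-tuple, secret) with MD5 as F, which the classifier
    should rate as random. All ISN samples, addresses, ports and the secret are
    constructed for the example, not captured from a ServerIron.

```python
"""ISN predictability check (added example, not part of the advisory)."""
import hashlib
import statistics
from functools import reduce
from math import gcd

MOD = 1 << 32  # TCP sequence number space


def deltas(isns):
    """Successive ISN differences, modulo 2**32 (handles wrap-around)."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify(isns):
    """Coarse nmap-style verdict for ISNs from back-to-back probe connections.
    Thresholds are illustrative, not nmap's."""
    d = deltas(isns)
    if len(d) < 2:
        raise ValueError("need at least three ISNs")
    g = reduce(gcd, d)
    if g and g % 64000 == 0:
        return "64K rule"            # classic 4.2BSD-style stepping
    if len(set(d)) == 1:
        return "trivial joke"        # constant increment, e.g. +1 per connection
    if statistics.pstdev(d) < 10_000:
        return "time dependent"      # low-variance, clock-driven increments
    return "random"


def predict_next(isns):
    """Next ISN if the stack uses a constant increment, else None."""
    d = deltas(isns)
    if d and len(set(d)) == 1:
        return (isns[-1] + d[0]) % MOD
    return None


def connections_between(isn_a, isn_b, increment=1):
    """Sideband leak: connections opened by others between our two probes on a
    stack that adds `increment` per connection."""
    return ((isn_b - isn_a) % MOD) // increment - 1


def rfc1948_isn(clock_4us, local_ip, local_port, remote_ip, remote_port, secret):
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret).
    M is the RFC 793 4-microsecond timer; F is MD5 truncated to 32 bits, as
    RFC 1948 suggests. `secret` must be random and kept per host."""
    ident = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
    f = int.from_bytes(hashlib.md5(ident + secret).digest()[:4], "big")
    return (clock_4us + f) % MOD


def rfc1948_sample(n, secret=b"constructed-secret", clock_step=250):
    """n ISNs for n probe connections from distinct source ports (constructed)."""
    return [rfc1948_isn(i * clock_step, "10.0.0.2", 23, "10.0.0.1", 40000 + i, secret)
            for i in range(n)]


# Constructed samples (not captured data)
SERVERIRON_LIKE = [1000, 1001, 1002, 1003, 1004]   # +1 per connection
BSD_LIKE = [5000, 69000, 197000, 261000]            # 64000 / 128000 steps
CLOCK_LIKE = [100, 1100, 2050, 3120]                # jittery timer


def main():
    samples = [("+1 stack", SERVERIRON_LIKE), ("64K stack", BSD_LIKE),
               ("clock stack", CLOCK_LIKE), ("RFC 1948", rfc1948_sample(6))]
    for name, s in samples:
        print(f"{name:12s} {classify(s)}")
    print("next ISN predicted:", predict_next(SERVERIRON_LIKE))
    print("connections by others between probes:", connections_between(1004, 1010))


if __name__ == "__main__":
    main()
```

    Run it directly to print the verdict for each constructed stack. The
    connections_between() figure is the "sideband information" the advisory
    mentions: with a +1 stack, two probes whose ISNs differ by 6 bracket five
    connections opened by someone else.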
    
    
    Solutions and Workarounds
    =========================
    
    No solutions available as yet.
    
    Workaround:
    
    Filter telnet, HTTP and SNMP access to the Foundry devices so that only the
    management IP addresses you trust can reach them; or better yet, disable
    SNMP and the web interface (6.0 firmware) and filter off telnet access
    completely. Management access is then only available via the serial console
    (which is hopefully secured against unauthorized physical access).
    
    
    Vendor contacted: Yes
    =====================
    
    Sent first message: 3 Feb 2000
    Reply received: 4 Feb 2000
    Incident "closed": 8 Feb 2000
    Sent offer to add to this advisory: 24 February 2000
    
    Foundry Networks believes this issue to be a feature request and will
    address the issue in a forthcoming version (undisclosed version or
    timeline).
    
    From the support person closing the incident:
    
    	Since this is a request for a change in our current functionality,
    	we are treating it as an enhancement request. Our current policy
    	is that these should be directed through the sales organization.
    
    
    Revision History
    ================
    
    	2000/02/28 - First release
    	2000/02/22 - initial draft
    
    
    More Information
    ================
    
    [1] Information about ISS and IRS (initial send/receive sequence number)
        prediction. Excellent article by daemon9/route/infinity:
        http://www.signaltonoise.net/library/ipsp00f.htm
    
    [2] RFC 793: TRANSMISSION CONTROL PROTOCOL
        http://sunsite.cnlab-switch.ch/ftp/doc/standard/rfc/7xx/793
    
    [3] RFC 1948: Defending Against Sequence Number Attacks
        http://sunsite.cnlab-switch.ch/ftp/doc/standard/rfc/19xx/1948
    
    [4] R.T. Morris, "A Weakness in the 4.2BSD UNIX TCP/IP Software",
        CSTR 117, 1985, AT&T Bell Laboratories, Murray Hill, NJ.
    
    [5] A 1995 CERT advisory; cites a 1989 paper by Morris based on his 1985
        work.
        http://www.cert.org/advisories/CA-5.01.IP.spoofing.attacks.and.hijacked.terminal.connections.html
    
    [6] Information about the hardware concerned:
        http://www.foundrynet.com/serverironspec.html
    
    Andrew van der Stock, Security Architect, e-Secure Pty Ltd
    "Secure in a Networked World"
    Suite 201, 2-4 Pacific Hwy, St. Leonards NSW 2065 Australia
    Phone: +61 2 9438 4984  Fax: +61 2 9438 4986  Mobile: +61 412 532 963
    http://www.e-Secure.com.au/
    ACN 086 248 419
    e-mail: A.vanderStock@e-Secure.com.au
    