RE: [VulnWatch] NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia Appliances

From: Rouland, Chris (ISSAtlanta) (CRoulandat_private)
Date: Thu Mar 21 2002 - 13:38:22 PST


    Mr. Hellnbak has not proven the exploit legitimate, but rather has
    successfully tested a feature which allows for a fresh install to be easily
    managed.
    
    There is a feature called "allow first connection" on Nokia which allows for
    the very first connection to be connected and get its keys imported.  It
    can be disabled by any customer who finds that scary, but most do not.  The
    person setting up the box is always the first one to connect, and after that
    only people with authentication keys can connect.  If the attacker had
    supreme timing and connected in the interval that the software was installed
    and before it was managed, the person who set this up in the first place
    would get refused access and figure out what was happening.  The reason why
    we added such a feature was to improve OOB with Nokia because there is no easy
    way to get the initial public keys installed.
    
    If the feature is disabled OR if a legitimate administrator has simply
    connected at least once, the errant "skank" entry will be useless.  At such
    point, starscream_skank would be refused a connection to the issDaemon for
    lack of public keys, that is unless they gain root or convince the real
    administrator to push the pubkey on their behalf.
    
    Also, we've had this impotent entry removed for months now.
    
    It's unfortunate that some security professionals still do not take the time
    to work through these issues with vendors through responsible vulnerability
    disclosure.  In an asynchronous advisory from NMRC such as this,
    disinformation like this causes a lot of confusion to the end user, who we
    are all trying to protect.
    
    -----Original Message-----
    From: hellNbak [mailto:hellnbakat_private] 
    Sent: Thursday, March 21, 2002 1:00 PM
    To: Rouland, Chris (ISSAtlanta)
    Cc: nmrcfolkat_private; bugtraqat_private; vulnwatchat_private;
    focus-idsat_private
    Subject: RE: [VulnWatch] NMRC Advisory - KeyManager Issue in ISS RealSecure
    on Nokia Appliances
    
    
    On Thu, 21 Mar 2002, Rouland, Chris (ISSAtlanta) wrote:
    >
    > Please confirm that you are able to exploit this, without root access
    > to the IPSO box.
    
    
    Chris, if I set up my own console, why would I need root access to the IPSO
    box?  If I simply set my machine name to starscream and my user to skank I
    am able to connect and push new keys generated by my console.
    
    I am unsure why you would post that "NMRC is unable to confirm that this can
    be exploited" without actually talking to me first.  I just tested it, a
    second time, and yes, you can connect via the console and root access on the
    Nokia box is not an issue.  The console connects to the control channel and
    allows me to push new keys down using the deployment wizard which then
    allows me to set my new console as the "master controller" and gather
    alerts, modify policies etc...
    



    This archive was generated by hypermail 2b30 : Thu Mar 21 2002 - 16:42:15 PST