Phenoelit Advisory 0815 ++ -- Brick

From: kim0 (kim0at_private)
Date: Sat Jul 27 2002 - 03:17:45 PDT


    -- 
                kim0   <kim0at_private>
            Phenoelit (http://www.phenoelit.de)
    90C0 969C EC71 01DC 36A0  FBEF 2D72 33C0 77FC CD42
    
    
    Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++->
    
    [ Authors ]
    	FX		<fxat_private>
    	kim0 		<kim0at_private>	
    
    	Phenoelit Group	(http://www.phenoelit.de)
    	http://www.phenoelit.de/stuff/Lucent_Brick.txt
    
    [ Affected Products ]
    	Lucent    
    			LSMS 5.5 (Lucent Brick, Bridging VPN Firewall)
    
    	Lucent Bug ID: 	Not assigned
    
    [ Vendor communication ]
    	06/28/02	Reply to inquiry regarding "who to notify"
            06/29/02        Initial Notification to Brick team
                            *Note-Initial notification by phenoelit
                            includes a cc to certat_private by default
            07/02/02        Ack. of receipt by Lucent Brick team
            07/06/02        Weekly follow-up by central POC at
                            Lucent (Right on Time)
            07/08/02        Additional tech-discussions
            07/19/02        Notification of intent to post publicly
                            in approx. 7 days.
    	07/25/02	Notification that due to personnel changes at Lucent, 
    			our POC has changed. The new person is supposed to be 
    			contacting us...
    
    [ Overview ]
    	The Lucent Brick VPN Firewall is a layer 2, NCSA, US Army, and 
    	US National Security Agency (NSA) approved/certified firewall that 
    	runs on Inferno, an embedded operating system. "Brick" devices 
    	come in many sizes, from the SOHO Brick 20 to the Enterprise 1000 (GiG).
    	
    [ Description ]
    	The Brick suffers from several design failures in its handling of 
    	the ARP protocol.
    
    	1. It is possible to interrupt any connection between the Brick and 
    	critical devices such as the LSMS (Brick Management Server) by 
    	binding the IP address of the device in question to the attacker's 
    	interface and "pinging" the Brick or any address behind it. The Brick
    	will immediately update its ARP cache and drop the connection, regardless
    	of where the attacker is located (inside or outside segment). This
    	requires the "Floating MAC" setting to be turned on.
    
    	2. The Brick will forward any ARP request and response across all 
    	interfaces, regardless of the existing firewall rules.
    
    	3. All Bricks are identifiable during reconnaissance using the most 
    	basic of techniques (pinging all addresses in the segment). The device 
    	that sends ARP requests for the attacker's IP address is the Brick.
    
    [ Example ]
    	1. # man ping
    	2. # man arp
    	3. # for i in $(cat ipaddresses.txt); do ping -c 1 "$i"; done
    
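    	As an added example (not part of the Phenoelit advisory), the following
    	Python parses raw Ethernet/ARP frames from a capture and applies two checks
    	drawn from the description above: the reconnaissance rule of item 3 (after
    	the ping sweep, the station that sends ARP requests for the attacker's
    	address is the Brick) and the defender's counterpart to item 1 (flag any
    	change in the MAC bound to a watched address such as the LSMS, since with
    	"Floating MAC" the Brick accepts the new binding at once). The sample
    	frames are constructed inline; every MAC and IP address in them is
    	hypothetical, and the Brick sourcing its ARP request from an address of its
    	own on the segment is an assumption made for the sample.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = b"\x00" * 6


def parse_arp(frame):
    """Parse an Ethernet II frame carrying RFC 826 ARP over IPv4.

    Returns a dict with the ARP fields, or None if the frame is too short,
    is not ARP, or is not Ethernet/IPv4 ARP.
    """
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "eth_src": eth_src, "sha": sha, "spa": spa,
            "tha": tha, "tpa": tpa}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_dst=b"\xff" * 6):
    """Build an Ethernet+ARP frame; used here only to construct sample traffic."""
    return (struct.pack("!6s6sH", eth_dst, sha, ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + struct.pack("!6s4s6s4s", sha, spa, tha, tpa))


def find_arp_requesters(frames, target_ip):
    """Item 3: MACs that send ARP requests ("who-has") for target_ip.

    After the attacker has pinged every address in the segment, the advisory
    says the station asking for the attacker's own address is the Brick.
    """
    macs = set()
    for f in frames:
        arp = parse_arp(f)
        if arp and arp["op"] == ARP_REQUEST and ip_str(arp["tpa"]) == target_ip:
            macs.add(mac_str(arp["sha"]))
    return sorted(macs)


def detect_mac_changes(frames, watched_ips):
    """Item 1, seen from the defender's side: report (ip, old_mac, new_mac)
    whenever the sender MAC bound to a watched IP changes in ARP traffic.

    Both requests and replies carry a sender binding, and the Brick with
    "Floating MAC" learns from either, so both are inspected.
    """
    seen, events = {}, []
    for f in frames:
        arp = parse_arp(f)
        if arp is None:
            continue
        ip, mac = ip_str(arp["spa"]), mac_str(arp["sha"])
        if ip not in watched_ips:
            continue
        if ip in seen and seen[ip] != mac:
            events.append((ip, seen[ip], mac))
        seen[ip] = mac
    return events


# Constructed sample segment; all addresses are hypothetical.
ATTACKER_MAC, ATTACKER_IP = bytes.fromhex("02000000aa99"), bytes([10, 0, 0, 99])
BRICK_MAC, BRICK_IP = bytes.fromhex("02000000bb01"), bytes([10, 0, 0, 1])
LSMS_MAC, LSMS_IP = bytes.fromhex("020000000a10"), bytes([10, 0, 0, 10])
HOST_MAC, HOST_IP = bytes.fromhex("020000000a20"), bytes([10, 0, 0, 20])

SAMPLE_FRAMES = [
    # attacker's sweep: who-has 10.0.0.20 tell 10.0.0.99
    build_arp(ARP_REQUEST, ATTACKER_MAC, ATTACKER_IP, ZERO_MAC, HOST_IP),
    # ordinary host answers: 10.0.0.20 is-at HOST_MAC
    build_arp(ARP_REPLY, HOST_MAC, HOST_IP, ATTACKER_MAC, ATTACKER_IP, ATTACKER_MAC),
    # Brick asks for the attacker's address: who-has 10.0.0.99 tell 10.0.0.1
    build_arp(ARP_REQUEST, BRICK_MAC, BRICK_IP, ZERO_MAC, ATTACKER_IP),
    # legitimate LSMS traffic: who-has 10.0.0.1 tell 10.0.0.10
    build_arp(ARP_REQUEST, LSMS_MAC, LSMS_IP, ZERO_MAC, BRICK_IP),
    # attacker now claims the LSMS address with its own MAC (item 1)
    build_arp(ARP_REQUEST, ATTACKER_MAC, LSMS_IP, ZERO_MAC, BRICK_IP),
    # a non-ARP (IPv4) frame that must be ignored
    b"\x00" * 12 + b"\x08\x00" + b"\x00" * 30,
]

if __name__ == "__main__":
    print("Brick candidates:", find_arp_requesters(SAMPLE_FRAMES, "10.0.0.99"))
    print("MAC changes:", detect_mac_changes(SAMPLE_FRAMES, {"10.0.0.10", "10.0.0.1"}))
```

    	On a live segment the frames would come from a capture file or a raw
    	socket in place of SAMPLE_FRAMES; the parser rejects anything that is not
    	Ethernet/IPv4 ARP, so it can be fed an unfiltered capture.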
    [ Solution ]
    	None known at this time. 
    
    [ end of file ]
    



    This archive was generated by hypermail 2b30 : Sat Jul 27 2002 - 11:29:00 PDT