Nokia GGSN (IP650 Based) DoS

From: @stake Advisories (@stake)
Date: Mon Jun 09 2003 - 10:33:01 PDT

Next message: :: Operash ::: "[FlashFXP] Two Buffer Overflow Vulnerabilities"

Previous message: :: Operash ::: "[FTP Voyager] File List Buffer Overflow Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                              @stake Inc.
                            www.atstake.com

                           Security Advisory

Advisory Name: Nokia GGSN (IP650 Based) DoS
 Release Date: 06/09/2003
  Application: Nokia GGSN (IP650 Based)
     Platform: Nokia GGSN (IP650 Based)
     Severity: An attacker is able to cause GGSN to kernel panic
      Authors: Ollie Whitehouse [ollieat_private]
               Joe Grand      
               Brian Hassick  
Vendor Status: Informed/Fixed
CVE Candidate: CAN-2003-0368 Nokia GGSN Kernel Panic
    Reference: www.atstake.com/research/advisories/2003/a060903-1.txt


Overview:

       Nokia's (http://www.nokia.com) GGSN (Gateway GPRS support
node)
is the platform that exists between Gn and Gi networks within a GPRS
network.

There exists a vulnerability in the TCP stack that allows an
attacker to cause the GGSN to kernel panic and shutdown. This
potentially allows an attacker to crash all data connectivity within
a GPRS based network.

This is a good example of why network elements which introduce IP
functionality to legacy networks should have their functionality
verified in terms of impact on security before deployment in a
production environment.

Technical Overview:

        This vulnerability is exploited by sending a malformed
IP packet with a TCP option of 0xFF over a cellphone to the affected
network.

Vendor Response:

        (see recommendation).


Recommendation:

        @stake worked with Nokia to ensure that all affected
operators
were informed and upgraded and only after this time did @stake agree
to release this information to the public. There should be no action
on the part of the operator required.

Below is the notice that was sent out by Nokia to their clients:

        ---[Nokia Notice]---
        NOKIA CUSTOMER CONFIDENTIAL, GGSN RELEASE 1 VULNERABILITY

        Under exceptional circumstances Nokia GGSN release 1 is
        potentially vulnerable to a "Denial Of Service" style of
        attack from a malicious user equipped with a computer and a
        mobile phone. When the vulnerability is exploited the GGSN
        restarts. There is no damage to the configuration, but some
        charging data may be lost.  Changing a normal Access Point to
        tunneled (GRE or IP in IP) prevents the attacks from mobile
        user side.

        The same applies for the Gi interface though routers and
        firewalls would normally drop this kind of packets. The
        problem has been detected and reported by @stake and has been
        reproduced by Nokia in collaboration with @stake. Nokia and
        @stake are jointly working to eliminate the problem.

        This vulnerability is corrected in IPSO version 3.4 and all
        subsequent versions. Thus, GGSN release 2 is not vulnerable,
        GGSN release 1 is. Nokia advices all the customers still
        running GGSN release level 1 to upgrade on GGSN release level
      
        2.
 
        As an interim measure operators can perform the following
        preventative configuration changes to their networks. Ensure
        that all IP packets  with non standard IP options are dropped
        by boarder firewalls on the  Gi interface. Within the Gn
        network ensure that the GTP aware firewall (if present) also
        drops all encapsulated IP packets with non standard  IP
        options. This may introduce latency however it will mitigate
        against the attack until the patch has been fully deployed
        and tested.

        Due to the severity of this vulnerability @stake has
        confirmed that they will not be releasing this information
        publicly on their research page
        (http://www.atstake.com/research/)
        until Nokia has confirmed that all affected operators have
        fully patched and tested all affected elements. However
        @stake would ideally like to  release this information no
        later than 1st June 2003.

        Neither @stake nor Nokia are aware of this attack being used
        in the wild as it was discovered by @stake within a lab
        environment and subsequently tested on a number of operators
        for whom they have worked for.
        ---[End Nokia Notice]---


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0368 Nokia GGSN Kernel Panic


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to jobsat_private

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPuTExEe9kNIfAm4yEQJHsgCgpE0HSqZM7bkWgmjD+SKlPq6sEysAnAm2
PM135OxtAU1caCKLTLpGbTqD
=9l1f
-----END PGP SIGNATURE-----

Next message: :: Operash ::: "[FlashFXP] Two Buffer Overflow Vulnerabilities"
Previous message: :: Operash ::: "[FTP Voyager] File List Buffer Overflow Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 14:10:27 PDT