IP Option Vulnerability in Cisco IOS – Update now!

Cisco released three security advisories for its IOS platform two days back. See Tech Lounge, Tao Security and The Register for more coverage. Note: these affect almost all 12.0, 12.1 and 12.2 IOS routers.

  • Malformed TCP packets (denial of service). Specially crafted TCP packets can leak a small amount of memory, which over time can result in a DoS.
  • IPv6 Routing Header (crashes IOS!). This applies only if IPv6 has been enabled; the bug is triggered when source routing is enabled.
  • *serious* IP Option vulnerability (can execute arbitrary code). A specially crafted IP options packet can compromise the router.

All three are triggered by a malformed packet. These packets can carry spoofed addresses, so a traditional ACL may not be effective.

Of the three, the third is obviously the most serious. Security watchers are reporting that there is a lot of interest in underground forums about how to exploit the third one.

“These are serious issues and patches need to be applied as soon as possible,” said Gunter Ollmann, director of security strategy for IBM Internet Security Systems. “From our monitoring of underground channels there are a lot of people interested in these and actively working on exploits.”

So what is an IP option?

For those who are not familiar with it, here is a sample IP option viewed using Unsniff Network Analyzer. IP options are extensions to the standard IPv4 header to implement some additional functionality.

[Figure: a Record Route IP option as decoded by Unsniff Network Analyzer]

What you see in the picture is a “Record Route” option. You can append other options after it, and close the list with an “End” option (identified by option code 00).
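As an added example (not code from the post or from Unsniff), here is a small Python walker over the IPv4 option area pictured above. It returns the parsed option list and flags the length and pointer inconsistencies a malformed options packet would carry, which is what a defender wants to alert on; the header builder and the sample option bytes are constructed for the example.

```python
import struct

EOL, NOP, RECORD_ROUTE = 0, 1, 7   # option type codes from RFC 791

def ipv4_header(options: bytes) -> bytes:
    """Constructed IPv4 header (no payload) carrying the given option bytes."""
    padded = options + b"\x00" * (-len(options) % 4)   # option area is 32-bit aligned
    ihl = 5 + len(padded) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(padded), 0, 0,
                        64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return fixed + padded

def parse_ipv4_options(packet: bytes):
    """Walk the option area of an IPv4 header; return (options, anomalies)."""
    options, anomalies = [], []
    if len(packet) < 20:
        return options, ["truncated IPv4 header"]
    ihl = (packet[0] & 0x0F) * 4                      # header length in bytes, 20..60
    if ihl < 20 or ihl > len(packet):
        return options, [f"bad IHL {ihl}"]
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        otype = opts[i]
        if otype == EOL:                              # end of option list; rest is padding
            options.append((EOL, b""))
            break
        if otype == NOP:                              # single-byte option, no length field
            options.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            anomalies.append(f"option {otype} missing length byte")
            break
        olen = opts[i + 1]
        if olen < 2 or i + olen > len(opts):          # would loop forever or read past IHL
            anomalies.append(f"option {otype} length {olen} overruns option area")
            break
        body = opts[i + 2:i + olen]
        if otype == RECORD_ROUTE:
            ptr = body[0] if body else 0
            # RFC 791: pointer starts at 4, address slots are 4 bytes each
            if ptr < 4 or (olen - 3) % 4 != 0 or ptr > olen + 1:
                anomalies.append(f"record route pointer {ptr}/length {olen} inconsistent")
        options.append((otype, body))
        i += olen
    return options, anomalies
```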


Ephemeral Diffie-Hellman support – NOT!

You may be aware of the SSL/TLS decryption features of Unsniff (see the article here on how to do it).

This past weekend we received an email asking whether there were plans for Unsniff to support decryption of TLS using the DHE-RSA-AES256-SHA cipher suite. We also see this same question repeated on many security forums. I thought this deserved a blog entry.

The letters “DHE” in a cipher suite name mean that the Diffie-Hellman Ephemeral mode is being used for key exchange. Contrast this with plain or static “DH” (for example DH_RSA_WITH_DES_CBC_SHA). Unsniff might support static DH because the Diffie-Hellman parameters can be found in the server certificate.

Unsniff has no plans to support ephemeral DH because it is impossible.

Why?

Ephemeral DH is used to provide Perfect Forward Secrecy to a TLS connection. This means that even if you have obtained the server private key via admin help, theft or court order – you cannot decrypt previously captured traffic. The server key is of no use because it is only used to sign the DH parameters in the “Server Key Exchange” message in TLS. To decrypt ephemeral DH the way Unsniff (and other tools like Wireshark) do today, from a capture plus the server private key alone, would be akin to breaking DH. That is not possible.

Is there really no way?

I think there is only one way. If you can change the source code of the server (Apache, etc.) to write out the DH parameters to a log file for each session – we may be able to use that to compute the master secret and therefore decrypt the TLS session.
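To make the static-versus-ephemeral distinction concrete, here is an added Python example (not Unsniff code). A toy safe-prime group is generated on the fly, a long-term server exponent stands in for the static DH key in the certificate, and the returned list in `run_ephemeral_dh` stands in for the hypothetical per-session exponent log the paragraph above describes; the sniffer-side `recover_premaster` only succeeds for a DHE session when it is handed that session's own server exponent.

```python
import secrets

def is_prime(n: int) -> bool:
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # Miller-Rabin, deterministic below 2**64
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x not in (1, n - 1):
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                return False
    return True

def safe_prime(bits: int) -> int:
    """Random p = 2q + 1 with q prime: a toy group built for this example, not a TLS group."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1

P, G = safe_prime(64), 4       # 4 is a quadratic residue, so it generates the prime-order subgroup

def dh_session(server_exp: int):
    """One exchange: returns the two public values a sniffer sees and the pre-master secret."""
    client_exp = secrets.randbelow(P - 2) + 2
    wire = {"server_pub": pow(G, server_exp, P),   # ServerKeyExchange (DHE) or certificate (static)
            "client_pub": pow(G, client_exp, P)}   # ClientKeyExchange
    return wire, pow(wire["server_pub"], client_exp, P)

def run_static_dh(n: int):
    """Static DH: one long-term server exponent, tied to the certificate, reused every session."""
    key = secrets.randbelow(P - 2) + 2
    return key, [dh_session(key) for _ in range(n)]

def run_ephemeral_dh(n: int):
    """DHE: a fresh exponent per session; the RSA key only signs server_pub. The returned list
    plays the hypothetical per-session exponent log a patched server would write."""
    log = [secrets.randbelow(P - 2) + 2 for _ in range(n)]
    return log, [dh_session(x) for x in log]

def recover_premaster(wire: dict, server_exp: int) -> int:
    return pow(wire["client_pub"], server_exp, P)   # the sniffer's computation, given the server exponent
```

With static DH one key decrypts every captured session; with DHE, an exponent from any other session (or the long-term signing key) yields a wrong secret.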


Two days at Proto


Proto.in is an event that is loosely modelled on the DEMO conference. The idea is to showcase product companies from India. Out of hundreds, 30 companies were shortlisted and asked to demo their stuff. The event was organized by an energetic bunch of people led by Vijay Anand.

We were given 8 minutes (compared to 6 minutes at DEMO) to showcase our product. The ground rule was no slides or PPT presentations. (We can all rock the slideshow routine, can't we?) Unfortunately, the 8-minute rule as well as the “no-slides” rule were followed by just a handful of companies.

I (netscript aka Vivek) was first on stage and demoed Unsniff Network Analyzer. I emphasised the extensibility aspect of Unsniff. I showed them the Ruby IAX VoIP analysis script written by our buddy Tim Vincent. I also touched on the advantages of the visual breakout.

It was really cool meeting some interesting folks, first Sujai Karampuri from Sloka Telecom. They are developing a low-cost WiMAX base station as well as a CPE node. I will explore the possibility of a tie-up with them to support a radio module in the 3.5G range for Unsniff.

I met Gokul, who runs an excellent blog focussed on VoIP, IMS, etc. at http://tggokul.wordpress.com/. He provided amazing live blog coverage of the event (and I find it hard to blog once a week!). He has written about our talk here. I must sheepishly admit that I had not met him before this event even though Unleash works so much with VoIP and has great plans for IMS. We plan to meet soon.

The main organizer, Vijay Anand, is involved in a group called Tenet. They seem to be involved in a lot of networking research. Unleash plans to work with them going forward. I see a great opportunity here to get support for new protocols and tools via access to that group.

There were a few VCs there too. My “skeptico-meter” for VCs is off the dial at this point. Nevertheless, it was interesting to meet and talk to them. It would be nice if they clearly articulated their long term vision and their ability to put up with long gestation products.

Overall, a couple of very interesting days.
