| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 Nov 2003 16:58:07 -0600 From: "FishNet Security CSIRT" <CSIRT@...hnetsecurity.com> To: <bugtraq@...urityfocus.com> Subject: Nokia IPSO Script Injection Vulnerability leads to Passive Remote Root, via Network Voyager attn mods: this is a resend with updated source address, if you catch this in time. ________________________________________________________________________ FishNet Security Assessment Services and Vulnerability Research Disclosure: FN2003111001 ________________________________________________________________________ ::Vulnerability:: Nokia IPSO Script Injection Vulnerability ::Synopsis:: Passive Remote Root of Nokia IPSO, via Network Voyager ::Affected Platforms:: IPSO v3.5, v3.6, v3.7 ::Severity:: High Risk ::Ease of Exploitation:: From Trivial to Difficult; see conditions below ::Vendor:: Nokia (http://www.nokia.com/) ::Release::http://www.fishnetsecurity.com/CSIRT/disclosure/Nokia/advisor y.public.FN2003111101.txt ::Release Date:: 11.11.2003 ::Release Format:: ASCII formatted for 10pt Arial or System bold ________________________________________________________________________ ::FishNet Security Vulnerability Research and Response Team (CSIRT):: Arian J. Evans, Sr. Security Engineer; arian.evans@...hnetsecurity.com -Vulnerability Discovery, Modeling of Attack Vectors Trey Keifer; Security Engineer Level II; trey.keifer@...hnetsecurity.com -Vulnerability Analysis, Various Proof-of-Concept codes Brandy Peterson, Directory of Technology; bpeterson@...hnetsecurity.com -General IPSO expertise, Nokia Network Voyager best-practices ________________________________________________________________________ ***Overview*** Nokia Network Voyager is an SSL-secured, web-based element management interface to Nokia IP Security Platforms. Enabled via the Nokia IPSO operating system (OS), Network Voyager is used to configure and monitor individual Nokia IP Security Platforms. Through the simple, yet powerful user interface of Network Voyager, users can point any web browser at an individual Nokia IP Security Platform and immediately manage the device. --Nokia Website ***Clarification*** Nokia Network Voyager is not an SSL-secured management interface to Nokia IP\ Security Platforms by default. By default, Nokia Network Voyager is a clear-text enabled management interface: HTTP. Wrapping the platform's HTTP communications in SSL tunnels is entirely optional, not enabled by default, and in no way needed to manage the platform. ***Vulnerability*** It is possible to inject script into Nokia Network Voyager to remotely gain root access to the platform. The remote root is both passive and conditional. Actions that can be taken include (1) creating admin accounts, (2) setting password on admin accounts (thus enabling them), (3) disabling daemons for products running on the platform like firewall or NIDS, (4) reboot platform to come up with a new configuration. Basically, the Network Voyager interface functions are mostly postable forms, so with a little creativity you can script code that will automatically post any form. Passive: The code you inject will not execute until a client with administrative privileges logs into the Network Voyager interface. Code execution is dependent upon the client (web browser), hence the designation 'Passive'. Conditional: If vendor recommended guidelines have been followed to secure the Nokia IP Security platform, this vulnerability is difficult to exploit. However, with Nokia's shipping default configuration, this vulnerability is trivial to exploit. ***PoC*** PoCs not provided. If you own a Nokia box or have access to one for research, this should be easy to recreate. We will provide PoC to security researchers we know and trust on a case-by-case basis. NIDS and scanner vendors: this attack is too generic for a good NIDS sig, and too sandboxed to check for with an automated scanner. You'll have to identify IPSO versions. ***Additional Threat Details*** For further details, please see the following document: http://www.fishnetsecurity.com/CSIRT/disclosure/Nokia/Nokia.Voyager.Thre at.Details.pdf ________________________________________________________________________ ***Remediation*** FishNet Security notified Nokia of this vulnerability on 10.27.2003. Nokia's response was immediate after we supplied PoC and full documentation. Nokia worked swiftly to produce fixes and provided them to our team for follow-up testing. For Best Practices to securing Nokia Network Voyager, which also significantly mitigate this risk, please see: http://www.fishnetsecurity.com/CSIRT/disclosure/Nokia/Securing.Nokia.Net work.Voyager.pdf >From Nokia's release: "Nokia Enterprise Solutions wishes to inform you of the immediate availability of the following IPSO versions: IPSO v3.7 Build31 IPSO v3.6 FCS13 IPSO v3.5.1 FCS10 IPSO v3.5 FCS22 Please log into http://support.Nokia.com to read the release notes and retrieve these new images. [...] These releases address a security issue described as a Network Voyager Script Injection vulnerability, which is described in Resolution 18356. Nokia strongly recommends that all platforms be upgraded to the latest releases of these IPSO versions. If this is not possible, then please follow the workarounds described in Resolution 18356. [...]" ________________________________________________________________________ ***FishNet Security*** FishNet Security Assessment Services is the branch of FishNet Security responsible for Penetration Testing, Application architectural assessments and code reviews, and both network and host-based Forensic Analysis. Headquartered in Kansas City, Missouri, FishNet Security is committed to being the largest network security company in the Midwest. In order to provide superior customer service, FishNet has regional offices in St. Louis, Dallas, Minneapolis, and New York. Arian Evans Sr. Security Engineer FishNet Security Phone: 816.421.6611 Toll Free: 888.732.9406 Fax: 816.421.6677 http://www.fishnetsecurity.com
Powered by blists - more mailing lists