Message-ID: <8654C851B1DAFA4FA18A9F150145F925D9BDF7@fnex01.fishnetsecurity.com>
Date: Tue, 11 Nov 2003 16:37:54 -0600
From: "Evans, Arian" <Arian.Evans@...hnetsecurity.com>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>
Subject: Nokia IPSO Script Injection Vulnerability leads to Passive Remote Root, via Network Voyager
________________________________________________________________________
FishNet Security Assessment Services and Vulnerability Research
Disclosure: FN2003111001
________________________________________________________________________
::Vulnerability:: Nokia IPSO Script Injection Vulnerability
::Synopsis:: Passive Remote Root of Nokia IPSO, via Network Voyager
::Affected Platforms:: IPSO v3.5, v3.6, v3.7
::Severity:: High Risk
::Ease of Exploitation:: From Trivial to Difficult; see conditions below
::Vendor:: Nokia (http://www.nokia.com/)
::Release:: http://www.fishnetsecurity.com/CSIRT/disclosure/Nokia/advisory.public.FN2003111101.txt
::Release Date:: 11.11.2003
::Release Format:: ASCII formatted for 10pt Arial or System bold
________________________________________________________________________
::FishNet Security Vulnerability Research and Response Team (CSIRT)::
Arian J. Evans, Sr. Security Engineer; arian.evans@...hnetsecurity.com
-Vulnerability Discovery, Modeling of Attack Vectors
Trey Keifer; Security Engineer Level II; trey.keifer@...hnetsecurity.com
-Vulnerability Analysis, Various Proof-of-Concept codes
Brandy Peterson, Director of Technology; bpeterson@...hnetsecurity.com
-General IPSO expertise, Nokia Network Voyager best-practices
________________________________________________________________________
***Overview***
Nokia Network Voyager is an SSL-secured, web-based element
management interface to Nokia IP Security Platforms. Enabled
via the Nokia IPSO operating system (OS), Network Voyager is
used to configure and monitor individual Nokia IP Security Platforms.
Through the simple, yet powerful user interface of Network Voyager,
users can point any web browser at an individual Nokia IP Security
Platform and immediately manage the device.
--Nokia Website
***Clarification***
Nokia Network Voyager is not an SSL-secured management interface
to Nokia IP Security Platforms by default. By default, Nokia Network
Voyager is a clear-text enabled management interface: HTTP. Wrapping
the platform's HTTP communications in SSL tunnels is entirely optional,
not enabled by default, and in no way needed to manage the platform.
***Vulnerability***
It is possible to inject script into Nokia Network Voyager to remotely
gain root access to the platform. The remote root is both passive
and conditional. Actions that can be taken include (1) creating admin
accounts, (2) setting passwords on admin accounts (thus enabling
them), (3) disabling daemons for products running on the platform,
such as the firewall or NIDS, and (4) rebooting the platform so that it
comes up with the new configuration.
Most Network Voyager functions are ordinary HTML forms, so injected
script running in the administrator's browser can, with a little
creativity, fill in and submit any of those forms automatically.
Passive: The code you inject will not execute until a client with
administrative privileges logs into the Network Voyager interface.
Code execution is dependent upon the client (web browser),
hence the designation 'Passive'.
Conditional: If vendor recommended guidelines have been
followed to secure the Nokia IP Security platform, this vulnerability
is difficult to exploit. However, with Nokia's shipping default
configuration, this vulnerability is trivial to exploit.
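The following is an added illustration of the injection class described above, not code from the advisory, from Nokia or from FishNet, and not a PoC against Voyager: it shows the general pattern of a stored value copied unencoded into a management page beside the encoded version, with a constructed payload that would submit a form in the viewing administrator's session. The field name "hostname" and the payload are assumptions made for the example.

```javascript
// Added example of the script-injection class the advisory describes.
// Nothing here is Nokia's or FishNet's code; "hostname" is a made-up field
// name and the payload below is constructed for this illustration.

// Vulnerable pattern: an attacker-controlled value is copied straight into the
// HTML that the administrator's browser will render. Any script it carries runs
// in that browser, inside the administrator's management session, which is why
// the advisory calls the resulting root "passive": nothing happens until an
// admin views the page.
function renderUnsafe(label, value) {
  return `<tr><td>${label}</td><td>${value}</td></tr>`;
}

// Hardened pattern: encode the HTML metacharacters before the value is placed
// into element content or a quoted attribute. The browser then displays the
// text of the payload instead of executing it.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(label, value) {
  return `<tr><td>${escapeHtml(label)}</td><td>${escapeHtml(value)}</td></tr>`;
}

// Rough check used by the demo: does the rendered markup still contain a raw
// script element, i.e. something a browser would execute?
function containsRawScript(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample: a stored value which, once rendered unescaped, submits
// the first form on the page on the administrator's behalf.
const injectedValue = '<script>document.forms[0].submit()</script>';

function demo() {
  const unsafe = renderUnsafe('hostname', injectedValue);
  const safe = renderSafe('hostname', injectedValue);
  return {
    unsafe,
    safe,
    unsafeExecutes: containsRawScript(unsafe),
    safeExecutes: containsRawScript(safe),
  };
}

const rendered = demo();
console.log('unsafe :', rendered.unsafe);
console.log('safe   :', rendered.safe);
```

The unsafe rendering is exactly the condition the advisory exploits: the browser cannot tell the stored payload from markup the interface emitted itself. Encoding on output closes that, and restricting which hosts may reach the management interface at all (the "conditional" part above) limits who can plant the value in the first place.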
***PoC***
PoCs not provided. If you own a Nokia box or have access to one
for research, this should be easy to recreate. We will provide PoC
to security researchers we know and trust on a case-by-case basis.
NIDS and scanner vendors: this attack is too generic for a good
NIDS sig, and too sandboxed to check for with an automated
scanner. You'll have to identify IPSO versions.
***Additional Threat Details***
For further details, please see the following document:
http://www.fishnetsecurity.com/CSIRT/disclosure/Nokia/Nokia.Voyager.Threat.Details.pdf
________________________________________________________________________
***Remediation***
FishNet Security notified Nokia of this vulnerability on 10.27.2003.
Nokia's response was immediate after we supplied PoC and full
documentation. Nokia worked swiftly to produce fixes and provided
them to our team for follow-up testing.
For Best Practices to securing Nokia Network Voyager, which also
significantly mitigate this risk, please see:
http://www.fishnetsecurity.com/CSIRT/disclosure/Nokia/Securing.Nokia.Network.Voyager.pdf
From Nokia's release:
"Nokia Enterprise Solutions wishes to inform you of the immediate
availability of the following IPSO versions:
IPSO v3.7 Build31
IPSO v3.6 FCS13
IPSO v3.5.1 FCS10
IPSO v3.5 FCS22
Please log into http://support.Nokia.com to read the release notes
and retrieve these new images. [...] These releases address a security
issue described as a Network Voyager Script Injection vulnerability,
which is described in Resolution 18356. Nokia strongly recommends
that all platforms be upgraded to the latest releases of these IPSO
versions. If this is not possible, then please follow the workarounds
described in Resolution 18356. [...]"
________________________________________________________________________
***FishNet Security***
FishNet Security Assessment Services is the branch of FishNet
Security responsible for Penetration Testing, Application architectural
assessments and code reviews, and both network and host-based
Forensic Analysis. Headquartered in Kansas City, Missouri, FishNet
Security is committed to being the largest network security company
in the Midwest. In order to provide superior customer service, FishNet
has regional offices in St. Louis, Dallas, Minneapolis, and New York.
Arian Evans
Sr. Security Engineer
FishNet Security
Phone: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.421.6677
http://www.fishnetsecurity.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html