Date: Thu, 20 May 2010 10:50:01 -0300
From: Guillermo Marro Bruno <gmmarro@...wgate.net>
To: bugtraq <bugtraq@...urityfocus.com>
Cc: xperience@...eria.pl, dwilliam@...don.ca
Subject: RE: STP mitm attack idea

>
 
> Shutting down the port is useful for security in the way that it helps
> prevent the type of attack that Xperience has described. When BPDU Guard
> is implemented the port will be shut down if any Spanning Tree packets
> are seen. It is risky turning off Spanning Tree as any loops in the
> network will create a denial of service by causing broadcast traffic to
> be sent out every port on the switch in a continuous loop. An
> interesting thing to note is what happens if a cable is plugged into two
> ports on a switch, essentially creating a loop. For this reason when
> BPDU is implemented and a port comes up it will send out two Spanning
> Tree packets. The opposing port sees these packets and shuts down. One
> other feature of BPDU guard is that it can be configured to stay in an
> error state for a specified period of time by using the "errdisable
> recovery cause bpduguard" command. When configured using the "errdisable
> recovery interval xxx" command, this allows the port to return to normal
> usage after the error condition has been resolved. Another reason to
> implement these features is that it prevents Access ports from "sharing"
> Spanning Tree information and "leaking" the network topology. From a
> security standpoint it might be useful disabling CDP on Access ports as well.

In complex L2 network topologies, physical link redundancy is good, but
logical link redundancy is not. Thus we need R/STP.

In my eyes, BPDU guard and Root Guard are somehow effective measures but
they tend to focus on L2 issues coming from an L3-ish philosophy ('think
first and then connect the plug'). When you plug a cord on a switch you
want it to be as plug-and-play as possible, you don't want to think
about port configuration issues, it's L2 after all!
By using Cisco's countermeasures we are constraining the very intent of
STP.
The true solution that unfortunately no vendors seem to explore is
adding BPDU message authentication (crypto-based). It's not trivial, it'd
demand more initial configuration, but it's the only reasonably strong
approach.

BTW, the attack described by Xperience is a variation of a
tree-segmentation attack. See page 24 in:

http://seclab.cs.ucdavis.edu/papers/Marro_masters_thesis.pdf

If you can get some sort of direct link between C and D
(wireless?), the attack would be much more stealthy and efficient.

Cheers,

-G

-- 
...................................................
Guillermo Marro
F l o w g a t e  Consulting
Maipu 778 - Piso 1 - Of 10
(2000) Rosario - Santa Fe - ARGENTINA
TEL: +54-341-4112511
http://www.flowgate.net 

PGP Fingerprint:
8EFD D853 00A4 B247 2F36  692F 4242 4C02 C0BF 67DB
http://pgp.dtype.org/
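Added illustration of the measures the quoted message describes (BPDU Guard with errdisable recovery, Root Guard, and CDP disabled on access ports). This is example Cisco IOS configuration written for this archive page, not configuration posted by either participant; the interface numbers, VLAN, 300-second recovery interval and the split between an access switch and a distribution switch are assumed.

```cisco
! ===== Access switch (assumed: 24 host ports, 2 uplinks) =====
spanning-tree mode rapid-pvst
!
! Bring a port back from err-disabled 300 s after a BPDU Guard trip
! (the quoted "errdisable recovery cause bpduguard" / "interval xxx").
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Every PortFast (edge) port gets BPDU Guard without per-port lines.
spanning-tree portfast bpduguard default
!
interface range GigabitEthernet1/0/1 - 24
 description ACCESS - end hosts only, no switches
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! explicit per-port enable, in case the global default is later removed
 spanning-tree bpduguard enable
 ! stop advertising platform/IP/VLAN details to whatever is plugged in
 no cdp enable
!
interface range GigabitEthernet1/0/25 - 26
 description UPLINK - toward distribution / root bridge
 switchport mode trunk
 ! no Root Guard here: these ports legitimately face the root
!
! ===== Distribution switch (root bridge side) =====
! Root Guard belongs on designated ports that must never become root
! ports, i.e. the ports that face the access layer. A superior BPDU
! arriving there puts the port in root-inconsistent state instead of
! re-rooting the tree; it recovers on its own once the BPDUs stop.
interface range GigabitEthernet1/0/1 - 8
 description DOWNLINK - toward access switches
 switchport mode trunk
 spanning-tree guard root
!
end
!
! Verification after the change:
!   show spanning-tree summary           -> "Portfast BPDU Guard Default is enabled"
!   show errdisable recovery             -> bpduguard listed, timer 300
!   show interfaces status err-disabled  -> ports currently tripped by BPDU Guard
!   show spanning-tree inconsistentports -> ports held by Root Guard
```

The reason Root Guard sits on the distribution side and not on the access uplinks is that Root Guard blocks any port on which a superior BPDU appears; on an uplink that points toward the real root it would block the legitimate root and partition the access switch. BPDU Guard is the stricter of the two and is what the access ports get, since a host port should never carry STP at all.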

