Threat Level: green Handler on Duty: Tom Webb

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-05-09 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

IPsec vulnerability and more public Ethereal exploits!

Published: 2005-05-09
Last Updated: 2005-05-10 01:46:50 UTC
by Mike Poor (Version: 1)
0 comment(s)

IPSec vuln announced



NISCC has posted an advisory for IPSEC implementations. Seems that any configuration of IPSec that uses ESP, IP protocol 50 (Encapsulating Security Payload), with confidentiality (encryption) only is affected. In addition, reports of some configurations of AH (Authentication Header), IP protocol 51 are also affected.

The impact of this vulnerability is huge (well, assuming that you arent using data integrity already), as the attacker could get the plaintext version of the communication. As was pointed out to me by an ISC reader, the default on most VPN servers is to include data integrity with ESP. This is one good case where most people probably dont stray too far from the default config *sic*.

Principal workaround: Ensure that you use ESP with integrity protection.

Link: http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en

More Ethereal exploits made public



Ethereal is a fantastically useful tool to the network analyst. It can decode over 460 protocols, including Quake III Team Arena gaming protocol!!! Now for the downside. Writing protocol parsers is not an easy task. Its ok to interpret how a packet is "supposed" to look. What about the edge cases? What about failing gracefully? This is where alot of the protocol parsers are failing us.

Recently I was speaking with the venerable godfather of "those_who_wear_tin_foil_hats", Ed Skoudis, about a very scary concept: IDS killer packets. The idea is that you kill whatever monitoring tools might be on the network first, then you install the malicious code and take over the box.

This past year we have seen dozens of Ethereal vulnerabilities (both DOS and exploitable), a few Tcpdump denial of service vulns, and of course the biggies: buffer overflow and DOS in Snort, and a worm (Witty) that whacked ISS intrusion detection software. In fact, the Witty worm exploited a vulnerability in the Protocol Analysis Module for ICQ (yes, another protocol parser bug).

The point is not to harp on the developers, we know its not easy to get right. The point is that we all need to take extra care in patching our security infrastructure.

Today, two new exploits for Ethereal were made public. Ethereal 0.10.11 is apparently not vulnerable to these.

Mike Poor


mikeatintelguardiansdotcom

Handler on Duty - signing out

./mike &
Keywords:
0 comment(s)
Diary Archives