6 Days After Advisory Posted, AboveNet Gets Hit

L. Taylor -May 18, 2000

Event Summary

On April 19th, Cisco published a security advisory for bug CSCdr10025, which allows access to its Catalyst switches through a default password. On April 20th, SecurityFocus reposted the advisory on its website. On April 25th, AboveNet suffered a crippling network attack when someone compromised its network and disabled several critical backbone switches by logging on and exploiting this bug.

Though Cisco offers free software upgrades to remedy this vulnerability, system and network engineers often get caught up in the day-to-day flurry of new provisioning and ongoing support, and applying security patches and keeping up with advisories gets last priority.

Whether or not it should, AboveNet publishes the IP addresses of its switches to the world on its website. Once an attacker knows which IP address to connect to, a switch whose enable mode has not been secured with a non-default, encrypted password can be taken apart over the network with very little effort. Enable mode, similar to root on UNIX systems or Administrator on Microsoft operating systems, gives full control of a switch or router. If telnet is allowed on the switch and it has not been secured with a strong password, a user can log in as an unprivileged user and then switch to privileged enable mode very easily.

Market Impact

The purpose of security advisories is to help customers secure their systems. However, misuse of these advisories to take advantage of network and equipment weaknesses is growing. If the trend continues, companies that issue advisories may want to start posting them to contract customers only. Posting security advisories to the general public is a double-edged sword: legitimate customers need to know this information, but it is questionable whether it is useful to publish such things to non-customers.

Figure 1: AboveNet switch in San Jose loses connectivity on April 25th. (c) Copyright AboveNet

Service providers that host the servers and connections of other businesses need to be particularly careful about what they post to the Internet. Posting traffic statistics is of course useful; posting the IP address and hostname, however, may not be necessary unless it is done behind a protected authentication system or website. It is possible to post traffic statistics and at the same time keep the switch behind a firewall. Though security due diligence was not applied to AboveNet's switch, it is surprising that it was not better protected by a more secure perimeter.

User Recommendations

When security advisories come out, companies need to act quickly. Security and network engineers are not the only ones who read these advisories. Cybercriminals with unsavory intentions often wait for advisories to come out and then go to work to see whether they can exploit them.

  • Companies should publish as few IP addresses to the world as possible.

  • If Internet Telnet access is necessary for network equipment, it should be behind a secure authentication system that does not use reusable passwords.

  • When advisories come out, service providers need to act quickly. Having a process in place to act upon security advisories quickly will prevent unnecessary downtime, and embarrassing security compromises. Prospective customers should request that their service provider respond to vendor security advisories within 1 or 2 business days - anything longer than that is taking a risk.

  • Having a periodic Security Vulnerability Assessment can pinpoint weaknesses before unsavory hands exploit them.

  • Service providers need to make sure that proper access control lists (ACLs) have been configured to protect their network devices.
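One way to check a device for the three conditions this article calls out (an enable mode left on a default or reversible password, telnet reachable on the vty lines, and no access list restricting who may connect), as an added example that is not part of the original article: a Python audit over IOS-style configuration text. The command syntax assumed is Cisco IOS; the Catalyst switches in the advisory may use a different command set, and the helper and both sample configurations are constructed.

```python
"""Audit an IOS-style running config for what the article names: an enable mode
without an encrypted secret, telnet on the vty lines, and no ACL on who may connect."""
import re

def _stanzas(config):
    """Yield (header, child_lines); indented lines belong to the stanza above them."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):   # blank or comment line
            continue
        if raw[0].isspace():
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children

def audit_ios_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    stanzas = list(_stanzas(config))
    if not any(h.startswith("enable secret ") for h, _ in stanzas):
        findings.append("enable mode has no 'enable secret' (default or "
                        "reversible 'enable password' only)")
    for header, body in stanzas:
        if not header.startswith("line vty"):
            continue
        transport = next((line for line in body if line.startswith("transport input")), None)
        # IOS accepts telnet on vty lines unless 'transport input' excludes it
        if transport is None or re.search(r"\b(telnet|all)\b", transport):
            findings.append(f"{header}: telnet accepted ({transport or 'no transport input line'})")
        if not any(line.startswith("access-class ") and line.endswith(" in") for line in body):
            findings.append(f"{header}: no inbound access-class, any source may connect")
    return findings

# Constructed samples; the 'enable secret' hash is a placeholder, not a real one.
WEAK_CONFIG = """enable password cisco
line vty 0 4
 password cisco
 login
"""
HARDENED_CONFIG = """enable secret 5 $1$PLACEHOLDER$notarealhash
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""
```

Running `audit_ios_config(WEAK_CONFIG)` yields three findings, one per weakness; the hardened sample yields none.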

According to Robert Graham, Chief Technology Officer of Network ICE, "Intruders don't use black magic to break into systems. I've never seen an intrusion technique that wasn't already published on sites like SecurityFocus.com. The paranoid should make it a point to read these announcements before the intruders do."
