Event
Summary
On April 19th, Cisco announced a security advisory to patch bug CSCdr10025
which allows access to its Catalyst Switches through the use of a default
password. On April 20th, SecurityFocus reposted this advisory on their
website. On April 25, AboveNet suffered a crippling network attack when
someone compromised their network, and disabled several critical backbone
switches by logging on and exploiting this bug.
Though Cisco offers free software upgrades to remedy this vulnerability,
system and network engineers often get caught up in the day-to-day flurry
of new provisioning and on-going support. Applying security patches and
keeping up with advisories gets last priority.
Regardless of whether they should be doing this or not, AboveNet publishes
the IP addresses of its switches to the world on its website. By knowing
what IP address to connect to, if a switch has not had its enable mode
secured with a non-default encrypted password, it is pretty easy to rip
the entire box apart over the network. Enable mode, similar to root on
UNIX systems, or administrator on Microsoft operating systems, allows
you to take full control of a switch, or router. If telnet is allowed
on the switch and it has not been securely passworded, a user can login
as unprivileged and then switch to the privileged enable mode very easily.
Market
Impact
The purpose of security advisories is to help customers secure their systems.
However, misuse of these advisories to take advantage of network and equipment
weaknesses is growing. If the trend continues, companies who issue advisories
may want to start posting them to contract customers only. Posting security
advisories to the general public is a double-edged sword. Though legitimate
customers need to know this information, it is questionable as to whether
it is useful to publish such things to non-customers.
Figure
1
AboveNet Switch in San Jose Loses Connectivity
on April 25th.
(c) Copyright AboveNet
Service
Providers who host the servers and connections of other businesses need
to be particularly careful about what they post to the Internet. Posting
traffic statistics is of course useful, however, posting the IP address
and hostname may not be necessary, unless it is done behind a protected
authentication system or website. It is possible to post traffic statistics,
and at the same time keep the switch behind a protected firewall. Though
security due diligence was not applied to AboveNet's switch, it's surprising
that it wasn't better protected by a more secure perimeter.
User
Recommendations
When security advisories come out, companies need to act quickly. Security
and network engineers are not the only ones who read these advisories.
Cybercriminals, with unsavory intentions, often wait for advisories to
come out, and then go to work to see if they can exploit them.
- Companies should publish as few IP addresses to the world as possible.
- If Internet Telnet access is necessary for network equipment, it
should be behind a secure authentication system that does not use
reusable passwords.
- When advisories come out, service providers need to act quickly.
Having a process in place to act upon security advisories quickly
will prevent unnecessary downtime, and embarrassing security compromises.
Prospective customers should request that their service provider respond
to vendor security advisories within 1 or 2 business days - anything
longer than that is taking a risk.
- Having a periodic Security Vulnerability Assessment can pinpoint
weaknesses before unsavory hands exploit them.
- Service Providers need to make sure that proper Access-Lists (ACLs)
have been configured to protect their network devices.
According
to Robert Graham, Chief Technology Officer of Network ICE, "Intruders
don't use black magic to break into systems. I've never seen an intrusion
technique that wasn't already published on sites like SecurityFocus.com.
The paranoid should make it a point to read these announcements before
the intruders do."