===========================================================================
              AUSCERT External Security Bulletin Redistribution

                             
         ESB-98.043 -- Secure Networks Inc. Security Advisory SNI-26
               Security Issues with Ascend Routing Hardware
                             18th March 1998

===========================================================================

Secure Networks Inc. has released the following advisory concerning
several vulnerabilities in Ascend Routers.  These vulnerabilities
may allow attackers to deny service to networks that depend on
Ascend Routers and/or gain access to the routers' configuration
file, which contains passwords and other sensitive information.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had
no control over its content.  As such, the decision to use any or
all of this information is the responsibility of each user or
organisation, and should be done so in accordance with site policies
and procedures.

NOTE: This is only the original release of the security bulletin.
It will not be updated when the original bulletin is.  If downloading
at a later date, it is recommended that the bulletin is retrieved
from the original authors to ensure that the information is still
current.

Contact information for SNI is included in the Security Bulletin
below.  If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
Facsimile:      (07) 3365 7031


- --------------------------BEGIN INCLUDED TEXT--------------------

                       ######    ##   ##    ######
                       ##        ###  ##      ##
                       ######    ## # ##      ##
                           ##    ##  ###      ##
                       ###### .  ##   ## .  ###### .

                           Secure Networks Inc.

                            Security Advisory
                             March 16,  1998

               Security Issues with Ascend Routing Hardware

- - -----------------------------------------------------------------------------

SYNOPSIS

Ascend Communications provides several popular routing and access-server
solutions, including the Pipeline access router and the MAX access server. 
Due to problems in the Ascend operating system that runs on these
platforms, it is possible to deny service to networks that depend on them.
Additionally, knowledge of the SNMP "write" community (which defaults to
"write") enables an attacker to download the entire configuration file of
the router, which contains access passwords and other sensitive
information. 

- - -----------------------------------------------------------------------------
 
DESCRIPTION OF DENIAL OF SERVICE PROBLEM

Ascend provides a configuration tool for their equipment which enables
operators to reconfigure routers via a graphical interface. This tool is
called the "Ascend Java Configurator". The Ascend Configurator is capable
of locating Ascend routers on a network, using a special probe protocol.

In order to locate Ascend routers, the Configurator broadcasts a specially
formatted UDP packet to the "discard" port (port 9). Ascend routers listen
for these packets and respond with another UDP packet that contains the
symbolic name of the router. In this manner, the Configurator can build
a list of all Ascend routers on the local network.

By sending a specially formatted (but malformed) probe packet to the
discard port of an Ascend router, an attacker can cause an Ascend router
to lock up. Attackers can easily discover Ascend routers to crash by
sending probe packets to the discard port of arbitrary ranges of
addresses; only Ascend routers will respond to them.

- - -----------------------------------------------------------------------------

DESCRIPTION OF SNMP SECURITY ISSUE

Ascend routers are manageable by the SNMP protocol. Ascend's SNMP support
includes the ability to read and write MIB variables. Ascend's SNMP system
is protected by the SNMP community definitions, which act as passwords for
SNMP access. By default, the SNMP "read" password is "public", and the
SNMP "write" password is "write". An attacker that can guess the SNMP
"read" community can read arbitrary MIB variables, and an attacker that
can guess the "write" community can set arbitrary MIB variables to new
values.

Ascend provides a vendor-specific extension MIB. This MIB includes
variables specific to Ascend equipment. Among these variables is a group
of settings called "sysConfigTftp", which allow the configuration of the
router to be manipulated via the TFTP protocol. By writing to these
variables with SNMP "set" messages, an attacker can download the entire
configuration of the Ascend router.

The full configuration of an Ascend router includes the telnet password
(knowledge of which allows an attacker to gain telnet access to the Ascend
menu interface), all the enhanced access passwords (allowing an attacker
to reconfigure the router from the menu interface), network protocol
authentication keys (including RADIUS and OSPF keys), usernames and
passwords for incoming connections, and usernames, passwords, and dial-up
phone numbers for outgoing connections. All of this information is in
plaintext. 

An attacker with full access to an Ascend router can also use it to
"sniff" the networks it is attached to. Ascend routers have an extensive
(and largely undocumented) debugging interface; functions are included in
this interface to obtain hexadecimal dumps of raw Ethernet, ISDN, DS1, and
modem traffic. 

- - -----------------------------------------------------------------------------

VULNERABLE SYSTEMS

These issues are known to be relevant to Ascend Pipeline and MAX
networking equipment. These vulnerabilities have been confirmed in
Ascend's operating system at version 5.0Ap42 (MAX) and 5.0A (Pipeline).

Ascend's 6.0 operating system disables SNMP "write" access by default.
Previous versions of the software enable SNMP "write" access with a
default community of "write". 

- - -----------------------------------------------------------------------------

RESOLUTION

The denial-of-service issue detailed in this advisory is due to an
implementation flaw in Ascend's software. While no immediate fix is
available, it is possible to work around this problem by filtering out
packets to the UDP discard port (9). 

Because SNMP "write" access on an Ascend router is equivalent to complete
administrative access, it is very important that the community chosen is
hard to guess. Deployed Ascend equipment should be checked to ensure that
default (or easily guessed) communities are not in use. 

The SNMP configuration of an Ascend router is available through the
menuing system, as "Ethernet...Mod Config...SNMP Options...".
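
Added example (not part of the SNI advisory or of any Ascend software): a
monitoring-side check for the two conditions the resolution describes,
namely traffic to the UDP discard port and SNMP requests that still carry a
default community. The function names, result labels and sample datagram
are this example's own, and the sample is constructed.

```python
# Added example: classify a UDP datagram seen in front of a router.
DEFAULT_COMMUNITIES = {b"public", b"write"}   # defaults named in the advisory
PDU_NAMES = {0xA0: "get", 0xA1: "getnext", 0xA2: "response", 0xA3: "set"}

# Constructed SNMPv1 SetRequest with community "write" and one varbind on the
# standard sysContact.0 OID (a stand-in; no Ascend OID appears on the page).
SAMPLE_SET = bytes.fromhex(
    "30 26 02 01 00 04 05 77 72 69 74 65 a3 1a 02 01 01 02 01 00 02 01 00 "
    "30 0f 30 0d 06 08 2b 06 01 02 01 01 04 00 04 01 78")

def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low bits count length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_community(datagram):
    """Return (community, pdu_name) for an SNMPv1/v2c message."""
    fields, pos = [], 0
    tag, body, _ = read_tlv(datagram, 0)
    for want in (0x02, 0x04):         # version INTEGER, community OCTET STRING
        ftag, value, pos = read_tlv(body, pos)
        if tag != 0x30 or ftag != want:
            raise ValueError("not an SNMP community message")
        fields.append(value)
    pdu_tag, _, _ = read_tlv(body, pos)
    return fields[1], PDU_NAMES.get(pdu_tag, "other")

def classify(dst_port, payload):
    """Label a datagram addressed to a router (labels are this example's own)."""
    if dst_port == 9:                 # discard port: the advisory says filter it
        return "udp-discard"
    if dst_port != 161:
        return "ignore"
    try:
        community, pdu = parse_community(payload)
    except ValueError:
        return "malformed-snmp"
    if community not in DEFAULT_COMMUNITIES:
        return "snmp-ok"
    return "snmp-set-default-community" if pdu == "set" else "snmp-default-community"
```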

- - -----------------------------------------------------------------------------

ADDITIONAL INFORMATION

These issues were identified originally by Jennifer Myers and 
Thomas H. Ptacek at Secure Networks, Inc. SNI thanks Kit Knox
of CONNECTnet INS, Inc. for his assistance with this work. 

Information about Ascend Communications is available at their website
at http://www.ascend.com. Products mentioned in this advisory are
trademarks of Ascend. 

- - -----------------------------------------------------------------------------

ABOUT SECURE NETWORKS, INC. 

Secure Networks, Inc. (SNI) is a security research and development company
based in Calgary, Alberta, Canada. SNI is the largest independent source
of full-disclosure security advisories and new vulnerability information
in the world. For more information about this or other advisories, contact
us at <sni@secnet.com>. A PGP key is provided if privacy is required.

For the full text of this and all of SNI's other advisories, see our web
page at "http://www.secnet.com/advisories/". General information about SNI
is available at "http://www.secnet.com". 

- - -----------------------------------------------------------------------------

COPYRIGHT INFORMATION

The contents of this advisory are Copyright (C) 1998 Secure Networks
Inc, and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

- - -----------------------------------------------------------------------------

Type Bits/KeyID    Date       User ID
pub  1024/9E55000D 1997/01/13 Secure Networks Inc. <sni@secnet.com>
                              Secure Networks <security@secnet.com>




- --------------------------END INCLUDED TEXT--------------------

