Attacks/Breaches
2/3/2010
01:03 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

IBM ISS Researcher Exposes Holes In Cisco's Internet Surveillance Architecture

Wiretapping architecture could be abused by individuals under surveillance and outside attackers; Cisco reviews recommended fixes

WASHINGTON, D.C. -- Black Hat DC 2010 -- An IBM ISS researcher here today revealed major security holes in a little-known wiretapping architecture for IP networks created by Cisco Systems for law enforcement. The weaknesses could result in an attacker interfering with legal surveillance or performing some unauthorized surveillance of his own.

Tom Cross, manager of X-Force Research at IBM ISS, says he first discovered the Cisco Architecture for Lawful Intercept in IP Networks, which was published as an IETF RFC in 2004, four years ago. The document, also known as IETF RFC 3924, is based on the lawful intercept architecture used by the European Telecommunications Standards Institute, and is implemented in Cisco's edge and switch routers -- the 7600, 10000, 12000, and AS5000 series products. Cross says other vendors also have deployed the architecture within their network devices.

Cross says an alleged criminal could discover that he was under law enforcement's surveillance using the current architecture, allowing him to manipulate or corrupt the information collected or to use the surveillance information for nefarious purposes.

Cisco had previously patched a SNMPv3 vulnerability in its router models used in the wiretapping architecture, but Cross says the architecture itself needs some repair, pointing out multiple weaknesses that could be exploited by attackers -- which he says he handed over to Cisco in December 2008.

Jennifer Greeson, communications director at Cisco, who was on hand at Cross' Black Hat presentation, says Cisco has been looking over his recommendations and, perhaps, how to incorporate them, she says.

"We are confident in our framework. That's why we published it: We recognize that security is very important" in this architecture, Greeson says.

Today was the first time Cross -- who says he had to put the effort on the back burner until recently due to other commitments -- has gone public with his research on the wiretapping architecture's weaknesses. Cisco's legal surveillance framework defines the architecture from which the "mediation device" remotely gathers intelligence on behalf of law enforcement from the surveillance target (someone under law enforcement investigation). Vendors such as Digivox, NICE Systems, Verint, and Utimaco make these systems. "The mediation device is the heart of the architecture," Cross says. "It is used by the administrator to provision" the surveillance and sends instructions to the devices that perform the actual surveillance, he says. That information is then reformatted and sent directly to law enforcement, he says.

Cross listed six weaknesses in Cisco's architecture that could lead to security breaches in surveillance: SNMPv3's susceptibility to brute-force credential discovery; password vulnerability in SNMPv3; lack of audit trails; the surveillance output stream's flexibility; the interface's vulnerability to packet-spoofing; and that the RFC doesn't require encryption.

While Cisco has patched the SNMPv3 authentication flaws (CVE-2008-0960), that doesn't mean its customers all have deployed those patches, he warns. Router patching is a particularly onerous process that often gets superseded by operational disruption concerns.

Even so, Cross says the biggest issues are architectural ones that must be fixed by Cisco and the IETF. "These are harder problems that require more thought," he says.

"My greatest concern is the lack of audit trails," he says. An attacker can "turn off" the audit trail, for instance, leaving the victim organization unaware of the activity. Attacks on routers that haven't patched for the SNMPv3 authentication flaw could easily be tracked with traps that monitor for these attacks, according to Cross.

Cross says Cisco's configuration guide for the architecture recommends that network administrators enable SNMP trap notifications to detect potential threats on SNMPv3 authentication, and it "implies" that traps will be sent for packets that carry an incorrect authentication key or any other packet that isn't part of the approved access list.

"I tested this, and there were no authentication traps. So I sent this to Cisco and said it didn't work," Cross says. "Cisco said the implementation was right, but the documentation was wrong [and rewrote the documentation]. So now it no longer says traps are generated.

"But a network administrator would want to know if his network was under attack."

Cross' recommendations to Cisco and the IETF include using a different port for surveillance, such as SNMP over TCP, which would be less prone to spoofing, limiting the addresses for the output stream, and moving notification control into the router configuration so that network administrators won't be able to monitor surveillance or interfere with it.

ISPs in their deployments for law-enforcement surveillance should not only patch for the SNMPv3 flaw, but also use encryption -- namely IPSec encryption, Cross says. Assigning user-group IP access control lists can help seal the authorized user of the lawful intercept action to the proper mediation device, he says. "Also, build out-of-band management networks," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

CVE-2014-3315
Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

CVE-2014-3316
Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.