Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/3/2010
01:03 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

IBM ISS Researcher Exposes Holes In Cisco's Internet Surveillance Architecture

Wiretapping architecture could be abused by individuals under surveillance and outside attackers; Cisco reviews recommended fixes

WASHINGTON, D.C. -- Black Hat DC 2010 -- An IBM ISS researcher here today revealed major security holes in a little-known wiretapping architecture for IP networks created by Cisco Systems for law enforcement. The weaknesses could result in an attacker interfering with legal surveillance or performing some unauthorized surveillance of his own.

Tom Cross, manager of X-Force Research at IBM ISS, says he first discovered the Cisco Architecture for Lawful Intercept in IP Networks, which was published as an IETF RFC in 2004, four years ago. The document, also known as IETF RFC 3924, is based on the lawful intercept architecture used by the European Telecommunications Standards Institute, and is implemented in Cisco's edge and switch routers -- the 7600, 10000, 12000, and AS5000 series products. Cross says other vendors also have deployed the architecture within their network devices.

Cross says an alleged criminal could discover that he was under law enforcement's surveillance using the current architecture, allowing him to manipulate or corrupt the information collected or to use the surveillance information for nefarious purposes.

Cisco had previously patched a SNMPv3 vulnerability in its router models used in the wiretapping architecture, but Cross says the architecture itself needs some repair, pointing out multiple weaknesses that could be exploited by attackers -- which he says he handed over to Cisco in December 2008.

Jennifer Greeson, communications director at Cisco, who was on hand at Cross' Black Hat presentation, says Cisco has been looking over his recommendations and, perhaps, how to incorporate them, she says.

"We are confident in our framework. That's why we published it: We recognize that security is very important" in this architecture, Greeson says.

Today was the first time Cross -- who says he had to put the effort on the back burner until recently due to other commitments -- has gone public with his research on the wiretapping architecture's weaknesses. Cisco's legal surveillance framework defines the architecture from which the "mediation device" remotely gathers intelligence on behalf of law enforcement from the surveillance target (someone under law enforcement investigation). Vendors such as Digivox, NICE Systems, Verint, and Utimaco make these systems. "The mediation device is the heart of the architecture," Cross says. "It is used by the administrator to provision" the surveillance and sends instructions to the devices that perform the actual surveillance, he says. That information is then reformatted and sent directly to law enforcement, he says.

Cross listed six weaknesses in Cisco's architecture that could lead to security breaches in surveillance: SNMPv3's susceptibility to brute-force credential discovery; password vulnerability in SNMPv3; lack of audit trails; the surveillance output stream's flexibility; the interface's vulnerability to packet-spoofing; and that the RFC doesn't require encryption.

While Cisco has patched the SNMPv3 authentication flaws (CVE-2008-0960), that doesn't mean its customers all have deployed those patches, he warns. Router patching is a particularly onerous process that often gets superseded by operational disruption concerns.

Even so, Cross says the biggest issues are architectural ones that must be fixed by Cisco and the IETF. "These are harder problems that require more thought," he says.

"My greatest concern is the lack of audit trails," he says. An attacker can "turn off" the audit trail, for instance, leaving the victim organization unaware of the activity. Attacks on routers that haven't patched for the SNMPv3 authentication flaw could easily be tracked with traps that monitor for these attacks, according to Cross.

Cross says Cisco's configuration guide for the architecture recommends that network administrators enable SNMP trap notifications to detect potential threats on SNMPv3 authentication, and it "implies" that traps will be sent for packets that carry an incorrect authentication key or any other packet that isn't part of the approved access list.

"I tested this, and there were no authentication traps. So I sent this to Cisco and said it didn't work," Cross says. "Cisco said the implementation was right, but the documentation was wrong [and rewrote the documentation]. So now it no longer says traps are generated.

"But a network administrator would want to know if his network was under attack."

Cross' recommendations to Cisco and the IETF include using a different port for surveillance, such as SNMP over TCP, which would be less prone to spoofing, limiting the addresses for the output stream, and moving notification control into the router configuration so that network administrators won't be able to monitor surveillance or interfere with it.

ISPs in their deployments for law-enforcement surveillance should not only patch for the SNMPv3 flaw, but also use encryption -- namely IPSec encryption, Cross says. Assigning user-group IP access control lists can help seal the authorized user of the lawful intercept action to the proper mediation device, he says. "Also, build out-of-band management networks," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...