From: Secure Networks Inc. [sni@SECURENETWORKS.COM]
Sent: Monday, March 16, 1998 3:50 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: SNI-26: Ascend Router Security Issues

Secure Networks Inc. Security Advisory
March 16, 1998

Security Issues with Ascend Routing Hardware

-----------------------------------------------------------------------------

SYNOPSIS

Ascend Communications provides several popular routing and access-server
solutions, including the Pipeline access router and the MAX access server.
Due to problems in the Ascend operating system that runs on these platforms,
it is possible to deny service to networks that depend on them.

Additionally, knowledge of the SNMP "write" community (which defaults to
"write") enables an attacker to download the entire configuration file of
the router, which contains access passwords and other sensitive information.

-----------------------------------------------------------------------------

DESCRIPTION of DENIAL OF SERVICE PROBLEM

Ascend provides a configuration tool for their equipment which enables
operators to reconfigure routers via a graphical interface. This tool is
called the "Ascend Java Configurator".

The Ascend Configurator is capable of locating Ascend routers on a network,
using a special probe protocol. In order to locate Ascend routers, the
Configurator broadcasts a specially formatted UDP packet to the "discard"
port (port 9). Ascend routers listen for these packets and respond with
another UDP packet that contains the symbolic name of the router. In this
manner, the Configurator can build a list of all Ascend routers on the local
network.

By sending a malformed probe packet to the discard port of an Ascend router,
an attacker can cause the router to lock up.
Attackers can easily discover Ascend routers to crash by sending probe
packets to the discard port of arbitrary ranges of addresses; only Ascend
routers will respond to them.

-----------------------------------------------------------------------------

DESCRIPTION of SNMP SECURITY ISSUE

Ascend routers are manageable by the SNMP protocol. Ascend's SNMP support
includes the ability to read and write MIB variables. Ascend's SNMP system is
protected by the SNMP community definitions, which act as passwords for SNMP
access. By default, the SNMP "read" password is "public", and the SNMP
"write" password is "write". An attacker that can guess the SNMP "read"
community can read arbitrary MIB variables, and an attacker that can guess
the "write" community can set arbitrary MIB variables to new values.

Ascend provides a vendor-specific extension MIB. This MIB includes variables
specific to Ascend equipment. Among these variables is a group of settings
called "sysConfigTftp", which allow the configuration of the router to be
manipulated via the TFTP protocol. By writing to these variables with SNMP
"set" messages, an attacker can download the entire configuration of the
Ascend router.

The full configuration of an Ascend router includes the telnet password
(knowledge of which allows an attacker to gain telnet access to the Ascend
menu interface), all the enhanced access passwords (allowing an attacker to
reconfigure the router from the menu interface), network protocol
authentication keys (including RADIUS and OSPF keys), usernames and passwords
for incoming connections, and usernames, passwords, and dial-up phone numbers
for outgoing connections. All of this information is in plaintext.

An attacker with full access to an Ascend router can also use it to "sniff"
the networks it is attached to.
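The following is an added example, not code from the original advisory or from Ascend: a decoder for SNMPv1 messages captured on UDP/161 that flags SetRequest PDUs and default communities, since a SetRequest accepted under the default "write" community is the precondition for the sysConfigTftp configuration download described above. The sample packet is constructed here, and its OID (1.3.6.1.4.1.1) is a placeholder, not Ascend's actual sysConfigTftp OID.

```python
"""Decode SNMPv1 messages (UDP/161) and flag SetRequests with default communities."""
from typing import Dict, List, Tuple

DEFAULT_COMMUNITIES = {b"public", b"write", b"private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at pos; return (tag, value, next pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_snmpv1(pkt: bytes) -> Dict[str, object]:
    """Return version, community and PDU type of an SNMPv1 message."""
    tag, msg, _ = read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = read_tlv(msg, 0)            # INTEGER version, 0 == SNMPv1
    _, community, pos = read_tlv(msg, pos)    # OCTET STRING community
    pdu_tag, _, _ = read_tlv(msg, pos)        # context-specific tag = PDU type
    return {"version": int.from_bytes(ver, "big"), "community": community,
            "pdu": PDU_NAMES.get(pdu_tag, "unknown")}

def alerts_for(pkt: bytes, src: str, dst: str) -> List[str]:
    """Any SetRequest is worth a ticket; a default community means rotate it."""
    m = parse_snmpv1(pkt)
    out = []
    if m["pdu"] == "SetRequest":
        out.append(f"SNMP SetRequest {src} -> {dst} community={m['community']!r}")
        if m["community"] in DEFAULT_COMMUNITIES:
            out.append(f"default write community accepted on {dst}: rotate it")
    return out

def tlv(tag: int, body: bytes) -> bytes:
    """Minimal BER encoder (short length form) used for the constructed sample."""
    return bytes([tag, len(body)]) + body

# Constructed sample: SNMPv1 SetRequest, community "write", one varbind whose
# OID (1.3.6.1.4.1.1) is a placeholder, not Ascend's real sysConfigTftp OID.
VARBIND = tlv(0x30, tlv(0x06, b"\x2b\x06\x01\x04\x01\x01") + tlv(0x04, b"10.0.0.5"))
SAMPLE_SET = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"write") + tlv(
    0xA3, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")
    + tlv(0x30, VARBIND)))
```

Running `alerts_for(SAMPLE_SET, "10.0.0.5", "10.0.0.1")` yields two alerts; a GetRequest under "public" yields none, since reads alone cannot trigger the TFTP download.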
Ascend routers have an extensive (and largely undocumented) debugging
interface; functions are included in this interface to obtain hexadecimal
dumps of raw Ethernet, ISDN, DS1, and modem traffic.

-----------------------------------------------------------------------------

VULNERABLE SYSTEMS

These issues are known to be relevant to Ascend Pipeline and MAX networking
equipment. These vulnerabilities have been confirmed in Ascend's operating
system at version 5.0Ap42 (MAX) and 5.0A (Pipeline).

Ascend's 6.0 operating system disables SNMP "write" access by default.
Previous versions of the software enable SNMP "write" access with a default
community of "write".

-----------------------------------------------------------------------------

RESOLUTION

The denial-of-service issue detailed in this advisory is due to an
implementation flaw in Ascend's software. While no immediate fix is
available, it is possible to work around this problem by filtering out
packets to the UDP discard port (9).

Because SNMP "write" access on an Ascend router is equivalent to complete
administrative access, it is very important that the community chosen is
hard to guess. Deployed Ascend equipment should be checked to ensure that
default (or easily guessed) communities are not in use. The SNMP
configuration of an Ascend router is available through the menuing system,
as "Ethernet...Mod Config...SNMP Options...".

-----------------------------------------------------------------------------

ADDITIONAL INFORMATION

These issues were identified originally by Jennifer Myers and Thomas H.
Ptacek at Secure Networks, Inc. SNI thanks Kit Knox of CONNECTnet INS, Inc.
for his assistance with this work.

Information about Ascend Communications is available at their website at
http://www.ascend.com. Products mentioned in this advisory are trademarks of
Ascend.

-----------------------------------------------------------------------------

ABOUT SECURE NETWORKS, INC.

Secure Networks, Inc.
(SNI) is a security research and development company based in Calgary,
Alberta, Canada. SNI is the largest independent source of full-disclosure
security advisories and new vulnerability information in the world.

For more information about this or other advisories, contact us at . A PGP
key is provided if privacy is required.

For the full text of this and all of SNI's other advisories, see our web
page at "http://www.secnet.com/advisories/". General information about SNI
is available at "http://www.secnet.com".

-----------------------------------------------------------------------------

COPYRIGHT INFORMATION

The contents of this advisory are Copyright (C) 1998 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

-----------------------------------------------------------------------------

Type Bits/KeyID    Date       User ID
pub  1024/9E55000D 1997/01/13 Secure Networks Inc.
                              Secure Networks