IP Spoofing and Vendors' attitude

[cklaus () iss net (Christopher Klaus)]

The IP spoof problem shouldn't have been such a suprise to anyone.  It has
been known publicly known about since 1985 with several papers on the topic
available to anyone.  The papers were like telling how it would be possible
to pick the lock on every door in the world and it is more suprising that
that it took so long before someone actually started exploiting the problem.

And with this problem, it is relatively pretty simple to correct so that the
tcp's sequence numbers are not so easy to guess.  It is pretty sad that you
have to have enough hackers exploiting a problem before these security 
vulnerabilities are addressed and it is unfortunate that many vulnerabilities
are kept quiet by vendors till enough customers have been abused and someone
finally speaks out.  

But here is something I find disturbing that you may want to pursue and
correct.  I emailed most of the major Unix vendors that have this vulnerability
asking in light of the recent problems, if they were going to be providing
a patch to correct the situation and if so, how long.  There was several
types of responses.  

        In some cases, I have not received a response after
2 days so either their security-alert email alias is overloaded and taking
days or weeks to respond.  Or they haven't decided anything yet
or it is going to /dev/null, which may be the attitude of some vendors.

The typical response that I did received was that they were looking into it
and whether it was worth patching anytime soon.  One response that did almost
suprise me coming from a major vendor was that because of CERT's stance on
the problem and saying the problem could be corrected by firewalls, they
didn't feel a need to release a patch.  They also told me that IP Spoofing
only made your network slightly vulnerable.  (I am not sure what could
make your network more vulnerable, Posting every confidental file and password
from your systems to Usenet?)  

> From CERT's advisory it does not look like they are encouraging vendors to
provide any sort of patches and the only solution is to block spoofed
packets via firewall/router.  I do not know how the majority of you feel,
but I think a more complete solution is needed here, not to just rely
on firewalls and routers.  There are too many people on the net that do
not have the comforts of a firewall and even within a large organization, 
you do not want your machines vulnerable to attack from anyone else who is 
behind your firewall.   Not only that, I hope most people realize that a
firewall is not a total solution to security on the net.  It can be
in some cases detrimental due to an organization feeling all comfortable 
behind their firewall and deceive them into not applying any other security
precautions.  There have been quite a few cases where firewall security has
been by-passed and that should be a lesson to not rely on just a firewall. 

I hope that other people who rely on vendors for patches tell their own
vendor how they feel and maybe with enough response from customers,
we will see companies come forward and provide needed security patches. 
If you feel safe behind your firewall with all your machines insecure, then
you probably won't need to e-mail your vendor.  8-) Or if you rely on 
free Unixes like NetBSD, they already have a patch available. 

Obviously, the total solution will not be just with firewalls, nor patches.
Cryptography will be a large part of a total and permanent solution so that
network traffic can be properly encrypted and authenicated, but for now,
firewalls and patches can lower your risks to successful attacks a 
fairly great amount.

I have written a list of vendors and how to contact their security group and
hope that people use it to discuss with their vendors their security needs.
Hopefully we will see a vendor come forward and provide patches and the
others soon to follow, eh?  

Appended below is a list of Unix vendors.  


Vendor Contacts FAQ

Version: 2.0

This Security FAQ is a resource provided by:

     Internet Security Systems, Inc.
     2000 Miller Court West            Tel: (404) 441-4531
     Norcross, Georgia  30071          Fax: (404) 441-2431

     - Computer Security Consulting - Penetration Analysis of Networks -

    ------------------------------------------------------------------------


     "It [Vendor Security Contact FAQ] is the kind of thing that makes you
     look good at work when your boss decides he's joe security and wants
     a patch (for like rdist - duh!) yesterday..." - Tim Scanlon, System
     Analyst

Vendor Security Contacts: Reporting Vulnerabilities and Obtaining New Patches

The following FAQ is a list of security contacts to reach at various vendors
for reporting security vulnerabilities and obtaining new security related
patches.

With the rising number of people and hosts gaining access to the Internet, the
basic integrity of the Net needs to be maintained. Many of security incidents
that happen on Internet could have been avoided by installing security patches
that are available by vendors. It is important to get the recent patches and
ensure that your systems are configured properly. With intruders and their
underground network having quick access to security vulnerabilities, it is
important that administrators have security information available and not rely
on just One organization.

Here are the security contacts that information is available for:

     A/UX
     Cray Research
     Dec
     HP
     IBM
     Next
     Novell
     SCO
     SGI
     Sun

Other important security contacts included are:

     CERT Contact
     CIAC Contact

When reporting a new security bug, try to be as specific as possible about how
to reproduce it, which OS release (uname -a), and any other release numbers of
software that are involved.

    ------------------------------------------------------------------------


A/UX

Contact information for A/UX as follows:

     Send security related information to the following people:
          Erik E. Fair: fair () apple com and CC: staff () apple com

    ------------------------------------------------------------------------


Cray Research

Contact information for Cray Research as follows:

Cray Research customers should first direct questions and concerns to on-site
support personnel (if provided by their service contract). Other contacts
should be made through:

     Technical Service Center
     Cray Research, Inc.
     655F Lone Oak Drive
     Eagan MN 55121
     USA

     tel. +1-612-683-5600
     email. support () cray com

    ------------------------------------------------------------------------


DEC, Digital Equipment Corporation

Contact information for DEC is as follows:

     Send security related information to the following person:
          FIRST Contact: Rich Boren rich.boren () cxo mts dec com, (719) 592-4689

Security patches are issued by Customer Support Centers.

    ------------------------------------------------------------------------


HP, Hewlett Packard

Contact information for HP as follows:

     For security concerns, questions, or problems, you can contact:
          security-alert () hp com

Obtaining Patches:

Patches and mailing lists are available through the HP SupportLine service.
More information is available in their bulletin. The HP SupportLine mail
service is available to anyone who can send electronic mail via the Internet.

    ------------------------------------------------------------------------


IBM, International Business Machines

Contact information for IBM as follows:

     IBM support @ 1-800 237-5511
     Email to services () austin ibm com

Send security related information to Nick Trio (nrt () watson ibm com, a.k.a.
(postmaster () ibm com) Unix person on IBM's Computer Emergency Response Team) and
Alan Fedeli ( fedeli () vnet ibm com).

There are some security patches on anonymous FTP software.watson.ibm.com in
pub/aix3 for AIX.

Security patches are issued through your IBM sales office.

    ------------------------------------------------------------------------


Novell, Inc.

Contact information for Novell as follows:

      Phone number: 800-4-UNIVEL

Security patches are available from:

      Compuserve
      ftp from ftp.novell.com
      floppy from the Novell support folks

    ------------------------------------------------------------------------


NeXT

Contact information for Next as follows:

     Technical Support: ask_next () next com
     Phone number: 800.848.6398

Address:

     900 Chesapeake Drive
     Redwood City, CA 94063

    ------------------------------------------------------------------------


SCO

Contact information for The Santa Cruz Operation (SCO):

     Send security related information to: security-alert () sco com

Security patches are issued on an as-needed basis and will be available at
ftp.sco.com and its mirrors.

When submitting information about a security problem, please include output of
the following commands:

  uname -X
  swconfig
  hwconfig -h        (if hardware-related)

and as much detail about the problem as you can muster.

    ------------------------------------------------------------------------


SGI

Contact information for SGI as follows:

     Send security related information to: security-alert () sgi com
     If there is no response, try Dave Olson olson () anchor esd sgi com

     Support line: 1-800-800-4SGI and ask what patches are available.

There are some security patches on anonymous FTP sgi.com in directory
sgi/IRIX4.0 (or sgi/IRIX5.0 if the system is IRIX5).

Security patches are issued through your SGI sales office.

    ------------------------------------------------------------------------


Sun

Contact information for Sun as follows:

     email: security-alert () sun com
     phone: 415-688-9081
     Fax: 415-688-9101
     postal:

          Sun Security Coordinator
          MS MPK2-04
          2550 Garcia Avenue
          Mountain View, CA 94043-1100

For reporting security vulnerabilities and problems, Sun strongly recommends
that you report problems to your local Answer Center and your representative
computer security response team, such as CERT. In some cases your local Answer
Center will accept a report of a security bug even if you do not have a support
contract. An additional notification to the security-alert alias is suggested
but should not be used as your primary vehicle for reporting a bug.

Sun Security Bulletins

Sun Security Bulletins are available free of charge as part of our Customer
Warning System. It is not necessary to have a Sun support contract in order to
receive them.

To subscribe to this bulletin series, send mail to the address
"security-alert () Sun COM" with the subject "subscribe CWS your-mail-address" and
a message body containing affiliation and contact information. To request that
your name be removed from the mailing list, send mail to the same address with
the subject "unsubscribe CWS your-mail-address". Do not include other requests
or reports in a subscription message.

Due to the volume of subscription requests Sun receives, Sun cannot guarantee
to acknowledge requests. Please contact the security office if you wish to
verify that your subscription request was received, or if you would like your
bulletin delivered via postal mail or fax.

Sun Security Bulletins are archived on ftp.uu.net (in the same directory as the
patches) and on SunSolve. Please try these sources first before contacting the
security office for old bulletins.

    ------------------------------------------------------------------------


Other Resources

    ------------------------------------------------------------------------


CERT (Computer Emergency Response Team)

The CERT (Computer Emergency Response Team). To report a vulnerability contact
CERT at:

     E-mail: cert () cert org

Past advisories and other information related to computer security are
available for anonymous FTP from cert.org (192.88.209.5).

See the Security Resources FAQ for more information on CERT and vulnerability
reporting forms.

    ------------------------------------------------------------------------


CIAC (Computer Incident Advisory Capability)

The CIAC (Computer Incident Advisory Capability) of DoE. To report a
vulnerability, contact CIAC at

     voice: 510-422-8193
     fax: 510-423-8002
     stu-iii: 510-423-2604
     or mail ciac () llnl gov.

Previous CIAC bulletins and other information is available via anonymous ftp
from ciac.llnl.gov (ip address 128.115.51.53).

See the Security Resources FAQ for more information on CIAC advisories and
mailing lists.

    ------------------------------------------------------------------------


Acknowledgements

Thanks go to the following people for providing new or updated information to
be included in this FAQ:

     Dave Millar for helping provide a portion of the information.
     Steve Cooper, spcooper () llnl gov

    ------------------------------------------------------------------------


Copyright

This paper is Copyright (c) 1994, 1995
   by Christopher Klaus of Internet Security Systems, Inc.

Permission is hereby granted to give away free copies electronically. You may
distribute, transfer, or spread this paper electronically. You may not pretend
that you wrote it. This copyright notice must be maintained in any copy made.
If you wish to reprint the whole or any part of this paper in any other medium
excluding electronic medium, please ask the author for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the user's own
risk.

Address of Author

Please send suggestions, updates, and comments to:
Christopher Klaus <cklaus () iss net> of 
Internet Security Systems, Inc.
<iss () iss net>





-- 
Christopher William Klaus       Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.         Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071