Full Disclosure mailing list archives
Re: Drive-by Pharming
From: "Dario Ciccarone \(dciccaro\)" <dciccaro () cisco com>
Date: Fri, 16 Feb 2007 13:15:00 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Larry:
Thanks for contacting us regarding this issue.
Cisco's Product Security Incident Response Team (PSIRT) is a
dedicated, global team that manages the receipt, investigation,
and public reporting of security vulnerability-related
information, related to Cisco products and networks. The on-call
PSIRT team works 24x7 with Cisco customers, independent security
researchers, consultants, industry organizations, and other
vendors to identify possible security issues with Cisco products
and networks.
Linksys is, indeed, a division of Cisco Systems - but the Cisco
PSIRT does not handle security issues on Linksys products.
Linksys customers should contact Linksys technical support via
their normal channels.
Thanks,
Dario
Dario Ciccarone <dciccaro () cisco com>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt
-----Original Message----- From: Larry Seltzer [mailto:Larry () larryseltzer com] Sent: Friday, February 16, 2007 11:12 AM To: full-disclosure () lists grok org uk Cc: psirt (mailer list) Subject: RE: [Full-disclosure] Drive-by Pharming This "response" doesn't seem to address any Linksys (and therefore Cisco) routers, does it? Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.eweek.com/blogs/larry%5Fseltzer/ Contributing Editor, PC Magazine larryseltzer () ziffdavis com -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of psirt () cisco com Sent: Thursday, February 15, 2007 1:00 PM To: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Drive-by Pharming -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Response: Potential exploitation of default administrative credentials Response ID: cisco-sr-20070215-http http://www.cisco.com/warp/public/707/cisco-sr-20070215-http.shtml Revision: 1.0 For Public Release 2007 Feb 15 1600 UTC (GMT) - -------------------------------------------------------------- ---------- - Contents ======== Cisco Response Additional Information Revision History Cisco Security Procedures - -------------------------------------------------------------- ---------- - Cisco Response ============== This is a response to a Symantec published research paper posted on their website at: http://www.symantec.com/enterprise/security_response/weblog/20 07/02/driv eby_pharming_how_clicking_1.html and entitled 'Drive-by Pharming'. In particular, this response focuses on the information in the Symantec paper, as relevant to certain of Cisco's non-consumer products. These products are specified in the "Cisco Routers Impacted' section below. Purpose of this Response +----------------------- As the paper does not disclose any new vulnerability in Cisco products, Cisco is issuing this response and not a Security Advisory. The purpose of this response is to inform customers how to change any default credentials which may ship pre-configured on an impacted Cisco router (identified below), upon initial configuration and before the device is connected to a public network. This response is available at: http://www.cisco.com/warp/public/707/cisco-sr-20070215-http.shtml Cisco Routers Impacted +--------------------- Several types of Cisco routers that are marketed for the Small Office/ Home Office (SOHO), Remote Office/Branch Office (ROBO) and Teleworker business segments may include either Cisco Router Web Setup tool (CRWS) or Cisco Router and Security Device Manager (SDM), which are web-based device-management tools for Cisco IOS Software-based routers. Those Cisco routers have the Cisco IOS HTTP server enabled by default, to allow CRWS or SDM to communicate with the router. With either CRWS or SDM installed at shipping, the routers configuration will have a default username and password that is used to access the router via the HTTP web interface. The following Cisco routers, whose configurations have been based on the default IOS configuration shipped with any version of CRWS prior to version 3.3.0 build 31, may be affected by this attack methodology if the default username and password have not been removed: * Cisco 806 * Cisco 826 * Cisco 827 * Cisco 827H * Cisco 827-4v * Cisco 828 * Cisco 831 * Cisco 836 * Cisco 837 * Cisco SOHO 71 * Cisco SOHO 76 * Cisco SOHO 77 * Cisco SOHO 77H * Cisco SOHO 78 * Cisco SOHO 91 * Cisco SOHO 96 * Cisco SOHO 97 The following Cisco routers, whose configurations have been based on the default IOS configuration shipped with any version of SDM prior to version 2.3.3, may be affected by this attack methodology if the default username and password have not been removed. For details regarding which units have SDM default configurations enabled at shipping, please consult Table 4: 'Ordering and Factory Shipping Options for Cisco SDM' at: http://www.cisco.com/en/US/products/sw/secursw/ps5318/products _data_shee t0900aecd800fd118.html +------------------------------------------------------------- ---------- + | Cisco SDM-Supported Routers | Cisco SDM-Supported Cisco IOS Releases | +------------------------------+------------------------------ ---------- + | Cisco SB101 | | | Cisco SB106 | 12.3(8)YG, 12.4(2)T or later releases | | Cisco SB107 | | +------------------------------+------------------------------ ---------- + | | 12.2(13)ZH or later releases | | Cisco 831 | 12.3(2)XA or later releases | | Cisco 837 | 12.3(2)T or later releases | | | 12.4(2)T or later releases | +------------------------------+------------------------------ ---------- + | | 12.2(13)ZH or later releases | | | 12.3(2)XA or later releases | | Cisco 836 | 12.3(4)T or later releases | | | 12.4(2)T or later releases | +------------------------------+------------------------------ ---------- + | Cisco 851 | 12.3(8)YI | | Cisco 857 | 12.4(2)T or later releases | +------------------------------+------------------------------ ---------- + | Cisco 871 | | | Cisco 876 | 12.3(8)YI | | Cisco 877 | 12.4(2)T or later releases | | Cisco 878 | | +------------------------------------------------------------- ---------- + | | 12.2(13)ZH or later releases | | | 12.3(2)XA or later releases | | | (Cisco SDM does not support Cisco IOS | | Cisco 1701 | release 12.3(2)XF.) | | | | | | 12.3(4)T or later releases | | | 12.4(2)T or later releases | +------------------------------+------------------------------ ---------- + | | 12.2(15)ZL or later releases | | Cisco 1711 | 12.3(2)XA or later releases | | Cisco 1712 | (Cisco SDM does not support Cisco IOS | | | release 12.3(2)XF.) | | | 12.4(2)T or later releases | +------------------------------+------------------------------ ---------- + | | 12.2(13)ZH or later releases | | | 12.3(2)XA or later releases | | Cisco 1710 | (Cisco SDM does not support Cisco IOS | | Cisco 1721 | release 12.3(2)XF.) | | Cisco 1751 | 12.2(13)T3 or later releases | | Cisco 1751-v | 12.3(2)T or later releases | | Cisco 1760 | 12.3(1)M or later releases | | Cisco 1760-v | 12.2(15)ZJ3 (not available for the | | | Cisco 1710 or Cisco 1721) | | | 12.4(2)T or later releases | +------------------------------------------------------------- ---------- + | Cisco 1801 | | | Cisco 1802 | 12.3(8)YI | | Cisco 1803 | 12.4(2)T or later releases | | Cisco 1811 | | +------------------------------+------------------------------ ---------- + | Cisco 1812 | 12.3(8)YH or later releases | | | 12.4(2)T or later releases | +------------------------------+------------------------------ ---------- + | Cisco 1841 | 12.3(8)T4 or later releases | | | 12.4(2)T or later releases | +------------------------------+------------------------------ ---------- + | Cisco 2610XM | | | Cisco 2611XM | 12.2(11)T6 or later releases | | Cisco 2620XM | 12.3(2)T or later releases | | Cisco 2621XM | 12.3(1)M or later releases | | Cisco 2650XM | 12.3(4)XD | | Cisco 2651XM | 12.2(15)ZJ3 | | Cisco 2691 | 12.4(2)T or later releases | +------------------------------+------------------------------ ---------- + | Cisco 2801 | | | Cisco 2811 | 12.3(8)T4 or later releases | | Cisco 2821 | 12.4(2)T or later releases | | Cisco 2851 | | +------------------------------+------------------------------ ---------- + | | 12.2(11)T6 or later releases | | | 12.2(11)T6 or later releases | | Cisco 3640 | 12.3(2)T or later releases | | Cisco 3661 | 12.3(1)M or later releases | | Cisco 3662 | 12.3(4)XD | | | 12.2(15)ZJ3 | | | 12.4(2)T or later releases | +------------------------------+------------------------------ ---------- + | Cisco 3620 | 12.2(11)T6 or later releases | | | 12.3(1)M or later releases | +------------------------------+------------------------------ ---------- + | | 12.2(13)T3 or later releases | | | 12.3(2)T or later releases | | | 12.3(1)M or later releases | | Cisco 3640A | 12.3(4)XD | | | 12.2(15)ZJ3 | | | 12.4(2)T or later releases | +------------------------------+------------------------------ ---------- + | | 12.2(11)T6 or later releases | | | 12.3(2)T or later releases | | Cisco 3725 | 12.3(1)M or later releases | | Cisco 3745 | 12.3(4)XD | | | 12.2(15)ZJ3 | | | 12.4(2)T or later releases | +------------------------------+------------------------------ ---------- + | Cisco 3825 | 12.3(11)T or later releases | | Cisco 3845 | 12.4(2)T or later releases | +------------------------------+------------------------------ ---------- + | | 12.3(2)T or later releases | | Cisco 7204VXR | 12.3(1)M or later releases | | Cisco 7206VXR | 12.4(2)T or later releases | | | Cisco SDM does not support B, E, or | | | S train releases on the Cisco 7000 | | | routers. | +------------------------------+------------------------------ ---------- + | | 12.3(2)T or later releases | | | 12.3(3)M or later releases | | Cisco 7301 | 12.4(2)T or later releases | | | Cisco SDM does not support B, E, or | | | S train releases on the Cisco 7000 | | | routers. | +------------------------------+------------------------------ ---------- + Any of the previously listed Cisco routers whose IOS configuration is not based on the default IOS configuration shipped with either the CRWS or SDM application are not affected by this attack methodology. Additional Information ====================== The Cisco IOS HTTP server is enabled by default on several Cisco IOS devices for use with web-based configuration tools such as CRWS or SDM. If those products are configured via either CRWS or SDM, administrators will be prompted to change the default administrative credentials when they try to configure the device for the first time (earlier versions of CRWS did NOT request the changing of default credentials. For details see: http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml). If the device first-time configuration is done using the command line interface (CLI) and not through the web-based interface, the administrator will NOT be prompted to change the default credentials nor will they be removed automatically by the device itself. Not changing or removing the default credentials leaves the device open to potential exploitation, as described in Symantec's research paper. Cisco introduced a new security feature via Cisco Bug ID: CSCse65910, per which Cisco IOS has added a new keyword 'one-time' to the usernames. User credentials configured on the device and using the 'one-time' option can only be used once when the user connects to the router through a virtual terminal (vty) line or Console port. Cisco IOS will remove this credential from the running configuration after the initial use. The administrator of the device, should then add a username with a privilege level of 15 using the following command: username 'myuser' privilege 15 secret 0 'mypassword' Replace 'myuser' and 'mypassword' with the username and password you want to use, and save the changes to the startup configuration. SDM takes advantage of this Cisco IOS feature from SDM version 2.3.3 or later. This feature is documented on Cisco Bug Toolkit as Cisco Bug ID: CSCek35024. Cisco encourages customers to change any default credentials being used by those device managers during first use. Recommended Workarounds ======================= To help mitigate the risks associated with the type of attack presented in the Symantec paper, Cisco recommends that any default credentials shipped with the device (username/password combinations) be completely removed. If the Cisco router is not configured nor monitored by either SDM or CRWS, and if the IOS HTTP server is not required in your environment, it should be disabled. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this response: http://www.cisco.com/warp/public/707/cisco-air-20070215-http.shtml * Workaround 1 - Disabling the Cisco IOS HTTP Server Functionality Customers who do not use the CRWS or SDM application device-management tools and not requiring the functionality provided by the Cisco IOS HTTP server can disable it by adding the following commands to their device configuration: no ip http server no ip http secure-server The second command might return an error message if the Cisco IOS version installed and running on the device does not support the SSL functionality. This error message is harmless and can be safely ignored. * Workaround 2 - Enabling Authentication of Requests to the Cisco IOS HTTP Server by Configuring an Enable Password Customers who are using the CRWS or SDM applications device-management tools, or requiring the functionality provided by the Cisco IOS HTTP server should configure an authentication mechanism for access to the Cisco IOS HTTP server interface. One option is to configure an enable secret or enable password. The enable password is the default authentication mechanism used by the Cisco IOS HTTP server if no other method has been configured. To configure authentication of the http access via the enable secret password, add the following commands to the device configuration: enable secret 'mypassword' ip http authentication enable Replace 'mypassword' with a strong password of your choosing. For guidance on strong passwords, please refer to your site security policy. The document entitled 'Cisco IOS Password Encryption Facts' available at http://www.cisco.com/en/US/tech/tk59/technologies_tech_note091 86a00801d7 efa.shtml, explains the differences between the enable secret and the enable password commands. * Workaround 3 - Enabling Authentication of Requests to the Cisco IOS HTTP Server by using an Authentication Mechanism Other than the Default Instead of configuring authentication using the default method as described in Workaround 2, configure an authentication mechanism for access to the Cisco IOS HTTP server via other mechanisms. Such authentication mechanisms can be the local user database, or a previously defined Authentication, Authorization and Accounting (AAA) method. As the procedure to enable an authentication mechanism for the Cisco IOS HTTP server varies across Cisco IOS releases and other additional factors, no example will be provided. Customers looking for information about how to configure an authentication mechanism for the Cisco IOS HTTP server are encouraged to read the document entitled 'AAA Control of the IOS HTTP Server', available at http://www.cisco.com/en/US/tech/tk59/technologies_tech_note091 86a008069b dc5.shtml. Note: The only authentication method tested and supported for use with the CRWS application is the local user database. No other methods (including the use of an external RADIUS or TACACS+ server) are supported. References ========== * Definition of Pharming The definition of pharming from: http://www.cisco.com/web/about/security/intelligence/mysdn-soc ial-engine ering.html is shown below: Pharming also takes advantage of false websites, by redirecting users to the false site as they attempt to access a legitimate website. This redirection, also known as domain spoofing, can be perpetrated through an e-mailed virus that lies dormant on a PC until the user enters a specific URL, or by poisoning a domain name system (DNS) directory. A DNS translates web and e-mail addresses into numeric strings. In a poisoned DNS, the links that associate web addresses with numeric strings are changed so users are directed to a false website when they enter a specific URL. Any secure information entered into the false website, such as a user name and password, is captured by hackers. * Improving Security on Cisco Routers The document http://www.cisco.com/warp/public/707/21.html is an informal discussion of some Cisco configuration settings that network administrators should consider changing on their routers, especially on their border routers, in order to improve security. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Revision History ================ +------------------------------------------------------------- ---------- + | Revision 1.0 | 2007-FEB-15 | Initial Initial public release. | +------------------------------------------------------------- ---------- + Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerab ility_poli cy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iD8DBQFF1Jxb8NUAbBmDaxQRAiOPAJ9om3FONUlIC7tINLCrfVFELSb6+QCeLjYd g+mReh7B0gZpdYjIzZs+uKo= =pFEo -----END PGP SIGNATURE----- _______________________________________________Full-Disclosure - We believe in it.Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBRdX0pIyVGB+6GuDwEQLhDwCgjbixfM+b94Y2o2tjeYcjfFWotgUAn0f1 HC07HEsqKsTJ/nusO/rHN+qz =yXSW -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Drive-by Pharming Oliver Friedrichs (Feb 15)
- Re: Drive-by Pharming James Matthews (Feb 16)
- Re: Drive-by Pharming Knud Erik Højgaard (Feb 16)
- Re: Drive-by Pharming McCarty, Eric C. (Feb 16)
- Re: Drive-by Pharming Knud Erik Højgaard (Feb 16)
- <Possible follow-ups>
- Re: Drive-by Pharming psirt (Feb 16)
- Re: Drive-by Pharming Brian Eaton (Feb 16)
- Re: Drive-by Pharming Larry Seltzer (Feb 16)
- Re: Drive-by Pharming Dario Ciccarone (dciccaro) (Feb 16)
- Re: Drive-by Pharming Fabian (Lists) (Feb 16)
- Re: Drive-by Pharming pagvac (Feb 17)
- Re: [inbox] Re: Drive-by Pharming Exibar (Feb 18)
- Re: Drive-by Pharming James Matthews (Feb 16)