Information Security News mailing list archives

Patching the Net's Fatal Flaws


From: InfoSec News <isn () c4i org>
Date: Thu, 21 Feb 2002 03:53:29 -0600 (CST)

Forwarded from: bob <bob () globaldevelopment org>

http://www.businessweek.com/bwdaily/dnflash/feb2002/nf20020220_5030.htm

FEBRUARY 20, 2002
SECURITY NET
By Alex Salkever

Patching the Net's Fatal Flaws

Recent research finds major holes in one of the Web's basic protocols.
And if they aren't fixed, the consequences could be devastating

Before the Web, computer viruses depended on the lowly floppy disk as
their sole means of transmission. Now, thanks to widespread broadband
connectivity, computer viruses can blossom into huge epidemics in no
time, crashing networks and overwhelming IT staffs. So-called "worms"
clog the Web with random scans, searching for vulnerable systems to
corrupt or co-opt, tearing across the digital landscape in a matter of
days or even hours. New hybrid worm-viruses, such as "Code Red," are
even more insidious, using both e-mail and direct scans to spread
their bandwidth-hogging packages to deface Web pages or erase critical
files.

So far, the scope of most of these attacks has been rather limited.
That's not to say large chunks of the computing world haven't been
affected. The "Love Bug" virus hit machines running Microsoft e-mail
clients, potentially targeting 95% of the world's desktop computers.
The "Ramen" worm tagged thousands of computers running Linux. The
"Code Red" worm affected Microsoft's widely installed IIS Web-server
software. But in the grand scope of the Net, these attacks and most
others cut a relatively confined swathe.

That reality may have changed on Feb. 12, when Oulu University's
Secure Programming Group in Finland published a paper outlining major
flaws in Simple Network Management Protocol. SNMP is a set of rules
that allows computers and wired devices to communicate with each other
via a common syntax of shared data-compression standards, among other
technical minutiae.

PERILS OF UBIQUITY.  It's also one of the most widely used data
protocols. You can find it on diverse operating systems and classes of
devices, from Dell desktops to Cisco routers to Sun workstations. "You
look at SNMP, and it's ubiquitous. It's on backbone routers. It's on
switches. It's on desktops. It's on servers. It's on every single
platform," says Stuart McClure, president and chief technology officer
of security consultancy and software company Foundstone.

That ubiquity raises the specter of a massive vulnerability on the Net
and larger questions about the relative safety of the common protocols
that create a seamless system of data sharing. Many experts now say
it's time to shore up these protocols and ensure they are safe. The
alternative could be wide-ranging and extremely damaging Internet
attacks in the future. "We need to do this with all protocols. We also
need to establish some sort of standardization which tells management
quickly and simply whether or not they are employing any obviously
insecure protocols," says Russ Cooper, an engineer with
computer-security provider TruSecure and an expert on Microsoft NT
security issues.

SNMP is only one of a handful of ubiquitous protocols. Others include
TCP/IP, the basic data protocol that enables computers to transport
and receive information over the Web, and UDP, a basic protocol used
to identify remotely which applications are running on a system. These
protocols are designed to work across platforms. Whether you use a Mac
or an IBM mainframe, TCP/IP is pretty much standard.

DROP THE NET?  Most of these protocols are based on architectures from
the early days of the Internet, when security was hardly a concern
amongst the small community of scientists and academicians that
peopled the early Web. Since they were designed more to facilitate
communication than maximize security, critics have long held that
these protocols are the soft underbelly of the Net.

That was precisely the assumption of the Oulu University group when
they set out on a project to poke holes in these standards.
Naturally, they decided to take a whack at SNMP. So they tested 12
separate Internet devices by flooding them with SNMP requests far in
excess of what would normally occur on a network.

Not a single one of the devices emerged unscathed. The researchers
were able to crash them and, in some cases, break into them and
remotely take control of the devices.
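The article does not say what the individual faults were, but the defensive property behind this class of crash is easy to state: a decoder for a wire format like SNMP must check every length it reads from the packet against the bytes it actually received before acting on it. The Python below is an added example written for this page, not code from the Oulu group, from any vendor, or from the test suite described above; it parses only the outer SNMPv1 message envelope (version, community, PDU) with those checks, and the messages it feeds itself are constructed for the example.

```python
"""Bounds-checked decoder for the outer SNMPv1 message envelope (BER TLVs).

Added example: shows the length validation a robust SNMP decoder needs so that
a malformed or oversized message is rejected instead of crashing the decoder.
"""


class MalformedSNMP(ValueError):
    """Raised when a message violates BER framing or the SNMPv1 envelope."""


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos:]; return (tag, value_bytes, next_pos).

    Every length is compared with the remaining buffer before it is used, so a
    declared length larger than the data cannot cause an out-of-bounds read.
    """
    if pos >= len(buf):
        raise MalformedSNMP("truncated: expected a tag at offset %d" % pos)
    tag = buf[pos]
    pos += 1
    if pos >= len(buf):
        raise MalformedSNMP("truncated: missing length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: low 7 bits = byte count
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise MalformedSNMP("unsupported length encoding 0x%02x" % first)
        if pos + nbytes > len(buf):
            raise MalformedSNMP("truncated: long-form length runs past buffer")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise MalformedSNMP("declared length %d exceeds remaining %d bytes"
                            % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length


def parse_snmpv1_envelope(msg, max_community=64):
    """Parse SEQUENCE { INTEGER version, OCTET STRING community, PDU }.

    Returns (version, community, pdu_tag, pdu_bytes). The PDU body is returned
    undecoded; max_community is an example limit, not a protocol constant.
    """
    tag, body, end = _read_tlv(msg, 0)
    if tag != 0x30:
        raise MalformedSNMP("outer tag 0x%02x is not SEQUENCE" % tag)
    if end != len(msg):
        raise MalformedSNMP("%d trailing bytes after message" % (len(msg) - end))
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02 or len(ver) != 1:
        raise MalformedSNMP("version must be a one-byte INTEGER")
    version = ver[0]
    if version != 0:
        raise MalformedSNMP("not SNMPv1 (version %d)" % version)
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise MalformedSNMP("community must be OCTET STRING")
    if len(community) > max_community:
        raise MalformedSNMP("community string of %d bytes exceeds limit"
                            % len(community))
    pdu_tag, pdu, pos = _read_tlv(body, pos)
    # SNMPv1 PDUs are context-specific constructed tags 0xA0 (GetRequest)
    # through 0xA4 (Trap); anything else is not a PDU.
    if (pdu_tag & 0xE0) != 0xA0 or pdu_tag > 0xA4:
        raise MalformedSNMP("PDU tag 0x%02x is not an SNMPv1 PDU" % pdu_tag)
    if pos != len(body):
        raise MalformedSNMP("trailing bytes inside message SEQUENCE")
    return version, community.decode("ascii", "replace"), pdu_tag, pdu


def check_message(msg):
    """Return 'ok' or 'rejected: <reason>', as a guard in front of a decoder would log."""
    try:
        parse_snmpv1_envelope(msg)
        return "ok"
    except MalformedSNMP as exc:
        return "rejected: " + str(exc)


def _tlv(tag, value):
    """Encode one BER TLV (lengths up to 65535); used only to build samples."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


# Constructed samples, not captured traffic. GOOD_GET is a well-formed SNMPv1
# GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) with community "public".
GOOD_GET = bytes.fromhex(
    "302602010004067075626c6963a019020101020100020100"
    "300e300c06082b060102010101000500")
OVERSIZED_LENGTH = b"\x30\x81\xff" + GOOD_GET[2:]      # outer length claims 255 bytes
TRUNCATED = GOOD_GET[:20]                             # packet cut off mid-PDU
OVERSIZED_COMMUNITY = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, b"A" * 200)
                           + GOOD_GET[13:])            # 200-byte community string

if __name__ == "__main__":
    for name, sample in [("good", GOOD_GET), ("oversized length", OVERSIZED_LENGTH),
                         ("truncated", TRUNCATED), ("oversized community", OVERSIZED_COMMUNITY)]:
        print("%-20s %s" % (name, check_message(sample)))
```

The point of the example is that none of the rejections depend on knowing a particular bug in advance: every declared length is checked against the bytes on hand, every tag against what the grammar allows at that position, and any field a device stores in a fixed buffer (here the community string) against an explicit limit, so the decoder fails closed on input it was never meant to see.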

The implications of these findings are staggering. While the test
group only represented a small sample of the thousands of types of
systems that connect to the Net, the results implied that SNMP
weakness might well be as ubiquitous as the protocol itself. "It
affects hundreds of different types of computers and network
equipment. A large-scale attack against this vulnerability could drop
the Internet," says Bruce Schneier, chief technology officer of
Counterpane Internet Security.

SPINAL TAP.  Others see a possible outcome nearly as chilling were
someone to use the SNMP weakness to take control of the backbone
routers that guide the huge flow of data over fiber-optic networks.
They could then theoretically direct masses of data into black holes,
or redirect surfers to some other site instead of their intended
target.

"Once you actually control a piece of the infrastructure, you have
quite a bit more capability and power. No longer are you limited to
controlling a single host. You can take an entire worldwide enterprise
off the network," says Craig Labovitz, director of network
architecture at Arbor Networks, a Waltham, Mass., company that builds
equipment to stop the "Denial of Service" attacks that can cut off
public access to Web sites under an avalanche of bogus data requests.

Ironically, vendors have known that SNMP was not safe since last
summer. The release of the Oulu paper, however, sealed any doubts
about the urgency of creating patches for SNMP on various platforms
and software systems. Currently vendors and IT staffs alike are
scrambling to make sure that their networks are SNMP safe, top to
bottom. Vendors have been pretty good about supplying patches for the
SNMP hole since the research results were announced on Feb. 12. Still,
they didn't seem so concerned last summer.

FOUNDATION OF SAND.  So far, the fallout has been minimal. Major
attacks using the SNMP hole have failed to materialize. That doesn't
mean they won't happen, though. In fact, the National Infrastructure
Protection Center and the CERT Response Center, two of the premier
Federally-funded computer-security watchdogs, are already warning
about automated software tools that prey on the SNMP hole.

That might be jumping the gun. But vendors and network engineers had
better address this problem -- and soon. If they don't, these cracks
in the foundations of Net architecture could indeed bring the whole
structure down.



-
ISN is currently hosted by Attrition.org
