RE: [VulnWatch] NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia Appliances

From: Rouland, Chris (ISSAtlanta) (CRouland@iss.net)
Date: 03/21/02


From: "Rouland, Chris (ISSAtlanta)" <CRouland@iss.net>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, focus-ids@securityfocus.com
Date: Thu, 21 Mar 2002 16:38:22 -0500

Mr. Hellnbak has not proven the exploit legitimate, but rather has
successfully tested a feature which allows for a fresh install to be easily
managed.

There is a feature called "allow first connection" on Nokia which allows for
the very first connection to be connected and get its keys imported. It
can be disabled by any customer who finds that scary, but most do not. The
person setting up the box is always the first one to connect, and after that
only people with authentication keys can connect. If the attacker had
supreme timing and connected in the interval after the software was installed
and before it was managed, the person who set this up in the first place
would get refused access and figure out what was happening. The reason why
we added such a feature was to improve OOB with Nokia because there was no easy
way to get the initial public keys installed.

If the feature is disabled OR if a legitimate administrator has simply
connected at least once, the errant "skank" entry will be useless. At such
point, starscream_skank would be refused a connection to the issDaemon for
lack of public keys, that is unless they gain root or convince the real
administrator to push the pubkey on their behalf.

Also, we've had this impotent entry removed for months now.

It's unfortunate that some security professionals still do not take the time
to work through these issues with vendors through responsible vulnerability
disclosure. In an asynchronous advisory from NMRC such as this,
disinformation like this causes a lot of confusion to the end user, who we
are all trying to protect.

-----Original Message-----
From: hellNbak [mailto:hellnbak@nmrc.org]
Sent: Thursday, March 21, 2002 1:00 PM
To: Rouland, Chris (ISSAtlanta)
Cc: nmrcfolk@nmrc.org; bugtraq@securityfocus.com; vulnwatch@vulnwatch.org;
focus-ids@securityfocus.com
Subject: RE: [VulnWatch] NMRC Advisory - KeyManager Issue in ISS RealSecure
on Nokia Appliances

On Thu, 21 Mar 2002, Rouland, Chris (ISSAtlanta) wrote:
>
> Please confirm that you are able to exploit this, without root access
> to the IPSO box.

Chris, if I set up my own console, why would I need root access to the IPSO
box? If I simply set my machine name to starscream and my user to skank I
am able to connect and push new keys generated by my console.

I am unsure why you would post that "NMRC is unable to confirm that this can
be exploited" without actually talking to me first. I just tested it, a
second time, and yes, you can connect via the console and root access on the
Nokia box is not an issue. The console connects to the control channel and
allows me to push new keys down using the deployment wizard which then
allows me to set my new console as the "master controller" and gather
alerts, modify policies etc...