Phenoelit Advisory 0815 ++ -- Brick

From: kim0 (kim0@phenoelit.de)
Date: 07/27/02 

Date: Sat, 27 Jul 2002 12:17:45 +0200
From: kim0 <kim0@phenoelit.de>
To: darklab@darklab.org, bugtraq@securityfocus.com, vuln-dev@securityfocus.com




-- 
            kim0   <kim0@phenoelit.de>
        Phenoelit (http://www.phenoelit.de)
90C0 969C EC71 01DC 36A0  FBEF 2D72 33C0 77FC CD42

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++->

[ Authors ]
        FX <fx@phenoelit.de>
        kim0 <kim0@phenoelit.de>

        Phenoelit Group (http://www.phenoelit.de)
        http://www.phenoelit.de/stuff/Lucent_Brick.txt

[ Affected Products ]
        Lucent
                        LSMS 5.5 (Lucent Brick, Bridging VPN Firewall)

        Lucent Bug ID: Not assigned

[ Vendor communication ]
        06/28/02 Reply to inquiry regarding "who to notify"
        06/29/02 Initial Notification to Brick team
                        *Note-Initial notification by phenoelit
                        includes a cc to cert@cert.org by default
        07/02/02 Ack. of receipt by Lucent Brick team
        07/06/02 Weekly follow-up by central POC at
                        Lucent (Right on Time)
        07/08/02 Additional tech-discussions
        07/19/02 Notification of intent to post publically
                        in apx. 7 days.
        07/25/02 Notification that due to personnel changes at Lucent,
                        our POC has changed. The new person is supposed to be
                        contacting us...

[ Overview ]
        The Lucent Brick VPN Firewall is a layer 2, NCSA, US Army, and
        US National Security Agency (NSA) Approved/Certified Firewall that
        operates on Inferno, an Embdedded Operating System. "Brick" devices
        come in many sizes from the SOHO Brick 20 to the Enterprise 1000(GiG).
        
[ Description ]
        The Brick suffers from several design failures in handling of the ARP
        protocol.

        1. It is possible to interrupt any connection between the Brick and
        critical devices such as the LSMS (Brick Management Server) by
        binding the IP Address of the device in question to the attackers
        interface and "pinging" the Brick or any address behind it. The Brick
        will immediately update its ARP cache and drop the connection, no matter
        where the attacker is located (internal/outside segment). This
        requires the "Floating MAC" setting to be turned on.

        2. The Brick will forward any ARP request and response across all
        interfaces, regardless of the existing firewall rules.

        3. All Bricks are identifiable during reconnaissance using the most
        basic of techniques (pinging all addresses in segment). The device
        that sends ARP requests for the attacker IP address is the Brick.

[ Example ]
        1. # man ping
        2. # man arp
        3. # for i in ´cat ipaddresses.txt´; do ping $i; done

[ Solution ]
        None known at this time.

[ end of file ]