SUNNYVALE, CALIF. (03/03/2000) - A security problem has cropped up in Foundry Networks Inc.'s ServerIron switches that makes the devices susceptible to denial-of-service attacks.
According to an advisory posted on the BUGTRAQ mailing list, Foundry's implementation of TCP/IP lets attackers easily predict the sequence of data streams and spoof or hijack sessions. By spoofing sessions, attackers can flood ServerIron switches and attached servers with bogus data, thereby denying service to legitimate traffic.
BUGTRAQ is an independent mailing list in which users discuss security and quality issues. ServerIron switches are used to balance traffic loads between Web servers.
According to the advisory, ServerIron is vulnerable because its management IP address exposes the product's "rather poor" TCP/IP implementation.
"The predictability exposes sideband information about when the switch is being used by other [possibly legitimate] users," the advisory states.
The advisory was posted by Andrew van der Stock, security architect for e-Secure in St. Leonards, Australia. He declined to comment further on his post. As a workaround, his advisory suggests users filter off telnet, HTTP and SNMP access to the Foundry devices to only trusted management IP addresses.
"Better yet," the advisory states, "disable SNMP and the Web interface and completely filter off telnet access. Remote management access is then only available via serial console."
Foundry's workaround: Apply the fix posted on its Web site late last week at www.foundrynet.com/bugTraq.html.
Foundry says it has not received any reports from customers who have been hit with denial-of-service attacks due to the glitch. Some Foundry users contacted by Network World last week concurred, but were taking precautions nonetheless.
"I'm dealing with my contacts at Foundry to discuss what they're doing about it and what the potential side effects are," says Yoshio Kurtz, director of development at Proflowers.com. "I'm concerned about it, but if I knew everything that could be wrong with my car, I'd be concerned about that, too."
Stefan Silverman, master technologist at e-business integrator Scient in San Francisco, says the advisory is an over-reaction. "The exposure of the management interface or telnet interface to the entire world is the default configuration of every router or switch I've ever used. It's a much wider problem than just Foundry." Silverman was prompted by Foundry to call Network World.