Security flaw threatens to tie up Net sites
- 14 February, 2002 13:40
A security flaw threatening much of the Internet's network devices has put local system administrators into action mode.
The flaw, which could allow hackers to shut down or gain control of network devices, poses a serious problem for ISPs that use routers to manage the flow of messages across computer networks and the Internet, according to a warning from the US-based SANS (System Administration, Networking, and Security) Institute.
An alert issued by AusCert (Australian Computer Emergency Response Team), and other CERT bodies, advises administrators to act quickly to apply available patches. Local systems administrators of telcos and ISPs have been hurrying to secure their systems since the alert.
However, an anonymous systems administrator at a large telco said he can't simply patch, because patching involves rebooting boxes and routers, which would take down much of the Internet in Australia.
Instead, it will take his team more than three days' work to finish checking firewall rule sets and make sure all the Unix and Windows boxes can't be hit from the outside.
For the routers, the telco has also been working with Cisco to get the problem resolved without upgrading.
"I'm not sure of the full consequences as I've yet to see the exploit, but telcos have to be sure to cover themselves as we are beholden to the Telecommunications Act. Management, up to director level, has been briefed," he said.
Although there has been no impact yet, the administrator said, "In theory all you'd have to do is take out a few key routers and DNS servers and you'd cause absolute havoc, so it was important to have this covered."
John Edwards, a systems administrator from Adam Internet, said, "It's good security practice not to allow anyone outside your network to find information via SNMP. As such, all of our routers and switches are currently protected and we can examine the vulnerability at our leisure.
"With respect to network security, anyone who isn't paranoid about new exploits won't last long. Well secured networks don't have much to worry about, since their SNMP servers will be unreachable from the Internet," Edwards said.
While the SANS Institute warns that ISPs that don't act will risk having their routers go down, Edwards said this is a bit over the top.
"An ISP or one of its customers needs to get someone's attention to be the target of a DoS (denial of service) [attack]. I don't recall this seriously affecting an Australian ISP."
According to Edwards, an attacker could be alerted to vulnerable systems because an interface access control list (ACL), a filter that stops packets from reaching the network, may show an attacker that an SNMP port is blocked. An ACL is put into a Cisco router to block access to particular resources.
"Blocking packets at the interface can alert a hacker that a system has been protected. If the packets are dropped on the device itself, it can return a 'connection refused' type message that behaves as if the SNMP service doesn't exist," he said. "On the Ciscos [routers] you can place an ACL on the SNMP server itself, which makes it behave -- to those not allowed -- as if the SNMP server isn't running," Edwards said.
Simon Hackett, managing director of Internode, said, "A good ISP should already have an ACL in its network. If people make an attempt to see if an SNMP is accessible, this barrier makes a noise to tell you about it.
"A way to think about it is you don't block what is bad. You block everything and then put holes into it to access what you need," Hackett said.
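The two controls Edwards and Hackett describe, an ACL bound to the SNMP agent itself rather than to the interface, and a default-deny list with a logged deny so probes "make a noise", can be checked mechanically. The following is an added example, not code from the article, from Cisco, or from either ISP: a small audit of Cisco IOS-style configuration text. The `snmp-server community` and numbered `access-list` syntax is real IOS syntax; the community strings, addresses and ACL numbers are constructed for illustration.

```python
"""Audit IOS-style SNMP configuration for the exposure the article discusses.

Added example (not from the article or any vendor). The two configurations
below are constructed: WEAK_CONFIG is the common 2002 default (well-known
community strings, no ACL), HARDENED_CONFIG follows the default-deny model
Hackett describes, with the ACL bound to the SNMP agent as Edwards suggests.
"""
import re

# Constructed "before": any host that can reach UDP/161 may query the box,
# and the RW string lets it change configuration.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
"""

# Constructed "after": permit only the management subnet (192.0.2.0/24 is a
# documentation range), log every other attempt, bind the ACL to the community.
HARDENED_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
snmp-server community s3cretR0 RO 10
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
ACL_RE = re.compile(r"^access-list (?P<acl>\S+) (?P<action>permit|deny) (?P<rest>.+)$")
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def audit_snmp(config: str) -> list[str]:
    """Return findings for a configuration; an empty list means no issue found.

    Checks: well-known community string, read-write access, community with no
    ACL, ACL referenced but never defined, ACL permitting any host, and ACL
    without a logged deny (so rejected probes leave no trace).
    """
    lines = [ln.strip() for ln in config.splitlines()]
    acls: dict[str, list[tuple[str, str]]] = {}
    for line in lines:
        if m := ACL_RE.match(line):
            acls.setdefault(m["acl"], []).append((m["action"], m["rest"]))

    findings: list[str] = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name = m["name"]
        mode = (m["mode"] or "RO").upper()  # IOS defaults to read-only
        acl = m["acl"]
        if name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(f"{name}: well-known community string")
        if mode == "RW":
            findings.append(f"{name}: read-write access (allows configuration changes)")
        if acl is None:
            findings.append(f"{name}: no ACL, reachable from any host")
            continue
        entries = acls.get(acl)
        if not entries:
            findings.append(f"{name}: ACL {acl} referenced but not defined")
            continue
        if any(a == "permit" and r.split()[0] == "any" for a, r in entries):
            findings.append(f"{name}: ACL {acl} permits any host")
        if not any(a == "deny" and r.split()[-1] == "log" for a, r in entries):
            findings.append(f"{name}: ACL {acl} has no logged deny, probes leave no trace")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_snmp(cfg) or ["no findings"]:
            print(" ", finding)
```

The audit treats a missing ACL on a community string as the critical finding: a standard ACL bound to the community is what makes the agent look absent to unauthorised hosts, while an interface ACL dropping port 161 is visible as a filtered port. The "no logged deny" check is the "makes a noise" part of Hackett's point; a standard ACL has an implicit deny at the end, but only an explicit `deny any log` records who tried.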
Most ISPs are finding the work-around easy, so the problem is not that great. However, ISPs are taking the issue seriously and administrators are finding their workload spiked as they furiously check firewalls and await software upgrades. Administrators of larger ISPs and telcos are the most seriously impacted.
"Big nationwide ISPs are finding there is no way to protect themselves. They have to be moved up a version as soon as there is one. Often the software in their routers is not changed, not because they don't want to, but because there may be other bugs, which can cause customer impact.
"They can't just whack a new version in. They've got to go in and test it first," Hackett said.
Edwards gave an insight into the increased workload.
"Have you ever tried flooding a router with SNMP requests, particularly ones that make 'stuff happen' like a tftp [transferring files to and from network] upload? It tends to chew CPU a lot," Edwards said.
"If you try to make a router tftp a file to/from a server that won't work, it can use up resources that should otherwise be used to move packets."
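Edwards' point is that a flood of SNMP requests is a resource-exhaustion problem before it is anything else, so the operational question for a defender is noticing one early. The following is an added example, not from the article or from Cisco: a sliding-window counter over router syslog that flags any source host generating a burst of IOS `%SNMP-3-AUTHFAIL` messages (the message an agent logs when a request arrives with a community string it does not accept). The message format is the real IOS one; the device name, hosts, timestamps and threshold are constructed.

```python
"""Flag hosts hammering a router's SNMP agent from its syslog.

Added example, not from the article. SAMPLE_SYSLOG is constructed: the
%SNMP-3-AUTHFAIL text matches what IOS emits, but device, addresses and
times are made up. Syslog lines carry no year, so one is assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_YEAR = 2002  # assumption: syslog timestamps have no year field

# Constructed log: one source sends six bad-community requests in ten
# seconds, another sends two far apart, plus one unrelated message.
SAMPLE_SYSLOG = """\
Feb 14 13:40:01 rtr1 101: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.5
Feb 14 13:40:02 rtr1 102: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.5
Feb 14 13:40:03 rtr1 103: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.5
Feb 14 13:40:04 rtr1 104: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
Feb 14 13:40:05 rtr1 105: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.5
Feb 14 13:40:06 rtr1 106: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Feb 14 13:40:07 rtr1 107: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.5
Feb 14 13:40:09 rtr1 108: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.5
Feb 14 13:45:30 rtr1 109: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
"""

AUTHFAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\S* (?P<device>\S+) .*"
    r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host (?P<src>\S+)$"
)


def parse_authfail(line: str):
    """Return (timestamp, device, source host) for an AUTHFAIL line, else None."""
    m = AUTHFAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["device"], m["src"]


def detect_snmp_flood(log_text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Map (device, source) -> peak number of AUTHFAIL events seen within any
    window_s-second window, keeping only pairs that reached the threshold.
    """
    recent: dict[tuple[str, str], deque] = defaultdict(deque)
    peak: dict[tuple[str, str], int] = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_authfail(line.strip())
        if parsed is None:
            continue
        ts, device, src = parsed
        key = (device, src)
        q = recent[key]
        q.append(ts)
        # Slide the window: drop events older than window_s relative to this one.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return {k: n for k, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for (device, src), count in detect_snmp_flood(SAMPLE_SYSLOG).items():
        print(f"{device}: {count} SNMP auth failures from {src} within 60 s")
```

A burst of AUTHFAIL messages shows up only when the sender is guessing community strings; a flood that uses a valid string produces no such log line, which is why the audit of who may reach the agent at all matters more than this detector. Lowering the threshold on devices that should see no SNMP traffic from outside the management subnet turns every hit into a signal, which is the "makes a noise" behaviour Hackett describes.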
So far there have been no reported exploits of these vulnerabilities, according to AusCert.
"If vulnerable networks are attacked, it has the potential to stop traffic both within the network and to and from the Internet," Graham Ingram, general manager of AusCert, said.
Ingram said it is vital that networks do what they can now to secure their systems.
Information about protection strategies can be found on AusCert's Web site (www.auscert.org.au).