![[LWN Logo]](/images/lcorner.png) |
|
![[Timeline]](/images/Included.png) |
Date: Mon, 4 Dec 2000 16:12:31 -0800
From: Ed Ingber <ingber@IPRG.NOKIA.COM>
Subject: Nokia firewalls - Response from Nokia
To: BUGTRAQ@SECURITYFOCUS.COM
This posting is Nokia's response to the issue raised by author "K2" posted
on BugTraq on November 27, 2000 under the subject "Nokia firewalls". We
thank "K2" for bringing this issue to the attention of BugTraq, although
Nokia was not notified directly by "K2" prior to his posting.
"K2" classified this vulnerability as "low priority", and we agree with his
statement based on the nature of the vulnerability and the potential
exploits that might arise from it.
The Vulnerability: Sending a malformed URL consisting of a very large
number of characters ("K2" used 6000+ characters) to the Voyager web-based
management interface of a Nokia platform may interrupt certain
Voyager-related processes affecting access to Voyager. Operation of the
firewall forwarding and filtering functions is not affected, nor is command
line access.
Potential Exploits: No ability to plant malicious code or execute arbitrary
commands has been demonstrated, although this is always a risk in any
buffer overflow-like vulnerability. The exploit has been demonstrated to be
a denial of service affecting the web-based Voyager management interface -
command line management and firewall operation are not affected. To exploit
this vulnerability, the attacker would need access to Voyager and need to
be authenticated as an administrator or monitor (read-only administrator)
with user name and password. Good practice dictates disabling Voyager
access from the untrusted network (e.g. the Internet) if possible. An
inside administrator attacker then having user name and password access to
the management interface would be in a position to do far more harm than
simply disable the web-based Voyager management interface. Voyager could be
vulnerable to an authenticated inside monitor (read-only) administrator
who, worst case, might be able to execute arbitrary code and gain root and
therefore read/write access. You might consider disabling monitor access,
or providing it only to administrators that you trust.
Recommendations:
1. Do not allow Voyager access from untrusted networks (e.g. the Internet).
2. Use good generally accepted practice regarding password selection and
confidentiality (as always).
3. Consider disabling monitor (read-only administrator) access.
4. Use the provided SSH with port redirection (IPSO 3.2.1 and earlier) or
embedded SSL (IPSO 3.3 and later) to encrypt http traffic to Voyager to
prevent an attacker from eavesdropping to hear the password.
A good FireWall-1 rule set to implement recommendations 1-4 might look
something like:
Source / Dest / Service / Action
--------------------------------------------------------------
admin-group / firewalls / [http,] ssh / Accept
management-console / firewalls / fw1-group / Accept
Any / firewalls / Any / Drop
The first rule permits administrative access. The second provides
FireWall-1 management access for the machine acting as the management
console (and is only referenced if Properties have been modified to no
longer accept FireWall-1 Control Connections). The third excludes all other
traffic directly to the firewalls, and is referred to by Check Point as the
"stealth rule".
With these appropriate rules, an attacker must meet the criteria
established in your FireWall-1 security policy and then also be
authenticated as an administrator before he can attempt to attack the
Voyager-related processes.
This low priority vulnerability will be fixed in the next scheduled release
of IPSO (Nokia's OS). For further assistance, customers may contact the
Nokia Technical Assistance Center referenced in your product documentation.
When contacting TAC, reference Resolution 4097.
Ed Ingber, Product Manager
Nokia Internet Communications
650-625-2345