RE: NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia A ppliances

["Rouland, Chris (ISSAtlanta)" <CRouland () iss net>]

This is a known flaw in RealSecure Network Sensor 6.0 build 6.0.2001.141 for
Nokia IPSO.  It was corrected early this year in build 6.0.2001.141d for
IPSO.  This flaw is not remotely exploitable.  Root privileges are required
to obtain public keys from the sensor to allow an initial console
connection.  NMRC has not been able to confirm that they are able to exploit
this flaw.

ISS notified users of the 6.0 IPSO sensor in February, and this issue has
been documented in our public knowledgebase since February 6, 2002. 

---
Knowledgebase Article 
  February 6, 2002

Improper Default Entry in iss.access file for RealSecure for Nokia 6.0

HOW BIG IS THE RISK?

An administrator could grant escalated privileges to a console, allowing key
administrator rights without specifically granting that right 
An attacker would need root access to the appliance, or would need
assistance from an established key administrator to exploit this
vulnerability 
This only affects RealSecure for Nokia 
This is a low risk vulnerability 

WHAT IS THE VULNERABILITY?

There is a pre-defined Key Administrator included in the iss.access file,
starscream_skank, installed by default in RealSecure for Nokia 6.0. An
attacker would need a RealSecure 6.0 Console, setup using the machine name
of starscream and the user name of skank, to generate the correct public
encryption keys. The attacker would then need root access to the Nokia
Sensor, in order to transfer the public keys from the Console to the
Sensor's /Keys directory, to allow the initial Console connection. The
attacker could then copy files to the Sensor's /Keys directory, using the
RealSecure Console. Since this vulnerability can only be used in conjunction
with root access to the Sensor, it's threat level is assessed by Internet
Security Systems as very low. 
WHAT SYSTEMS ARE AT RISK?

Only Nokia IPSO systems, running RealSecure for Nokia 6.0, build
6.0.2001.141 
No other RealSecure Sensors are affected 

RECOMMENDATIONS

The work-around is to remove the Key Administrator designation,
starscream_skank, from the list of Key Administrators for RealSecure for
Nokia 6.0 Sensors which were installed using build 6.0.2001.141 
This build has been replaced with build 6.0.2001.141d, available for
download here:
https://www.iss.net/cgi-bin/download/customer/customer-select.cgi 
ADDITIONAL INFORMATION

For additional information concerning this vulnerability, contact ISS
Technical Support at, support () iss net or 888-447-4861 
  
COMMENTS:

ISS received no notice of a security advisory from NMRC.  In responsible
vulnerability disclosure, the vendor works with the researcher to confirm
fix availability (since Feb 02 in this case), edit the advisory for
technical content and typographic errors, and to confirm exploitation of the
flaw (unconfirmed).  The only correspondence from NMRC follows (thread is,
NMRC is looking for keys to 2 very old versions of RealSecure to find holes
in it, and we are attempting to assist).  Our current shipping version of
RealSecure is 6.5, so the legitimate value of researching RealSecure 3.0 and
5.0 for flaws is questionable as well.

-----Original Message-----
From: Ring Zero [mailto:ringzero () www nmrc org]
Sent: Wednesday, March 20, 2002 12:18 PM
To: Lamb, Kris (ISS Atlanta)
Cc: 'Phuzzy L0gik'; 'Simple Nomad'
Subject: RE: Anomaly in RealSecure


Hello Kris,

Sorry it's been so long.  I found some free time to resume testing on your
Real Secure product.  I ran some tests on version 6 but with no luck.

We need version 5.0.  We found a copy of version 3.0, could you send me a
key?  Or perhaps somehow give me a copy of version 5.0? I've been looking
for weeks now and I can't find it anywhere!

One other thing, why is [KeyManager\starscream_skank\;] installed by default
on the NIDS installation for Nokia?

Thanks

RZ
-------------------------------------------------------------


--------------------------------------------------------------
Chris Rouland
Director / X-Force
Internet Security Systems, Inc.
http://xforce.iss.net
crouland () iss net