Bugtraq mailing list archives

RE: [VulnWatch] NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia Appliances


From: "Rouland, Chris (ISSAtlanta)" <CRouland () iss net>
Date: Thu, 21 Mar 2002 13:32:21 -0500

NOTE TO MODERATORS:  If you choose to post a technical debate including Mr.
hellNbak's reply, please include my follow-up post.  I question whether or
not a documented flaw is worthy of post-alert debate, when this should have
been resolved by the research organization and ISS prior to publication.  It
is questionable across all charters of the lists here. 

Since NMRC is essentially republishing an ISS document in this 'advisory',
this is typically referred to as a security Alert, not an Advisory, since it
is not original security content.

----

Mr. hellNbak,

I have made two inquiries to you via email about reproducing this problem,
with no response.  What you are referring to is an escalation of privilege,
from a console that already has been configured and keyed by the sensor
administrator.  We confirm this in our security bulletin in the ISS KB.  For
a remote attacker to obtain the keys to establish a session, the /Keys
directory on the IPSO box would have to be compromised, requiring root
privs.  

It is difficult to 'talk' to someone who describes themselves as "Not too
many people know who I am or my true identity and I like to keep it that
way.  This is not because I have something to hide, or because am trying to
hide behind a handle but because in order to keep my work life and personal
hacking life separate I must use a handle."  I had no way to get in touch
with you, besides email.  I suggest that NMRC uses more standard procedures
in issuing security advisories if you care for them to be precise in the
future.  We should have been having this conversation before you posted your
'advisory' which was a documented issue since Feb 6, 2002.

-Chris

PS: I have no further comments regarding this issue.  For technically
accurate information regarding the flaw, please reference ISS KB
#020206-000005.

-----Original Message-----
From: hellNbak [mailto:hellnbak () nmrc org] 
Sent: Thursday, March 21, 2002 1:00 PM
To: Rouland, Chris (ISSAtlanta)
Cc: nmrcfolk () nmrc org; bugtraq () securityfocus com; vulnwatch () vulnwatch org;
focus-ids () securityfocus com
Subject: RE: [VulnWatch] NMRC Advisory - KeyManager Issue in ISS RealSecure
on Nokia Appliances


On Thu, 21 Mar 2002, Rouland, Chris (ISSAtlanta) wrote:

Please confirm that you are able to exploit this, without root access 
to the IPSO box.


Chris, if I set up my own console, why would I need root access to the IPSO
box?  If I simply set my machine name to starscream and my user to skank I
am able to connect and push new keys generated by my console.

I am unsure why you would post that "NMRC is unable to confirm that this can
be exploited" without actually talking to me first.  I just tested it, a
second time, and yes, you can connect via the console and root access on the
Nokia box is not an issue.  The console connects to the control channel and
allows me to push new keys down using the deployment wizard which then
allows me to set my new console as the "master controller" and gather
alerts, modify policies etc...

