Vulnwatch mailing list archives

Previous By Date Next
Previous By Thread Next

Nokia GGSN (IP650 Based) DoS

From: "@stake Advisories" <advisories () atstake com>
Date: Mon, 09 Jun 2003 11:21:54 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                             @stake Inc.
                           www.atstake.com

                          Security Advisory

Advisory Name: Nokia GGSN (IP650 Based) DoS
Release Date: 06/09/2003
 Application: Nokia GGSN (IP650 Based)
    Platform: Nokia GGSN (IP650 Based)
    Severity: An attacker is able to cause GGSN to kernel panic
     Authors: Ollie Whitehouse [ollie () atstake com]
Joe Grand Brian Hassick Vendor Status: Informed/Fixed 
CVE Candidate: CAN-2003-0368 Nokia GGSN Kernel Panic
   Reference: www.atstake.com/research/advisories/2003/a060903-1.txt


Overview:

      Nokia's (http://www.nokia.com) GGSN (Gateway GPRS support
node)
is the platform that exists between Gn and Gi networks within a GPRS
network.

There exists a vulnerability in the TCP stack that allows an
attacker to cause the GGSN to kernel panic and shutdown. This
potentially allows an attacker to crash all data connectivity within
a GPRS based network.

This is a good example of why network elements which introduce IP
functionality to legacy networks should have their functionality
verified in terms of impact on security before deployment in a
production environment.

Technical Overview:

       This vulnerability is exploited by sending a malformed
IP packet with a TCP option of 0xFF over a cellphone to the affected
network.

Vendor Response:

       (see recommendation).


Recommendation:

       @stake worked with Nokia to ensure that all affected
operators
were informed and upgraded and only after this time did @stake agree
to release this information to the public. There should be no action
on the part of the operator required.

Below is the notice that was sent out by Nokia to their clients:

       ---[Nokia Notice]---
       NOKIA CUSTOMER CONFIDENTIAL, GGSN RELEASE 1 VULNERABILITY

       Under exceptional circumstances Nokia GGSN release 1 is
       potentially vulnerable to a "Denial Of Service" style of
       attack from a malicious user equipped with a computer and a
       mobile phone. When the vulnerability is exploited the GGSN
       restarts. There is no damage to the configuration, but some
       charging data may be lost.  Changing a normal Access Point to
       tunneled (GRE or IP in IP) prevents the attacks from mobile
       user side.

       The same applies for the Gi interface though routers and
       firewalls would normally drop this kind of packets. The
       problem has been detected and reported by @stake and has been
       reproduced by Nokia in collaboration with @stake. Nokia and
       @stake are jointly working to eliminate the problem.

       This vulnerability is corrected in IPSO version 3.4 and all
       subsequent versions. Thus, GGSN release 2 is not vulnerable,
       GGSN release 1 is. Nokia advices all the customers still
       running GGSN release level 1 to upgrade on GGSN release level
2. 

       As an interim measure operators can perform the following
       preventative configuration changes to their networks. Ensure
       that all IP packets  with non standard IP options are dropped
       by boarder firewalls on the  Gi interface. Within the Gn
       network ensure that the GTP aware firewall (if present) also
       drops all encapsulated IP packets with non standard  IP
       options. This may introduce latency however it will mitigate
       against the attack until the patch has been fully deployed
       and tested.

       Due to the severity of this vulnerability @stake has
       confirmed that they will not be releasing this information
       publicly on their research page
       (http://www.atstake.com/research/)
       until Nokia has confirmed that all affected operators have
       fully patched and tested all affected elements. However
       @stake would ideally like to  release this information no
       later than 1st June 2003.

       Neither @stake nor Nokia are aware of this attack being used
       in the wild as it was discovered by @stake within a lab
       environment and subsequently tested on a number of operators
       for whom they have worked for.
       ---[End Nokia Notice]---


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

 CAN-2003-0368 Nokia GGSN Kernel Panic


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to jobs () atstake com.

Copyright 2003 @stake, Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPuTLoUe9kNIfAm4yEQKzJgCffce0bh7/mkfMIHqSe2HIxMVXmLsAoI4Z
+wZ5zdDH/YMMhvhzV5GDR1te
=4zGB
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: