In recent months and years we have seen multiple DDoS attacks based on amplification techniques (DNS, NTP, Chargen, SSDP).
A new amplification attack was spotted in the last week of February (25th – 27th of February).
It is, by far, the strongest amplification attack we have seen, and it is based on the Memcached protocol running on UDP port 11211.
Sources at Cloudflare state the attack reached 257Gbps.
Why the Memcached Protocol?
The answer is simple: it supports UDP, which is stateless (a requirement for amplification attacks, because a request carrying a spoofed source address is answered without any handshake), it lacks any form of authentication, and it turns out to offer an excellent amplification ratio (the ratio between the size of the trigger packet and the size of the response).
The amplification ratio observed in the attack was around x10000, but the protocol itself is capable of x51200, because a request of a few bytes can make the server return a stored value of hundreds of kilobytes.
The attack stats detected on Cloudflare show UDP datagrams of 1400B. The packet rate peaked at 23Mpps, which works out to the reported total of 257Gbps (23 million packets × 1400 bytes × 8 bits per second). And that is a lot; it can cause very serious outages.
How does an amplification attack work and how it can be prevented?
To successfully launch an amplification attack you need 3 components:
- The capability to spoof IP packets, meaning access to a high-bandwidth pipe at an ISP that does not enforce anti-spoofing egress filtering (BCP 38)
- An application/protocol that is amplification friendly – UDP based, no authentication, and allowing large responses to be generated from small requests
- Reflector servers running such a protocol – servers that are reachable from the Internet and that will respond to requests from anyone
How does the attack work?
The attacker sends a large number of very small requests from a high-bandwidth pipe behind an ISP that allows IP spoofing, destined for a large list of publicly accessible application servers. The source IP of every request is spoofed to the target's public IP address, so all of those servers respond with much larger packets directed at the unsuspecting target. The idea is to cripple the target server/device or to congest its Internet pipe, either of which causes a Denial of Service.
How can Amp Attacks be prevented?
If any of the three components outlined above is missing, there is no way to perform a successful amplification attack.
Simple steps can make a big difference.
- ISPs should always adhere to strict anti-spoofing rules (BCP 38) and allow outbound traffic only from source addresses belonging to their own IP ranges.
- Developers should think about security when creating new applications and protocols. UDP should be avoided unless low latency is needed, and if UDP is used, the protocol should have some form of authentication and should never allow a reply-to-request size ratio bigger than 1, meaning every reply should be smaller than or equal to the request that generated it (or the protocol should require a handshake, such as a cookie echoed back by the client, before it sends a large reply).
- Administrators should correctly “firewall” their servers and allow access to the services only to those who need them, not the whole Internet. Certain types of responses can also be blocked within the application or at firewall level. For Memcached specifically: bind it to localhost or a private interface, and disable UDP with the -U 0 option if it is not needed (Memcached 1.5.6 and later disable UDP by default).
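What the attack looks like from the victim's (or a transit provider's) side of the wire, as an added example that is not part of the original article: the script below aggregates flow records and flags hosts that receive large UDP datagrams from many reflector-port sources without ever having sent a request to that service. The record format and the sample flows are constructed for illustration and are not the output of any particular flow exporter; the 15-byte request / 750 KiB response figures used in the usage note are an assumption chosen to reproduce the x51200 ratio quoted above.

```python
"""Flag UDP reflection/amplification traffic in flow records.

Added example (not code from the original article). The flow records and
the line format 'proto src:sport -> dst:dport bytes packets' are constructed
for illustration; they are not the output of any particular flow exporter.
"""
from collections import defaultdict
from dataclasses import dataclass

# Services commonly abused as reflectors, keyed by the UDP port their
# responses come *from*.  A response from one of these ports is only
# suspicious when the receiving host never asked for anything.
REFLECTOR_PORTS = {11211: "memcached", 53: "DNS", 123: "NTP", 19: "chargen", 1900: "SSDP"}


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'udp 1.2.3.4:11211 -> 5.6.7.8:40123 1400 1'."""
    proto, src, _arrow, dst, nbytes, packets = line.split()
    saddr, sport = src.rsplit(":", 1)
    daddr, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), saddr, int(sport), daddr, int(dport), int(nbytes), int(packets))


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes received per byte sent; the figure of merit of a reflector."""
    return response_bytes / request_bytes


def find_reflection_targets(flows, window_seconds=1.0, min_reflectors=3,
                            min_avg_datagram=1000, min_gbps=1.0, min_factor=100):
    """Return hosts that receive large datagrams from many reflector-port
    sources while having sent (almost) nothing to that service themselves."""
    responses = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    requests = defaultdict(int)  # (client, service) -> bytes the client sent
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport in REFLECTOR_PORTS:
            requests[(f.src, REFLECTOR_PORTS[f.dport])] += f.nbytes
        if f.sport in REFLECTOR_PORTS:
            agg = responses[(f.dst, REFLECTOR_PORTS[f.sport])]
            agg["bytes"] += f.nbytes
            agg["packets"] += f.packets
            agg["sources"].add(f.src)

    alerts = []
    for (target, service), agg in responses.items():
        sent = requests.get((target, service), 0)
        avg_datagram = agg["bytes"] / agg["packets"]
        gbps = agg["bytes"] * 8 / window_seconds / 1e9
        factor = amplification_factor(max(sent, 1), agg["bytes"])
        if (len(agg["sources"]) >= min_reflectors and avg_datagram >= min_avg_datagram
                and gbps >= min_gbps and factor >= min_factor):
            alerts.append({"target": target, "service": service,
                           "reflectors": len(agg["sources"]),
                           "avg_datagram": avg_datagram, "gbps": round(gbps, 3)})
    return sorted(alerts, key=lambda a: a["gbps"], reverse=True)


# Constructed one-second window: five memcached reflectors hammering one
# victim, plus a legitimate memcached client/server pair and some NTP.
SAMPLE_RECORDS = """
udp 198.51.100.10:11211 -> 203.0.113.5:40123 280000000 200000
udp 198.51.100.11:11211 -> 203.0.113.5:40123 280000000 200000
udp 198.51.100.12:11211 -> 203.0.113.5:40123 280000000 200000
udp 198.51.100.13:11211 -> 203.0.113.5:40123 280000000 200000
udp 198.51.100.14:11211 -> 203.0.113.5:40123 280000000 200000
udp 10.0.0.7:53211 -> 10.0.0.9:11211 120 2
udp 10.0.0.9:11211 -> 10.0.0.7:53211 1800 2
udp 192.0.2.8:123 -> 203.0.113.9:123 96 2
""".strip().splitlines()

SAMPLE_FLOWS = [parse_flow(line) for line in SAMPLE_RECORDS]

if __name__ == "__main__":
    for alert in find_reflection_targets(SAMPLE_FLOWS):
        print(f"{alert['target']} hit by {alert['reflectors']} {alert['service']} reflectors, "
              f"avg datagram {alert['avg_datagram']:.0f} B, {alert['gbps']} Gbps")
```

On the constructed data only 203.0.113.5 is reported (five reflectors, 1400-byte datagrams, 11.2 Gbps in the window); the legitimate client 10.0.0.7 is not, because it sent a request itself and its reply is only 15x larger. Comparing what a host sent against what it received is the key discriminator: `amplification_factor(15, 750 * 1024)` gives the 51200 figure, while a real client of the service sits near 1.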
Malware is evolving constantly. The threat landscape is so dynamic that yesterday's news is not news today. The malware business is a full-blown industry that easily rivals the IT security industry in size.
Recent major security breaches:
NiceHash, the largest Bitcoin mining marketplace, was hacked, resulting in the theft of more than 4,700 Bitcoins worth over $57 million at the time of the breach – more than $70 million now. The breach is reported to have happened via a vulnerability in their website.
TeamViewer vulnerability – a critical vulnerability was discovered in the software that could allow a user sharing a desktop session to gain complete control of the other party's PC without permission.
By using naked inline hooking and direct memory modification, the PoC also allows the user to take control of the mouse without altering settings and permissions.
Uber – Uber's October 2016 data breach affected some 2.7 million UK users, it has now been revealed. Uber did not disclose the breach until now and paid the attackers 100k USD to delete the data. Lawsuits are to follow. The information, held by a third-party cloud service provider used by Uber, was accessed by the two hackers.
PayPal subsidiary breach – ID theft affecting 1.6 million customers. PayPal Holdings Inc. said that a review of its recently acquired company TIO Networks showed evidence of unauthorized access to the company's network, including some confidential parts where the personal information of TIO's customers was stored.
Numerous previously unidentified security vulnerabilities were found in the platform (bugs that lead to security-related weaknesses), and evidence of a breach was discovered. Forensics are under way.
Equifax – the breach exposed 15.2 million UK records (and 145 million US records). The attackers used a known, publicly disclosed vulnerability in an Internet-facing web application (Apache Struts) for the initial penetration; a patch had been available for months but had not been applied.
Recent Apple root vulnerability – any Mac running macOS High Sierra 10.13.1 or the 10.13.2 beta was vulnerable. There was no real exploit: you simply typed root as the username, left the password empty and kept pressing enter; after a few tries you were logged in with root rights. A logic error existed in the validation of credentials, or simply a bug.
Making malware has become more accessible. The malware development process does not differ much from any other software development: people use publicly available source code for much of the work and combine it to their liking and purpose. Many of the bad guys also release the code for their creations, which can later be changed and further modified (for example Petya and NotPetya). Even code stolen from government cyber agencies is now used in modern malware (for example EternalBlue, used in multiple malware families as an effective means of lateral spread – most famously in WannaCry).
Another typical trend in malware these days is modularity. After the initial infection it will install and run multiple components on the infected host, in a specific order.
1st stage – initial infection. The usual method is an unpatched vulnerability in a running service or, in the case of more advanced malware, a zero-day vulnerability. The example here is the EternalBlue exploit of the SMBv1 service. The exploit is usually delivered over the Internet to accessible services or, once inside the organization, laterally within its internal networks. This stage ends with temporary access to the system and the malware in question being dropped on it.
2nd stage – privilege escalation. The malware will try to gather credentials from the infected device in different ways: cracking the files on the system that hold account hashes, looking for stored account information on the local drives, or even brute-forcing credentials. These credentials are leveraged either for privilege escalation on that machine or for access to other similar machines on the network, which are then infected.
3rd stage – installing a backdoor, making sure the access is persistent.
4th stage – doing the job. Downloading all necessary pieces of malware to finish the job. If it is a crypto virus it will download the tools to encrypt the sensitive files, change the desktop or even download an application to show the user the ransom note, a tool to clean up keys and traces of the encryption, etc.
5th stage – spread. This can again be done by using vulnerable services within the organization, or by leveraging any credentials discovered in the privilege escalation stage over legitimate sysadmin management channels such as WMI and PsExec. Sometimes the spread is done before, or simultaneously with, the 4th stage so as not to warn the organization of its presence before it has managed to infect multiple systems.
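The 2nd and 5th stages leave footprints in ordinary Windows event logs, and the example below (added here; it is not code from the original article) shows how to pick them out: PsExec installs its PSEXESVC service on the target (System event 7045), a remote `wmic process call create` runs the new process as a child of WmiPrvSE.exe (Sysmon event 1), and reused credentials show up as one account logging on over the network (Security 4624, logon type 3) to many hosts from one source. The events are constructed and flattened into dicts for readability; the field names and event IDs are the real ones, the host names, account and addresses are made up.

```python
"""Detect PsExec- and WMI-based lateral movement plus credential-reuse fan-out
in Windows event data.

Added example, not code from the original article. The events below are
constructed and use a simplified, flattened dict layout instead of raw EVTX
or Sysmon XML; only the field names and event IDs (4624, 7045, Sysmon 1)
correspond to real Windows events.
"""
from collections import defaultdict

SAMPLE_EVENTS = [
    # Network logons (4624, logon type 3) from one workstation with one account ...
    {"ts": "2017-12-01T09:00:01", "host": "WS-17", "channel": "Security", "event_id": 4624,
     "logon_type": 3, "account": "CORP\\svc-backup", "src_ip": "10.10.5.23"},
    {"ts": "2017-12-01T09:00:04", "host": "FS-01", "channel": "Security", "event_id": 4624,
     "logon_type": 3, "account": "CORP\\svc-backup", "src_ip": "10.10.5.23"},
    # ... followed by PsExec's service being installed on FS-01 ...
    {"ts": "2017-12-01T09:00:05", "host": "FS-01", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2017-12-01T09:00:09", "host": "SQL-02", "channel": "Security", "event_id": 4624,
     "logon_type": 3, "account": "CORP\\svc-backup", "src_ip": "10.10.5.23"},
    # ... and a shell spawned by the WMI provider host on SQL-02 (wmic process call create).
    {"ts": "2017-12-01T09:00:10", "host": "SQL-02", "channel": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "command_line": "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"},
    # Benign noise: a user mapping a share and a legitimate service install.
    {"ts": "2017-12-01T09:01:00", "host": "WS-04", "channel": "Security", "event_id": 4624,
     "logon_type": 3, "account": "CORP\\jdoe", "src_ip": "10.10.5.40"},
    {"ts": "2017-12-01T09:02:00", "host": "FS-01", "channel": "System", "event_id": 7045,
     "service_name": "BackupAgent", "image_path": "C:\\Program Files\\Backup\\agent.exe"},
]

SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_psexec(events):
    """PsExec copies PSEXESVC.exe to ADMIN$ and installs it as a service,
    which the target logs as System event 7045."""
    return [{"rule": "psexec_service", "host": e["host"], "ts": e["ts"]}
            for e in events
            if e["event_id"] == 7045 and e.get("channel") == "System"
            and (e.get("service_name", "").upper() == "PSEXESVC"
                 or _basename(e.get("image_path", "")) == "psexesvc.exe")]


def detect_wmi_exec(events):
    """Remote 'wmic process call create' runs the new process under
    WmiPrvSE.exe, so a shell whose parent is the WMI provider host is suspicious."""
    return [{"rule": "wmi_remote_exec", "host": e["host"], "ts": e["ts"],
             "command_line": e.get("command_line", "")}
            for e in events
            if e.get("channel") == "Sysmon" and e["event_id"] == 1
            and _basename(e.get("parent_image", "")) == "wmiprvse.exe"
            and _basename(e.get("image", "")) in SUSPICIOUS_CHILDREN]


def detect_logon_fanout(events, min_hosts=3):
    """One account logging on over the network to many hosts from a single
    source address is the footprint of credential reuse during spreading."""
    targets = defaultdict(set)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            targets[(e["account"], e["src_ip"])].add(e["host"])
    return [{"rule": "logon_fanout", "account": acct, "src_ip": ip, "hosts": sorted(hosts)}
            for (acct, ip), hosts in targets.items() if len(hosts) >= min_hosts]


def run_all(events, min_hosts=3):
    return detect_psexec(events) + detect_wmi_exec(events) + detect_logon_fanout(events, min_hosts)


if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

Each rule on its own is noisy in a real estate (administrators use PsExec and WMI legitimately); the value comes from correlating them with the fan-out rule, which the sample data triggers for svc-backup across WS-17, FS-01 and SQL-02 while jdoe's single share mapping stays quiet. Tune `min_hosts` to what your backup and management accounts normally touch.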
Types of malware:
It is very hard to categorize malware these days. Traditional classifications such as virus, worm, trojan and backdoor do not really cut it anymore, as most modern malware shares the features of all of them (again, WannaCry is the example: it is a virus, it is a worm as it spreads itself, it is a backdoor as it installs a hidden unauthorized way into the compromised system (DoublePulsar), and on top of that it encrypts files).
Ransomware – attacks aimed at making money by forcing victims to pay for accessing again their personal files
DDoS attacks – attacks aimed at crippling or disabling services at the victim
Attacks aimed at stealing sensitive information – attacks aimed at spying on users and gathering sensitive data: credentials, serial numbers, banking details, information usable for impersonation (date of birth etc.), private communications etc.
Zombie/Botnet – attacks that rely on the collective resources of multiple compromised hosts managed by a central C&C (command and control) server. These can be used for multiple things: DDoS, spam relaying, stealing sensitive information from users.
APT attacks – Advanced Persistent Threats. Specially crafted, long-running attacks, usually associated with nation-state cyber activities. An example is the Stuxnet attack against the Iranian nuclear program.
IoT related attacks – again these blur with the others, as normally the compromised IoT devices are used for other kinds of attacks (DDoS). This kind of attack is very typical these days: IoT devices are cheap network-connected devices that were not designed with security in mind. The Mirai attack was a shining example of how powerful an attack can be when executed using a botnet of compromised IoT devices (the Dyn case). Furthermore, the number of IoT devices will continue to grow.
Mobile devices – attacks that are specific to mobile devices. The most dangerous are compromised apps that go under the radar and give away sensitive information from the smartphone (ID theft, selling personal info to ad companies, or stealing financial data such as credit card details). There is no such thing as a free app: many of them are paid for with your data, which is collected and monetized, sometimes illegally.
Phishing / Spear Phishing – becoming more and more popular; bad actors will now put in the effort to get to know the victim so they can deliver the malicious content in a shape and form that is interesting to the target.
Some top Cyber Security Trends:
- Fewer security breaches reported globally (due to more investment in IT security), but more impact per breach.
- More time is needed to detect a breach (the average in 2016 was 80.6 days; in 2017 it is 92.2 days).
- Cybercrime damage costs are predicted to skyrocket to 6 trillion USD within the next 3 years (by 2021).
- Successful phishing and ransomware attacks are climbing.
- Global ransomware damage costs are estimated to exceed 5 billion USD by the end of 2017.
Data was gathered from the CSO 2017 Cyber Security report (csoonline.com).
Summary of the evolution of Security Controls
- Intrusion Prevention (Advanced Network Threat Detection) becomes a must
Advanced IPS systems have largely replaced the traditional stateful firewalls. They incorporate multiple security technologies (signatures, behaviour analytics, heuristics, sandboxing, central intelligence feeds etc.) to be able to successfully detect intrusion events and malware.
- Logging and Alerting platforms more important than ever
Logging and alerting are hugely important for every organization, both to proactively secure the network and, in case of a breach, to reactively do forensics. Logs are only useful if they are collected centrally, retained long enough to cover the average detection time quoted above, and actually watched.
- Data Loss Prevention is gaining momentum
DLP is becoming more popular as numerous breaches this year were connected to leaked sensitive information (ID theft in the Equifax and Uber cases).
- Endpoint security/anti-malware is again on the front line of combating malware
The focus of security has shifted in recent years from the network to the endpoint. Network and endpoint security controls should collaborate to create a strong security posture for your organization.
- Systemwide threat defense is becoming necessary to adequately protect your organization
Security has become closely connected to intelligence. All major security vendors siphon off as much data from the Internet as they can, so they can filter through it in an effort to be the first to find zero-day exploits and the first to provide adequate protection for their customers. All parts of the network infrastructure can be used as sensors and deliver intelligence data to a centralized place that provides the analysis (big data).
Wi-Fi is everywhere; everything is on Wi-Fi now: phones, tablets, laptops, even home PCs, game consoles, smart devices (IoT), sensors etc. The security of Wi-Fi is imperative, and it has been entrusted to the WPA2 protocol. Thus far all exploits against that protocol have been connected to guessing the security key (hence reliant on users having a weak key), to surrounding technologies (WPS for example), or to older components such as TKIP.
None of them were successful against a strong, security-minded implementation.
The attack – high-level breakdown of how the attack works and which devices are affected
An extremely interesting paper was released (16th October 2017) by its author, Mathy Vanhoef (with Frank Piessens); this paper would rock the world of Wi-Fi as it sheds light on how to exploit the WPA2 protocol in such a way as to be able to decrypt the user's data. The attack is known as KRACK (Key Reinstallation Attack).
How does the attack work?
The attack does not allow the attacker to join the protected Wi-Fi, nor does it break the encryption key. The attack is focused on the key management in WPA2, more precisely on the 4-way handshake exchange during the client join. It is achieved by manipulating and replaying handshake messages. By replaying message 3 of the handshake the attacker makes the client reinstall the already-in-use session key, which resets the packet number (nonce) and replay counter that go with it (the retransmission is allowed by the protocol because messages can be lost due to low signal etc.). To guarantee security, a key+nonce combination should be used only once; every packet must use a different nonce under the same key. Reusing the same key and nonce means the same keystream is reused, and XORing two packets encrypted under the same keystream cancels the keystream and leaves the XOR of the two plaintexts. Knowing a portion of one plaintext (protocol headers, a predictable request) is then enough to recover the corresponding portion of the other.
The attacker positions himself/herself in the middle of the handshake between the AP and the client by cloning the legitimate AP (same SSID and MAC address) on a different channel and making the client switch to it (hence the attack works best if the client has a stronger signal to the attacker than to the legitimate AP). Only once this man-in-the-middle position is established can the attacker block and replay handshake messages (as described above) and start decrypting what the client sends.
Who is affected? – Practically every Wi-Fi enabled client, as this is an attack on the WPA2 protocol itself, which all vendors had to follow in their implementations, so this is not a scenario where the exploit is possible only due to bugs in one vendor's code.
Android and Linux are the easiest to compromise, due to the fact that many of them (41% of Android devices, version 6.0 and above) use wpa_supplicant 2.4 or 2.5. There the developers followed the 802.11 standard's advice to clear the key from memory once it has been installed, so when the replay of message 3 happens the key that gets (re)installed consists only of zeros, making it trivial to decrypt the traffic without any known plaintext. Further findings from the same author describe the possibility for the attack to work (with a few changes) also against wpa_supplicant 2.6, and against iOS and FreeBSD clients. This latest update brings the percentage of vulnerable clients to a very high number (as the author states, if you have a phone it is most likely vulnerable).
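The two failure modes described above (keystream reuse after a replayed message 3, and the all-zero key of wpa_supplicant 2.4/2.5), as an added example that is not code from the paper or from the original article. CCMP really uses AES in CCM mode; this toy model substitutes an HMAC-SHA256 counter-mode keystream for AES-CTR (an assumption made so the block runs with the standard library alone), which is enough because the property KRACK exploits holds for any stream cipher: same key plus same nonce gives the same keystream. The client MAC, the key and the two HTTP requests are constructed.

```python
"""Why nonce reuse breaks WPA2's CCMP: a toy model of the key reinstallation
attack.

Added example, not code from the KRACK paper or the article. CCMP itself is
AES in CCM mode; here an HMAC-SHA256 keystream stands in for AES-CTR
(assumption), which is enough to show the property KRACK exploits: the same
key and nonce give the same keystream, whatever the cipher.
"""
import hashlib
import hmac


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(tk: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode style keystream: block i = PRF(tk, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(tk, nonce + counter.to_bytes(2, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Station:
    """A Wi-Fi client's transmit state: the temporal key (TK) and the packet
    number (PN) that, together with the sender address, forms the CCMP nonce."""

    def __init__(self, addr: bytes):
        self.addr = addr
        self.tk = None
        self.pn = 0

    def install_key(self, tk: bytes):
        """What message 3 of the 4-way handshake makes the client do.  The
        standard resets the PN to zero on key installation; reinstalling the
        same TK (KRACK) therefore makes the client reuse nonces."""
        self.tk = tk
        self.pn = 0

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        nonce = self.addr + self.pn.to_bytes(6, "big")
        return self.pn, xor(plaintext, keystream(self.tk, nonce, len(plaintext)))


def recover_with_known_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same keystream: c1 ^ c2 = p1 ^ p2, so a known
    p1 gives back p2 (for as many bytes as p1 is known)."""
    return xor(xor(c1, c2), p1)


def run_attack(tk: bytes):
    """Simulate the attack against one client and return what the attacker learns."""
    addr = bytes.fromhex("001122334455")  # made-up client MAC (constructed)
    known = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"  # predictable traffic
    secret = b"POST /login user=alice&pass=hunter2"                   # what we want

    client = Station(addr)
    client.install_key(tk)                 # normal 4-way handshake completes
    pn1, c1 = client.encrypt(known)        # PN = 1

    client.install_key(tk)                 # attacker replays message 3 -> PN reset
    pn2, c2 = client.encrypt(secret)       # PN = 1 again: same key, same nonce
    recovered = recover_with_known_plaintext(c1, known, c2)

    pn3, c3 = client.encrypt(secret)       # no reinstall: fresh PN, attack fails
    fresh_attempt = recover_with_known_plaintext(c1, known, c3)

    # wpa_supplicant 2.4/2.5 variant: the TK was cleared after first use, so the
    # replayed message 3 installs an all-zero key; the attacker needs no known
    # plaintext at all, only the nonce, which travels in clear in the frame header.
    zero_client = Station(addr)
    zero_client.install_key(bytes(16))
    pn_z, c_z = zero_client.encrypt(secret)
    zero_nonce = addr + pn_z.to_bytes(6, "big")
    zero_key_decrypted = xor(c_z, keystream(bytes(16), zero_nonce, len(c_z)))

    return {"pn_reused": pn1 == pn2, "secret": secret, "recovered": recovered,
            "fresh_pn_recovered": fresh_attempt, "zero_key_decrypted": zero_key_decrypted}


if __name__ == "__main__":
    result = run_attack(bytes.fromhex("00112233445566778899aabbccddeeff"))
    print("PN reused:", result["pn_reused"])
    print("recovered:", result["recovered"])
```

Two things are worth noticing in the output. The recovery works without the attacker ever learning the key, which is why changing the PSK does nothing against this attack, and it only recovers as many bytes as the attacker can guess of the other packet, which is why predictable traffic (headers, DHCP, DNS) matters so much. The all-zero key case needs no guessing at all: with the nonce public, the attacker simply computes the keystream.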
We are sending massive amounts of sensitive data over Wi-Fi these days. Usernames and passwords are just the start; add credit card information, personal IDs, emails, private pictures etc. I guess nobody wants that data to be shared and read by others. Furthermore, the top-choice device for many of these activities is your smartphone, which in fact is the most vulnerable type of client device (see the Conclusions chapter below).
So, what is next?
Do we go back to WPA or WEP or wait for WPA3?
The answer is no. WPA is also vulnerable and WEP is even less secure; WPA2 can be amended (both as a protocol and in its software implementations) and will continue to be used. It is recommended that WPA2 with CCMP (AES) is used, as with TKIP and GCMP the attack goes further: the attacker can not only read data but also forge and inject packets, so malware could be injected into the traffic.
How to protect ourselves
Only a software update can mitigate this attack. Keep a close eye on vendor announcements and patch as soon as they release the security patch for this exploit. Some of the patches may be silently released and installed on your devices, but please make sure you have them.
Actions like changing your PSK password and such do not make any difference (remember, the attack does not reveal this password nor does it let the attacker join your network).
Deploy additional layers of encryption that are independent of WPA2, such as SSL/TLS or IPsec. In the example on the krackattacks page, they were only able to read the data from the web site after stripping the SSL from it (sslstrip), which only works because of a misconfiguration on the website itself (no HSTS); properly configured HTTPS keeps the content protected even when the Wi-Fi layer is broken.
The current threat is obviously for the end devices, not the infrastructure devices (APs etc.). I expect that Microsoft, Apple and the other major commercial OS vendors will react very fast and will silently patch (if they have not done so already). That would be sufficient for laptops and PCs with Wi-Fi enabled. A bigger problem will be for smartphone users: every Android vendor (Samsung, HTC etc.) dictates its own patching schedule, so I am not expecting a fast reaction from them. Apple runs its own devices, so I expect a faster reaction.
Having put the spotlight on client devices and not infrastructure, it is mandatory to mention that this new type of attack, and the sure-to-come spin-offs from it, will lead to new attacks towards infrastructure devices. APs are already affected where they support 802.11r (fast BSS transition), whose handshake the paper also attacks.
Cisco has found numerous products to be vulnerable and is still investigating many more for that possibility.
Gaining a certification as a Cisco Network Engineer is only the beginning of your professional journey, next you need a job. There are literally thousands of Engineers passing CCNA, CCNP and CCIE exams around the world every single year. All those bits of paper look the same; they all tell prospective employers that you did indeed pass the written and trickier lab exams.
You might have a Cisco Certification, but so do thousands more – the question is “Why would an employer hire you rather than the thousands of other equally qualified individuals?” Experience can only be gained by, well, gaining experience – so what else can help you become a SUCCESSFUL Cisco Network Engineer?
Any prospective employer and end client will demand a high level of professionalism at all times so you need to consider perception – how does the client or employer perceive your levels of professionalism? Make sure you:
- Ensure the project scope/SLA agreement is adhered to at all times
- Have your Engineers tools/kit – Be Prepared!
- Dress like the professional you are
- You’re the Technical one, not everyone else so refrain from jargon & being overly-technical
Applying for a job as a Network Engineer is just like any other: you need to portray a good image and one of professionalism. I recently had an online conversation with a Cisco Engineer who appeared on our website with the words “Need Job Mate” – er, not from me you won't, especially as your level of professionalism is shocking!
Regardless of where you’re from, learn to speak the local language – and well. As skilled as you may be with IT Networks and the technical aspect of being a Cisco Engineer, you need to be able to communicate with clients, employers & stakeholders. There needs to be a trail of the work you carry out from start to finish, make sure you:
- If you’re running late, tell your boss as early as possible
- Alert your employer/boss of the time you arrive/leave and report to your onsite contact
- Take photos before and after your work has been completed
- Double check your work against the project scope – always focus on Quality of Service
Often external forces like bad weather, heavy traffic or car trouble can’t be avoided, so just ensure that you communicate with your seniors making your movements easier to monitor & track.
Once you’ve passed 1 exam, don’t stop! The more Cisco tracks you have, the better chance you stand of being employed. Technology, business and Cisco qualifications are all evolving – CCNA/CCIE Voice, Storage Networking and Service Provider Operations are now all obsolete – so keep training otherwise your skills will also become superseded. Gaining a certification in R&S is only the start; think about gaining certifications in Security, Unified Communications and Wireless – none of these tracks are likely to be retired anytime soon. With the birth of IoT, BYOD, Big Data and Cloud computing then skills for Unified Communications, Cybersecurity and Wireless will all be in high demand.
To become an in-demand Cisco Engineer – be responsive! If your employer calls you and asks “can you be in London/Paris in an hour?” put down your knife and fork, grab your kit and get moving. Respond to trends in the marketplace: less focus on Voice, more focus on Unified Communications; less focus on Storage Networking and more on Data Storage and Cloud computing. Recently there have been some high-profile security breaches at Sony, JP Morgan Chase and AOL, and in 2015 75% of CIOs intend to increase their IT Security expenditure, so be poised to respond to the trends happening in the world of IT Networking.
Leave the site exactly as you found it. Ensure the communications cabinet is securely closed follow all in-house security protocols and don’t leave a mess. You’d be surprised as to the big impression you can make with small gestures of housekeeping.
Being a Cisco Network Engineer requires greater skills than the ability to rack, mount and stack a server or two. There’s an estimated 600,000 Cisco Certified Engineers worldwide, so if your professionalism, communication and housekeeping skills are lacking – then you won’t be stacking and racking. Since gaining your Cisco Certifications what problems have you encountered when looking for a job? As a client, what skills do you think Engineers lack/excel at? All comments are welcome 🙂