I just had an interesting discussion with Jim Small (who gives the “IPv6 Attacks and Countermeasures” talk at the North American IPv6 Summit next week) about the feasibility of the “undetermined-transport” keyword in PACLs on Cisco 3560 switches (here running IOS 15.0(2)SE). Actually there’s some kind-of funny behavior as for it on that platform (and there’s even some Cisco documentation stating it’s not supported). Let’s have a look, and start with a quick refresher.
Rogue router advertisements pose a significant security and network stability risk in IPv6 networks. That’s why there’s a security feature implemented on certain switches which is called “RA Guard” (see also here). Unfortunately (at least Cisco’s current implementation of) RA Guard can easily be circumvented, e.g. by using the following command from the THC IPV6 attack toolkit:
The gritsforbreakfast blog post making the rounds on the Liberation Tech mailing list about security of Apple’s iMessaging service is gaining quite some attention. The post refers to a CNET article on how the iMessage service “stymied attempts by federal drug enforcement agents to eavesdrop” conversations due its end-to-end encryption and commends Apple for protecting the user’s privacy while pointing out that Gmail and Facebook Messaging don’t. However, I disagree on some points of the blog post and therefore want to discuss them here.
Last week Rapid7 posted an interesting analysis of the Amazon S3 storage system: Apparently roughly one out of six S3 buckets (a bucket is, simply said, a kind of folder) is accessible without any authentication mechanism. Accessing those files, the Rapid7 guys were able to download a wide range of data, also comprising confidential information such as source code or employee information, comparable to past research for other platforms (see also this presentation I gave on some of the biggest Cloud #Fails) Continue reading “Thoughts on Cloud Governance, Part 1”
As you may already be familiar with some of our previouswork which was mainly focused on isolation issues of hypervisors, we also want to present you an issue concerning availability in Cloud environments. This issue was already covered in some of our presentations, but will be explained in greater detail in this blog post. Continue reading “BPDU Guard: Bringing Down Infrastructures”
Recently we took a look on Ciscos XMPP client, called Cisco Jabber. The Client is used in combination with Ciscos Unified Communication Server (CUCM) and Ciscos Unified Presence Server (CUPS). Only the latter one is used for XMPP communication.
As a lot of people were asking for, here comes the code of your badge. All You need to customize your badge, is a micro controller programmer, like the Pickit (its around 30 to 40 euros) and the build environment, MPLAB which you can get for free. Then just download the code and implement your own super cool features. Let us know what you did, the best hacks will get into the TROOPERS hall of fame (-; Continue reading “TROOPERS13 – The Badge Code”
We had a great day today at the Troopers IPv6 Security Summit. Good conversations, quite some technical discussion and a prevailing overall will to improve actual IPv6 network security.
Here are the slides of Antonios Atlasis’ great talk on extension headers and these are some of his accompanying Python/Scapy scripts. My own presentation on high secure IPv6 networks can be found here. The slides of the real-world capabilities workshop will not be published yet as we first have to discuss some stuff with a vendor.
Looking forward to tomorrow, have a great evening everybody
Recently there has been quite some discussion about so-called neighbor cache exhaustion (“NCE”) attacks in the IPv6 world. This is Jeff Wheeler’s “classic paper” on the subject, my kind-of personal networking guru Ivan Pepelnjakblogged about it back some time, here‘s a related discussion on the IPv6 hackers mailing list and in March 2012 (only three months after the respective IETF draft’s version 0 was released) the RFC 6583 was published, covering various protection strategies.
In the run-up to this workshop I’ll give at the Troopers IPv6 Security Summit next week I decided to build a small lab to have a closer look at NCE, in order to be able to express reasonable statements during the workshop ;-).
This is the first part of a (presumably two part) series of blog posts presenting the lab results and potential mitigation approaches. In this first part I’ll mostly focus on the actual attacks & lab testing performed. I won’t explain the basic idea behind NCE, you might look at the above sources (in particular Jeff Wheeler’s presentation) to understand the way it is supposed to work and to cause harm.
Actually the lab setup was quite simple. The lab was composed of a layer 3 device (mainly a Cisco 1921 router running an IOS 15.1(4)M3 image, but this got temporarily replaced by others, see below) connecting two segments, a “good” one hosting two physical systems (e.g. to be considered members of a fictional DMZ) and a “bad” segment with an attacker system. Essentially the only requirement was that all connections (attacker’s system’s NIC to switch & switch to all router interfaces involved) were at Gbit speed to simulate an attacker coming in from a high speed Internet link. [yes, I’m well aware that a 1921 can’t really push traffic at Gbit speed ;-)]
Besides the necessary basic IPv6 addressing config, the router was mostly in default state, so no tweaking of any parameters had taken place.
Marc Heuse – who happens to give this workshop at the Troopers IPv6 Security Summit next week – just sent this email (subject: “Remote system freeze thanks to Kaspersky Internet Security 2013”) to the IPv6 hackers mailing list, describing how a system running a certain flavor of Kaspersky security products can be remotely frozen when receiving IPv6 packets with a specific combination of extension headers and fragmentation (which in turn can be easily generated by his IPv6 protocol attack suite).
This illustrates once more the huge security problems related to IPv6 extension headers and IPv6 fragmentation and in particular to the combination of those two. Antonios Atlasis will discuss those in detail at the event (see his announcements here and here). It would be really helpful if major security products had some simple global properties/command line parameters/checkboxes like “drop all fragmented IPv6 packets”, “drop all IPv6 packets with extension headers” (ok, maybe “drop all IPv6 with multiple extension headers”; besides HBH in MLD packets – which shouldn’t traverse L3 hops – we don’t see too much ext headers in production networks anyway, as of early 2013) or at least “drop all packets with a combination of fragmentation and ext headers other than the fragmentation header”. But this will probably need another some years to show up and unfortunately we’ll probably see such problems still for a very long time…
Again, you should see Antonios’ presentations on this stuff (I had the chance to look at them already, it’s great research with scary results). For those of you who can’t join us: they’ll be made available for download after the conference.
Looking forward to an active discussion of these topics at the IPv6 Sec Summit,
Yesterday I was giving two presentations about Cloud security at the BASTA! Spring 2013 Security Day. While my presentations covered Microsoft Azure security considerations (which also included a part of the Cloud security approach covered in our workshops; slides available here) and some major Cloud incidents (suitable to transport different messages about Cloud security in general ;); slides available here), I also saw Dominick’s very interesting presentation about security aspects and changes in Windows 8. Inspired by that, we hope to be able to publish another blogpost on those aspects with regard to enterprise environments soon — most likely we won’t find any time for it before TROOPERS 😉