Breaking

Autonomic Network Part 3: Vulnerabilities

This is the 3rd post in the series of Autonomic Network (AN), it will dedicated for discussing the vulnerabilities. I recommend reading the first 2 parts (part one, part two) to be familiar with the technology and how the proprietary protocol is constructed.

Initially we will discuss 2 of the reported CVEs, but later there is more CVEs to come 😉

Here is a quick overview on how our network looks like for 2 CVEs

Registrar ————— Enrollee

The network consists of a registrar which handles enrollment requests and a new node which tries enroll into the network. In order to join the network, the enrollee sends a request to the registrar with its UDI (which is a combination of the model and serial number of the device). The registrar checks its whitelist (a list saved on the registrar of the allowed devices) and responds back to the enrollee with either acceptance or rejection. After that, certificates are generated and the secure channel is built.

The two reported CVEs will concentrate on the exploiting this part of the communication between the registrar and the enrollee.

First we will start with:

CVE-2017-3849, it is a vulnerability of high impact. It can the cause the registrar to crash down and take it out of the network. It has no workaround and there is no way it can be avoided, so please either upgrade your system image or make sure that the network is totally secured. The attacker can send an enrollment request to the registrar, however instead of providing a valid UDI, the attacker provides either space or null byte as its UDI. The registrar will not be able to process such a request and as a result crashes down. The attacker can keep sending this request every time a registrar is detected within the network to crash it down. The attack is of high significance due to its ability to take down the registrar which is responsible for nodes enrollment and all NOC communication with the AN.

Second vulnerability that will be discussed today is:

CVE-2017-3850, this is a vulnerability of very high impact, which is close in its score to critical ones. The attacker can take down systems that support AN regardless it is enabled on the system or not. Taking into consideration that AN is supported on almost all the new releases. All what is needed by the attacker is a reachable IPv6 address to crash down the device. The attacker can send one of the bootstrap phases packets with some of the unexpected types (for the list of the allowed types within each packet, please check part two). Regardless the device is a registrar or enrollee or even does not have AN enabled, the device will crash down once it receives this single packet. I like to call the Death kiss. The attack can be stopped by users not running AN by introducing an access list over all their interfaces to drop packets coming on ports 4936 and 8888. If you are using AN then there is no way to survive this attack except to upgrade your system software.

Stay tunned, there is more CVEs on the way and soon they will be published.

The slides for the presentation where I explained AN with its 3 parts is here and the video of the presentation can be found here.

Hope you enjoyed the post and stay tunned for more,

Omar.

Leave a Reply

Your email address will not be published. Required fields are marked *