Posts Tagged ‘Vulnerability’

What lessons should we learn from the latest Cisco NAC Framework Vulnerabilities?

April 6, 2007

At the recent BlackHat Europe 2007 two researchers, Dror-John Roecher and Michael Thumann, presented on attacking Cisco NAC framework.

They discussed two main issues with the Cisco NAC framework.

The first relates to the fact that a NAC solution cannot trust the information coming back from an element. It is since this information is provided by the element, the same one the NAC solution does not trust in the first place.

This point is valid for all NAC solutions and was raised by me in my Bypassing NAC presentation at BlackHat 2006 in the summer (my recent version of the presentation can be downloaded from here).

The second issue is that for two variants of Cisco NAC framework (NAC-L3-IP, and NAC-L2-IP) there is no form of user authentication mechanism other then verifying the posture of the client machine (i.e. A/V, FW, patches, SP, etc.).

The German researchers managed to spoof the posture validation between a Cisco Trust Agent to the Cisco ACS (Access Control Server), and to gain access to the network even if the element is not compliant with the posture validation checks. Their attack would work when either using NAC-L3-IP and NAC-L2-IP. If NAC-L2-802.1x will be used, then user authentication will be mandatory (actually this is the response Cisco had issued to this manner).

The conclusion here is simple, posture validation cannot replace user authentication. It should be part of the overall NAC process, but only after the element and the user are authenticated.


RFID-based Passports – What a bad bad idea…

March 18, 2007

While attending EUSecWest I enjoyed a chat with Adam Laurie of the trifinite group. Adam demonstrated some techniques allowing him to clone the new UK biometric passports. The fun part of it was that Adam was given a brand new passport  (by a Daily Mail reporter) in its envelope, and he was able to pull the details of that passport without opening the envelope. If wanted, Adam could have also clone the passport.

So what does the RFID chip on the Passport contains?

“Encoded on the passport’s RFID chip are three important files. One contains an electronic copy of the printed information on the passport’s photo page; the second holds the electronic image of the holder’s photo. The third is a security device which checks that the previous two files are not accessed and altered.”

The key needed to access the RFID chip is a 24-digit code, which is printed at the bottom line of the passport’s Machine Readable Zone (MBZ).

When an immigration officer swipes the passport it reveals the MBZ code, allowing him to access the information stored on the RFID chip.

The problem is that the MBZ code can be easily determined (The MBZ contains information such as the passport holder’s birth date, passport expiration date, ID number, etc.). Since most of the parameters used for the MBZ are known, and that the RFID chip allows the enumeration of the chip without any defense mechanism (i.e after 3 non-successful read attempts…), brute forcing the key is possible.

I had taken a look at my passport. Although it is not an RFID-based passport I wanted to see how predictable the MBZ is. To say at least the MBZ is not a good idea to use.

The problems associated with this vulnerability include identity theft and other more scary issues.

More information can be found here (The Daily Mail), here (The Register) and here (The Register).

The Vulnerability Market Place

January 31, 2007

It sure was a matter of time until a major newspaper (Brad Stone for the New York Times) would pick up on the subject of trading vulnerabilities (article). Specifically selling vulnerabilities to companies, which provide some kind of a service around it.

On a recent blog post at Matasano (iDefense Underbids on Vista Vulnerabilities) I commented that: “No one guaranties the so-called 0-day is really is 0-day. The seller could have used it before, or sold it before, and still the knowledge of the existence of this vulnerability/exploit is not widely known”.

Theoretically speaking one can sell a vulnerability to multiple parties, and/or abuse it for other needs, without the buyer knowing that.

The market place for vulnerabilities does bring up interesting legal, and ethical questions regarding the actions of those companies who are buying these vulnerabilities and the source(s) they are buying these from.