Ascend Archive

Re: (ASCEND) [rootshell] Security Bulletin #16 (fwd)



In enteract.private.lists.ascend-users, you wrote:
>can easily pick up your community names.  But at least by doing
>the above, they will also have to spoof your IP address in order to
>use the community names to do any damage.

There is a problem with this. Employing IP-address-based ACLs for SNMP
does make it harder to get SNMP values from a MIB, but it does not make it
any harder to set them. Setting an SNMP value simply involves sending a
single UDP SNMP "setRequest" packet. An attacker can trivially forge these
to appear to originate from any IP address. Because of this, an attacker
that knows your write community can still, even with ACLs enabled, TFTP
the configuration file.

You can take steps to make this work; employ inside/outside spoof
protection filters at the perimeter of your network, so arbitrary
attackers on the Internet can't spoof INTERNAL IP addresses. Make sure
dialup customers can't source packets from incorrect addresses, too.

-- 
-----------------------------------------------------------------------------
Thomas H. Ptacek			     		Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf				"mmm... sacrilicious"
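
The filtering described in the message above, sketched as an added example (not part of the original post and not Ascend filter syntax): a per-interface source-address check applied before any SNMP handling, plus a minimal BER parse that recognizes a SetRequest. The interface names (`outside`, `inside`, `dial0`), the address ranges and the sample packet are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the original message).
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]
DIALUP_ASSIGNED = {"dial0": ipaddress.ip_address("198.51.100.7")}
SET_REQUEST = 0xA3  # BER tag of the SNMPv1/v2c SetRequest PDU

# Constructed SNMPv1 SetRequest (community "example", sets sysName.0 to "x").
SAMPLE_SET = bytes.fromhex(
    "3028020100" "04076578616d706c65"
    "a31a020101020100020100" "300f300d06082b06010201010500040178")

def _tlv(buf, off):
    """Read one BER TLV at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, off, off + length

def snmp_pdu_tag(payload):
    """Return the PDU tag of an SNMPv1/v2c message, or None if unparseable."""
    try:
        tag, start, _ = _tlv(payload, 0)      # outer SEQUENCE
        if tag != 0x30:
            return None
        _, _, off = _tlv(payload, start)      # version INTEGER
        _, _, off = _tlv(payload, off)        # community OCTET STRING
        return payload[off]
    except (IndexError, ValueError):
        return None

def source_allowed(iface, src):
    """Anti-spoof rule: is this source address plausible on this interface?"""
    src = ipaddress.ip_address(src)
    internal = any(src in net for net in INTERNAL)
    if iface == "outside":
        return not internal                   # internal sources never arrive from outside
    if iface in DIALUP_ASSIGNED:
        return src == DIALUP_ASSIGNED[iface]  # dialup may use only its assigned address
    return internal                           # inside interface

def verdict(iface, src, udp_payload):
    """Apply the spoof filter first, then label SNMP writes that survive it."""
    if not source_allowed(iface, src):
        return "drop-spoofed"
    return "snmp-set" if snmp_pdu_tag(udp_payload) == SET_REQUEST else "pass"
```

A packet labelled `snmp-set` has a source address that is plausible for the interface it arrived on, so an address-based SNMP ACL applied after this check is evaluating an address the perimeter has already constrained.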