[c-nsp] Vulnerabilities in HTTP server on Catalyst Switches

Chris Cappuccio chris at nmedia.net
Fri Jun 10 03:10:39 EDT 2005


John Neiberger [jneiberger at gmail.com] wrote:
> 
> What do you all think? Is there any real security risk by giving
> someone read-only access through CNA? I don't see a downside to it.
> 

Your security guy is right.  Turn off the http server.

Anything you do with separating out access via "planes" is a POLICY decision,
NOT a SECURITY decision.  People like to use their POLICY to enforce SECURITY
but the fact of the matter is that any vulnerability in the http server
completely bypasses your hours of POLICY configuration.

This is not a subtle point.  I'm not talking about some "far out chance" that
someone might someday write an IOS vulnerability exploit.  Although it's
not a prerequisite, the various Cisco IOS source code leaks over the
years make exploits slightly easier to craft.  The day has come and passed where
a buffer overflow has been exploited in Cisco's code to elevate privileges
from 'outside observer' to 'able to control the router'.

The discussion this list really should be having is why hasn't Cisco
(or anyone else for that matter) started using relatively simple
prevention measures (if they were, wouldn't it be press release material?),
like OpenBSD has done with W^X, guard pages, randomized memory allocation,
privilege separation, propolice, and many more pieces, integrated into the
kernel and userland.  (Oh, right, everything on IOS runs with the same
privilege level.  I wonder if anyone 0wns route-views.oregon-ix.net ?)

These are not abstract concepts.  IT HAS BEEN DONE AND IT WILL BE DONE AGAIN.
TURN OFF SERVICES YOU DON'T USE TO LOWER YOUR EXPOSURE.  That's the only
'policy' that might actually stop or at least slow an attack to the point
where it might catch your attention.  Well, only if you're looking.
And, if you're looking, it's actually pretty hard to really look in all
the right places.  Don't be surprised if someday, some well funded, anonymous
group can run code on your router via an exploit in the BGP listener,
executed via a worm in one of your peer's routers.  By this time, perhaps they
already 0wn most of the Juniper and Cisco internet through this.  The lack of
modern security models and measures on such critical infrastructure hardware
such as this is more than a little scary when you consider the implications!

(You know, OpenBSD's bgpd can handle today's full views in 64MB of RAM, can
load them up in less than a minute, and on halfway decent hardware, can rival
any 7200 NPE.  The limited interface selection is, well, limiting.  T1, T3,
802.11 or 10/100/1000 Ethernet are the only real options.  For several people
on this list, that won't cut it.  For 7200 users, it probably does.)

-c
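An added example, not from the post or the list: a small Python audit over a constructed IOS-style running config that reports whether the HTTP and HTTPS servers are enabled and whether only an `ip http access-class` is filtering them, then emits the lines that actually remove the exposure. The sample config and the distinction between "restricted" and "disabled" are constructed here to illustrate the post's point that a filtered server is still the same exposed code.

```python
import re
from dataclasses import dataclass

# Constructed IOS-style running-config excerpt (not from the post).
SAMPLE_CONFIG = """\
hostname edge-sw1
!
ip http server
ip http access-class 10
no ip http secure-server
!
access-list 10 permit 10.0.0.0 0.0.0.255
!
line vty 0 4
 transport input ssh
"""

@dataclass
class ServiceState:
    enabled: bool      # the daemon is listening
    restricted: bool   # an access-class filters it (policy), exposure remains

def audit_http_services(config: str) -> dict[str, ServiceState]:
    """Report the state of the HTTP and HTTPS servers in a running config.
    An enabled-but-restricted server is still exposed: the access-class is
    policy layered in front of the same daemon whose bug would be exploited.
    Assumption: a missing 'ip http server' line is treated as disabled;
    platform defaults vary, so confirm the default for your image."""
    lines = [ln.strip() for ln in config.splitlines()]
    restricted = any(re.fullmatch(r"ip http access-class \S+", ln) for ln in lines)
    result = {}
    for name, key in (("http", "ip http server"),
                      ("https", "ip http secure-server")):
        enabled = key in lines and f"no {key}" not in lines
        result[name] = ServiceState(enabled, enabled and restricted)
    return result

def remediation(config: str) -> list[str]:
    """Config lines that disable, rather than filter, the exposed servers."""
    audit = audit_http_services(config)
    fixes = []
    if audit["http"].enabled:
        fixes.append("no ip http server")
    if audit["https"].enabled:
        fixes.append("no ip http secure-server")
    return fixes

if __name__ == "__main__":
    for svc, state in audit_http_services(SAMPLE_CONFIG).items():
        print(f"{svc}: enabled={state.enabled} restricted={state.restricted}")
    print("remediation:", remediation(SAMPLE_CONFIG))
```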
