
Remote Malware Injection Via Flaw In Network Card

kfz-versicherung writes "During the CanSecWest international conference in Vancouver, members of ANSSI described how an attacker could exploit a flaw to run arbitrary code inside some network controllers (full presentation; PDF). The attack uses routable packets delivered to the victim's NIC. Consequently, multiple attacks can be conducted, including man-in-the-middle attacks on network connections, access to cryptographic keys on the host platform, or malware injection on the victim's host platform."

  • by trifish ( 826353 ) on Saturday March 27, 2010 @06:01PM (#31643016)

    If you dig into TFA, you'll find this:

    "However, the attack presented only applies to a specific network card model (Broadcom NetXtreme) whenever a remote administration functionality (called ASF for Alert Standard Format 2.0) is turned on (it is off by default) and configured. According to vendors, this functionality is far from being widely used. As a consequence, this vulnerability is really likely to have a very limited impact in practice."

  • +++ATH0 (Score:1, Informative)

    by Anonymous Coward on Saturday March 27, 2010 @06:19PM (#31643132)

    NO CARRIER

  • ASF hero (Score:5, Informative)

    by juventasone ( 517959 ) on Saturday March 27, 2010 @06:23PM (#31643184)
    Since none of our clients use ASF, I have manually disabled it on every build I've done. Contrary to the article, many have it enabled by default. Why did I bother? I am a minimalist. I figured having an unused feature enabled could only potentially introduce problems.
  • by electrogeist ( 1345919 ) on Saturday March 27, 2010 @06:34PM (#31643246)
    The summary left that out.

    4. How can I find out if my machine is vulnerable?

    Any computer using Broadcom NetXtreme chips with ASF activated and configured is vulnerable. Users of such computers should apply the official patches (see 6). Other vendors' cards and other card models are not impacted by this vulnerability. Machines using Broadcom NetXtreme chips on which ASF has never been configured (this requires launching the Broadcom ASF configuration tool) are not vulnerable, but patching is highly recommended.

    5. How can I protect my computers from such an attack?

    If your computer is vulnerable to this attack you can either (in order of preference):

    • 1. apply the vendor patch (see 6) ;
    • 2. deactivate ASF. This should be done using the Broadcom ASF Configuration tool and not by turning off ASF in the BIOS of the machine;
    • 3. configure all your network packet-filters to filter UDP ports used by ASF (623 and 664).

    Please note that some operating systems actually deactivate ASF at boot time. Some operating systems or hypervisors might also take advantage of hardware technologies such as Intel VT-d and AMD IOMMUs that would limit the impact of the attack.
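    A site that has never configured ASF can treat any RMCP on those two ports as a finding, not just something to block. The following is an added example of that check, written for this edit; it is not code from the page, from ANSSI or from Broadcom. It decodes the RMCP header that ASF and IPMI share, names the ASF message type or the IPMI authentication type, and flags the chassis-control messages and unauthenticated IPMI sessions. Field offsets follow the ASF 2.0 and IPMI v1.5 encapsulation as I recall them, the datagrams at the bottom are constructed rather than captured, and the function names are my own.

```python
"""Classify UDP datagrams seen on 623 (RMCP) and 664 (secure RMCP).

Added example for the ANSSI FAQ quoted above; it is not code from the page,
from ANSSI or from Broadcom.  The field layout follows the RMCP encapsulation
of ASF 2.0 and IPMI v1.5 as the author recalls it, and every datagram below
is constructed for the example, not captured.
"""
import struct

PORTS = {623: "rmcp", 664: "secure-rmcp"}
ASF_IANA = 4542                      # enterprise number reserved for ASF
RMCP_CLASSES = {6: "ASF", 7: "IPMI", 8: "OEM"}
ASF_MSG_TYPES = {
    0x80: "Presence Ping", 0x40: "Presence Pong",
    0x81: "Capabilities Request", 0x41: "Capabilities Response",
    0x82: "System State Request", 0x42: "System State Response",
    0x10: "Reset", 0x11: "Power-up",
    0x12: "Unconditional Power-down", 0x13: "Power Cycle Reset",
}
ASF_CONTROL = {0x10, 0x11, 0x12, 0x13}   # the ones that act on the chassis
IPMI_AUTH = {0: "none", 1: "MD2", 2: "MD5", 4: "straight password",
             5: "OEM", 6: "RMCP+ (IPMI 2.0)"}


def classify(dst_port, payload):
    """Describe one datagram; 'alert' is set for every well-formed RMCP
    message, since a site that has never configured ASF should see none."""
    info = {"port": dst_port, "transport": PORTS.get(dst_port, "other"),
            "rmcp": False, "alert": False, "detail": ""}
    # RMCP header: version 0x06, reserved 0x00, sequence, class (bit 7 = ACK)
    if len(payload) < 4 or payload[0] != 0x06 or payload[1] != 0x00:
        info["detail"] = "not RMCP; the port alone proves nothing"
        return info
    _ver, _res, seq, cls = struct.unpack("!BBBB", payload[:4])
    info.update(rmcp=True, alert=True, ack=bool(cls & 0x80), seq=seq,
                cls=RMCP_CLASSES.get(cls & 0x0F, "reserved"))
    if info["cls"] == "ASF" and len(payload) >= 12:
        # ASF body: IANA enterprise number, type, tag, reserved, data length
        iana, mtype, tag, _r, dlen = struct.unpack("!IBBBB", payload[4:12])
        name = ASF_MSG_TYPES.get(mtype, "unknown 0x%02x" % mtype)
        info["detail"] = "ASF %s (IANA %d, tag %d, %d data bytes)" % (
            name, iana, tag, dlen)
        info["control"] = mtype in ASF_CONTROL
    elif info["cls"] == "IPMI" and len(payload) >= 5:
        # IPMI v1.5 session header starts with the authentication type
        auth = payload[4]
        info["detail"] = "IPMI session, auth type %s" % IPMI_AUTH.get(
            auth, "0x%02x" % auth)
        info["unauthenticated"] = auth == 0
    return info


def rmcp_header(cls, seq=0xFF):
    return bytes([0x06, 0x00, seq, cls])


# Constructed samples (not captures).
PRESENCE_PING = rmcp_header(6) + struct.pack("!IBBBB", ASF_IANA, 0x80, 0x2A, 0, 0)
ASF_RESET = rmcp_header(6) + struct.pack("!IBBBB", ASF_IANA, 0x10, 0x2B, 0, 0)
# IPMI v1.5 "Get Channel Authentication Capabilities" with auth type none:
# auth 0x00, session seq 0, session id 0, length 9, then the LAN message.
IPMI_NOAUTH = (rmcp_header(7) + b"\x00" + b"\x00" * 8 + b"\x09"
               + bytes([0x20, 0x18, 0xC8, 0x81, 0x04, 0x38, 0x8E, 0x04, 0xB1]))
NOISE = b"GET / HTTP/1.0\r\n"          # something else that happens to hit 664

SAMPLES = [(623, PRESENCE_PING), (623, ASF_RESET), (623, IPMI_NOAUTH),
           (664, NOISE)]


def scan(samples=SAMPLES):
    """Return the alerts a monitor would raise for a list of (port, payload)."""
    return [classify(p, d) for p, d in samples if classify(p, d)["alert"]]


if __name__ == "__main__":
    for port, payload in SAMPLES:
        c = classify(port, payload)
        print("udp/%d %-12s %s" % (port, c["transport"], c["detail"]))
```

    Fed from a pcap reader or a UDP listener bound to 623 and 664, the same function separates stray traffic on those ports from real RMCP, which is what you need to know before deciding whether mitigation 3 (the packet filter) would break anything you rely on.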

  • Re:+++ATH0 (Score:5, Informative)

    by erroneus ( 253617 ) on Saturday March 27, 2010 @06:38PM (#31643272) Homepage

    Love that comment! Too bad it was done anonymously; you deserve credit for the genius of its simplicity and clarity. "Device vulnerabilities" have been around a long time. I used to make people on IRC lose their connections by sending specially crafted PING packets which would contain "+++ATH0", resulting in an immediate disconnection. I had one poor schmuck who patched and recompiled his Linux kernel like 6 or 7 times, as he thought I was hacking his "computer" rather than exploiting his modem. His logs showed an ICMP coming from me followed by an interruption of his network link. He could have done one of two things: disable ping responses or change a setting in his modem. It was hilariously funny watching the guy struggle, though. Finally, I told him what I was doing... "Denwaugh"? Are you out there? Muhahaha! That comment brings back some memories...

    The real point here is that devices are more than bits of hardware -- they are little computers themselves with their own vulnerabilities. Our trust of devices is a problem that is rarely considered.

  • by nxtw ( 866177 ) on Saturday March 27, 2010 @07:31PM (#31643524)

    I wonder how secure Realtek's stuff is; their drivers/software lead me to think that their hardware code is ripe for discovery...

    Realtek hardware generally does not have the advanced hardware features found in the fancier Intel e1000(e) and Broadcom tg3.

  • Re:+++ATH0 (Score:3, Informative)

    by Vellmont ( 569020 ) on Saturday March 27, 2010 @08:22PM (#31643794) Homepage


    He could have done one of two things: disable ping responses or changed a setting in his modem.

    Disabling ping is merely a poor workaround. You can exploit it in at least one other way, CTCP also has a ping response. If the victim is running an SMTP server that you can connect to you can get the SMTP server to repeat +++ATH0 via several different tricks. I'm sure there's other services that behave in a similar manner. The only REAL fix is to disable the sequence in the modem.

  • by jd2112 ( 1535857 ) on Saturday March 27, 2010 @08:47PM (#31643952)

    However, the attack presented only applies to a specific network card model (Broadcom NetXtreme)

    Which happens to be the most popular network interface chipset used by Dell, HP, and many other manufacturers...

  • by Animats ( 122034 ) on Sunday March 28, 2010 @02:27AM (#31645556) Homepage

    IPMI remote management security is worrisome.

    There are Linux utilities for IPMI. [sourceforge.net] It's definitely worthwhile running "ipmiutil discover" on any LAN you control, to find out if anything out there speaks IPMI. It's also worthwhile monitoring your data center's networks for anything happening on UDP ports 663 and 664. If you're not using IPMI, make sure no one else is.

    A big problem with IPMI is that the shipped hardware defaults really matter. If someone ships you a NIC card with IPMI enabled and the password known, you are 0wned at a very low level. IPMI boards offer various levels of authentication, some of which offer good cryptographic security. But one of the options is "no authentication".

    A deeper problem is the possibility that NIC chips might have a default backdoor password built in. Many NIC chips now are designed in China.

    Understand how much you can do via IPMI. You can turn the machine on and off remotely. You can force a reboot. You can change the boot settings. You can change the MAC address. You can override the front panel power and reset switches.(!) You can lock out the keyboard, blank the screen, set up a connection which the computer sees as a hard-wired keyboard, and boot from the LAN. The operating system isn't involved in any of this; it's taking place at a level below that of the main CPU.

    Dell's guidance on IPMI [dell.com] is terrifying. See Figure 3, where IPMI over LAN is being enabled with username "root", no password. This sort of thing is common. "The default password on Dell PowerEdge servers is "calvin", on Sun Fire servers it's "changeme"; in both cases the user is "root"." [cuddletech.com]

    If you try to do it right, turning on all the crypto and using unique random keys for each chassis, someone has to manually type in the encryption key in hex on each new server. Then you need a remote management program which securely holds all the keys. How many shops really do that?
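    On the wire, what "ipmiutil discover" does is send an ASF presence ping to UDP/623 (the RMCP port; the ANSSI FAQ quoted earlier lists 623 and 664), and anything that answers with a presence pong is speaking RMCP whether or not the host OS knows it. The script below is an added example written for this edit, not code from the page, from ipmiutil or from any vendor. It builds the ping, decodes the pong's supported-entities byte (which is where a responder says it also speaks IPMI), and sends the probe to whatever hosts or directed-broadcast addresses you name on the command line. Field offsets follow the ASF 2.0 presence ping/pong layout as I recall it, the sample pong is constructed, and the function names are my own.

```python
"""ASF presence discovery on UDP/623, the probe behind 'ipmiutil discover'.

Added example; not code from the page, from ipmiutil or from any vendor.
The wire format is the ASF 2.0 RMCP presence ping/pong as the author recalls
it, and the pong at the bottom is constructed, not a capture.
"""
import socket
import struct

RMCP_PORT = 623
ASF_IANA = 4542
PING, PONG = 0x80, 0x40


def build_presence_ping(tag):
    """RMCP header (version 6, reserved, seq 0xFF = no ACK wanted, class 6 =
    ASF) followed by the ASF body: IANA number, type, tag, reserved, length."""
    return bytes([0x06, 0x00, 0xFF, 0x06]) + struct.pack(
        "!IBBBB", ASF_IANA, PING, tag & 0xFF, 0, 0)


def parse_presence_pong(data, expect_tag=None):
    """Decode a presence pong; None if 'data' is not one (or the tag is off)."""
    if len(data) < 28 or data[:2] != b"\x06\x00" or (data[3] & 0x0F) != 6:
        return None
    iana, mtype, tag, _r, dlen = struct.unpack("!IBBBB", data[4:12])
    if mtype != PONG or dlen < 16 or iana != ASF_IANA:
        return None
    if expect_tag is not None and tag != (expect_tag & 0xFF):
        return None
    # data: enterprise number, OEM-defined, supported entities, interactions
    ent_iana, _oem, entities, interactions = struct.unpack("!IIBB", data[12:22])
    return {
        "iana": ent_iana,
        "asf_version": entities & 0x0F,       # low nibble: ASF version
        "ipmi": bool(entities & 0x80),        # bit 7: IPMI supported
        "rmcp_security": bool(interactions & 0x80),
        "dash": bool(interactions & 0x40),
    }


def discover(targets, timeout=1.0, tag=0x42):
    """Ping each target (hosts or a directed broadcast) and return responders.
    This needs a network and is not exercised by the offline check."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        probe = build_presence_ping(tag)
        for target in targets:
            s.sendto(probe, (target, RMCP_PORT))
        while True:
            try:
                data, (addr, _port) = s.recvfrom(1500)
            except socket.timeout:
                break
            pong = parse_presence_pong(data, expect_tag=tag)
            if pong is not None:
                found[addr] = pong
    return found


# Constructed pong (not a capture): a responder advertising ASF version 1,
# IPMI support and the RMCP security extensions.
SAMPLE_PONG = (bytes([0x06, 0x00, 0xFF, 0x06])
               + struct.pack("!IBBBB", ASF_IANA, PONG, 0x42, 0, 16)
               + struct.pack("!IIBB", ASF_IANA, 0, 0x81, 0x80) + b"\x00" * 6)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for addr, pong in discover(sys.argv[1:]).items():
            print(addr, pong)
    else:
        print(parse_presence_pong(SAMPLE_PONG, expect_tag=0x42))
```

    A responder with "ipmi" set is a BMC or NIC that will take IPMI sessions on the same port, which is exactly the case where the shipped username and password matter; a responder that answers at all on a LAN where nobody configured ASF is the finding the FAQ's third mitigation is meant to prevent.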
