Phenoelit Advisory 0815 ++ -- Brick

Sat, 27 Jul 2002 09:40:33 -0700 


-- 
            kim0   <[EMAIL PROTECTED]>
        Phenoelit (http://www.phenoelit.de)
90C0 969C EC71 01DC 36A0  FBEF 2D72 33C0 77FC CD42

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++->

[ Authors ]
        FX              <[EMAIL PROTECTED]>
        kim0            <[EMAIL PROTECTED]>     

        Phenoelit Group (http://www.phenoelit.de)
        http://www.phenoelit.de/stuff/Lucent_Brick.txt

[ Affected Products ]
        Lucent    
                        LSMS 5.5 (Lucent Brick, Bridging VPN Firewall)

        Lucent Bug ID:  Not assigned

[ Vendor communication ]
        06/28/02        Reply to inquiry regarding "who to notify"
        06/29/02        Initial Notification to Brick team
                        *Note-Initial notification by phenoelit
                        includes a cc to [EMAIL PROTECTED] by default
        07/02/02        Ack. of receipt by Lucent Brick team
        07/06/02        Weekly follow-up by central POC at
                        Lucent (Right on Time)
        07/08/02        Additional tech-discussions
        07/19/02        Notification of intent to post publically
                        in apx. 7 days.
        07/25/02        Notification that due to personnel changes at Lucent, 
                        our POC has changed. The new person is supposed to be 
                        contacting us...

[ Overview ]
        The Lucent Brick VPN Firewall is a layer 2, NCSA, US Army, and 
        US National Security Agency (NSA) Approved/Certified Firewall that 
        operates on Inferno, an Embdedded Operating System. "Brick" devices 
        come in many sizes from the SOHO Brick 20 to the Enterprise 1000(GiG).
        
[ Description ]
        The Brick suffers from several design failures in handling of the ARP   
        protocol.  

        1. It is possible to interrupt any connection between the Brick and 
        critical devices such as the LSMS (Brick Management Server) by 
        binding the IP Address of the device in question to the attackers 
        interface and "pinging" the Brick or any address behind it. The Brick
        will immediately update its ARP cache and drop the connection, no matter
        where the attacker is located (internal/outside segment). This
        requires the "Floating MAC" setting to be turned on.

        2. The Brick will forward any ARP request and response across all 
        interfaces, regardless of the existing firewall rules.

        3. All Bricks are identifiable during reconnaissance using the most 
        basic of techniques (pinging all addresses in segment).  The device 
        that sends ARP requests for the attacker IP address is the Brick.

[ Example ]
        1. # man ping
        2. # man arp
        3. # for i in �cat ipaddresses.txt�; do ping $i; done 

[ Solution ]
        None known at this time. 

[ end of file ]

Reply via email to