From support@us.external.hp.com Wed Mar 13 01:01:29 1996
Date: Wed, 13 Mar 1996 01:09:25 -0800
From: HPSL Mail Service
Reply to: support-feedback@us.external.hp.com
To: Damien Sorder
Subject: RE: send doc HPSBUX9402-004

--------

## Regarding your request: Send Doc HPSBUX9402-004

The following are the results of your request from the HP SupportLine
mail service.

===============================================================================
Document Id:  [HPSBUX9402-004]
Date Loaded:  [02-11-94]
Description:  Promiscuous mode network interfaces
===============================================================================

-----------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #00004, 10 February 94
-----------------------------------------------------------------------
_______________________________________________________________________

PROBLEM:  /dev/nit allows superuser (root) access to network traffic

PLATFORM: HP 9000 Series 300, 400, 700, 800 running HP-UX
          Apollo Token Ring (HP-UX 8.X, 9.X; s700 only)
          STREAMS-DLPI (HP-UX 9.X)

DAMAGE:   A superuser (root) on one system can gain account information
          on other systems.

SOLUTION: Prevent users from gaining root access.
_______________________________________________________________________

I. /dev/nit

   A. CERT Advisory

      A recent CERT advisory (CA-94:01) warned of attacks which "involve
      a network monitoring tool that uses the promiscuous mode of a
      specific network interface, /dev/nit, to capture host and user
      authentication information on all newly opened FTP, telnet, and
      rlogin sessions."

      "The intruders first penetrate a system and gain root access"
      through some vulnerability.  Then the intruders exploit the
      promiscuous mode of the network interface to watch network
      traffic.  Note that the problem is with the intruder gaining
      access to other systems by exploiting the network interface.

      CERT suggests that the system protect itself by disabling the
      network interface or preventing unauthorized superuser access.

   B. Nature of the Problem

      HP supports promiscuous mode on two products: Apollo Token Ring
      and STREAMS-DLPI (which currently supports only the Ethernet
      network).  While neither has /dev/nit, both allow superuser
      programs to gain complete access to the network.

      Essentially, the security vulnerability lies in ANY HP SYSTEM THAT
      MAKES NETWORK CONNECTIONS across networks where hosts exist on
      which an intruder has gained root access and is using a network
      monitoring tool on a LAN interface in promiscuous mode.  The
      intruder can then gain information about the HP systems which are
      using the network for a connection.

      The two HP products mentioned above allow a root user to access
      promiscuous mode and can therefore be used by an INTRUDER WHO HAS
      ALREADY GAINED ROOT ACCESS on the HP system to learn about OTHER
      systems which are using the network.  So systems with Apollo Token
      Ring and STREAMS-DLPI are NO MORE VULNERABLE than any other
      systems: they just allow intruders that have already cracked the
      system, by some other means, to EXTEND the intrusion to other
      systems using the attached network.

   C. Fixing the problem

      Hewlett-Packard recommends that all customers concerned with the
      security of their HP-UX systems PREVENT unauthorized root access.

      1. Disabling the interface is not complete protection

         There are many approaches that an intruder could use even if
         the network interface were disabled, IF that intruder has
         already gained root access on the system:

         a. Regenerate/install a new kernel with promiscuous support

            The intruder could always create a new kernel that provided
            promiscuous mode network interfaces, and reboot the system
            with the new kernel.

         b. Promiscuous mode is a hardware capability

            Regardless of software efforts, users must be cognizant that
            promiscuous mode is fundamentally a hardware capability of
            network interfaces.  It might take a new driver, kernel
            pokes, or a complete rewrite of HP-UX: if an intruder has
            root access and time, the intruder will be able to modify
            the system to watch network traffic.

         The best protection is prevention of unauthorized root access.

      2. Network security

         The security of a system is highly dependent on the security of
         the systems over which network connections are made.

         a. Physical vulnerability

            The security of a system can be vulnerable to physical
            interception of network connections.  For example, if
            machine A telnets to machine B via gateway G, the user who
            owns gateway G can easily attach a protocol analyzer to the
            network and watch the network traffic.  The intruder must
            have physical access to the network to use this attack.
            The SECURITY OF ANY HOST ON INTERMEDIATE NETWORKS can affect
            the security of the connection, and thus the security of
            the client and server systems.

         b. Software vulnerability

            Instead of a protocol analyzer, a user can modify the system
            to create a virtual software protocol analyzer.  In the
            above example, the superuser on gateway G could do this to
            monitor network traffic across the gateway.  This is the
            threat addressed by the CERT advisory: an unauthorized user
            gains superuser access to the gateway and creates a network
            monitoring daemon.

         c. Connection security

            The appropriate way to deal with network vulnerability is to
            be cognizant of the security of intermediate gateways when
            making network connections.  When making connections over
            gateways with unknown security precautions against
            unauthorized root access, passwords should be changed
            frequently: perhaps after each use.  (While trojan programs
            can watch the entire session, most only record the first
            few hundred bytes, allowing a password change later in the
            session to go undetected.  Of course, the attacks can change
            to examine larger amounts of traffic, meaning this approach
            is not complete protection.)

            CERT suggests that the long-term solution "is to reduce or
            eliminate the transmission of ... passwords in clear-text
            over the network."

         d. Firewall machines

            Routers exist that can screen network traffic and allow only
            certain packets to cross between networks.  Using such
            routers, companies can isolate their networks from the
            Internet "backbone" with systems called firewall machines.
            Such systems prevent direct "outside"<->"inside"
            communications, forcing users to go through the firewall
            machines.  These machines are then used as the focal point
            of preventing intrusion: they can implement harsh security
            procedures and monitor incoming traffic.

            In addition, a company's internal network structure should
            be partitioned with a similar firewall structure.  Network
            traffic from any particular host should NOT travel across
            every system in the company.  The networks should be
            partitioned into logical "traffic" units which isolate
            groups of hosts that communicate mainly with each other.
            This limits the exposure of network traffic and minimizes
            the potential "snooping" hazard.  These could also be
            isolated from the rest of the company with a firewall
            machine, if required.

      3. Disabling Promiscuous Mode

         A user could disable promiscuous mode by:

         1. Removing STREAMS-DLPI from the system and using LLA instead.
         2. Removing the Apollo Token Ring card/driver from the system.

         As noted above, this approach is NOT RECOMMENDED because the
         root intruder can modify the system to re-enable the mode, and
         because of the loss of functionality this solution causes.
         While CERT suggests that users could disable promiscuous mode
         to prevent intruder abuse, any intruder with root access could
         re-enable promiscuous mode.  The intruder could just re-install
         STREAMS-DLPI and reboot.  Watch for reboots and the
         re-installation of STREAMS-DLPI.
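Added example (not part of the HP bulletin): a POSIX shell check for the advice in C.3 to watch for promiscuous mode being re-enabled on a host. It assumes a modern Linux system, where the interface flags word in /sys/class/net/*/flags carries IFF_PROMISC (0x100) and the kernel logs "device X entered/left promiscuous mode"; HP-UX 9.x has neither, and the interface names and log lines below are constructed.

```shell
#!/bin/sh
# Added example (not from the HP bulletin): detect interfaces that are, or
# were recently put, in promiscuous mode.  Uses the Linux /sys flags word
# (IFF_PROMISC = 0x100) and the kernel's "entered/left promiscuous mode"
# log lines; HP-UX 9.x has no such files, so this is a modern analogue.

# promisc_set HEXFLAGS: succeed when the IFF_PROMISC bit is set in a flags
# word such as the contents of /sys/class/net/eth0/flags ("0x1103").
promisc_set() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# promisc_ifaces_sysfs: list interfaces currently in promiscuous mode by
# reading every /sys/class/net/*/flags (prints nothing on non-Linux hosts).
promisc_ifaces_sysfs() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if promisc_set "$(cat "$f")"; then
            basename "$(dirname "$f")"
        fi
    done
}

# promisc_from_log: read kernel/syslog lines on stdin and print, sorted, the
# interfaces that entered promiscuous mode and have not left it since; a
# later "left" line for the same interface clears the earlier "entered".
promisc_from_log() {
    awk '
        /device [^ ]+ entered promiscuous mode/ {
            for (i = 1; i <= NF; i++) if ($i == "device") state[$(i + 1)] = 1
        }
        /device [^ ]+ left promiscuous mode/ {
            for (i = 1; i <= NF; i++) if ($i == "device") state[$(i + 1)] = 0
        }
        END { for (d in state) if (state[d]) print d }
    ' | sort
}

# Constructed sample log: eth0 was opened briefly and released, eth1 is
# still open.  An "entered" line right after a reboot is exactly the
# re-enabling the bulletin says to watch for.
SAMPLE_LOG='Mar 13 01:01:29 hosta kernel: device eth0 entered promiscuous mode
Mar 13 01:02:00 hosta kernel: device eth0 left promiscuous mode
Mar 13 01:05:10 hosta kernel: device eth1 entered promiscuous mode'

# Usage: report both live and logged evidence.
echo "live now: $(promisc_ifaces_sysfs | tr '\n' ' ')"
echo "per log:  $(printf '%s\n' "$SAMPLE_LOG" | promisc_from_log | tr '\n' ' ')"
```

On a real host, feed promisc_from_log the output of dmesg or the kernel facility of syslog, and treat any interface it reports that promisc_ifaces_sysfs does not as a prompt to check for a reboot in between.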
      4. Prevent Root Intrusions

         For details on maintaining security on your HP-UX system, HP
         offers the following:

            HP-UX System Security (HP p/n B2355-90045)
               The standard security manual for HP-UX.

            HP Remote Watch User's Guide (HP p/n H2534-90022)
               Manual for HP's security monitoring program.

         In addition to the security suggestions presented in all of the
         HP-UX documentation ("Administering ARPA Services", etc.), many
         third-party books exist which discuss UNIX security
         precautions.

         HP does offer B1-level-secure (BLS) versions of HP-UX, releases
         9.08 for the series 800 and 9.09 for the series 700.  A manual
         on network security for the BLS system is "Network Security
         Administrator's Guide" (HP p/n 5960-1661).

   D. Recommended Solution

      To reiterate, the security vulnerability exists with intruder
      snooping of network connections that run through systems that
      have been root-violated and are, as a result, running network
      monitoring daemons.  The recommended solution is to be cognizant
      of the security of intermediate networks in network connections,
      and make sure hosts on those networks prevent root violation; or
      change passwords frequently when using insecure intermediate
      networks.

-----------------------------------------------------------------------
To subscribe to automatically receive NEW future HP Security Bulletins
from the HP SupportLine mail service via electronic mail, send the
following in the TEXT PORTION OF THE MESSAGE to
support@support.mayfield.hp.com (no Subject is required):

   subscribe security_info

To retrieve the index of all HP Security Bulletins, send the following:

   send security_info_list

To obtain a copy of the HP SupportLine mail service user's guide, send
the following:

   send guide.txt

For security concerns, write to: security-alert@hp.com
-----------------------------------------------------------------------