Monday, August 27, 2007

Intel adds desktop NAC to latest chips

Intel's move to provide new integration with NAC (network access control) tools in its latest vPro desktop processors could open up new uses for device authentication systems while further strengthening the technology standards it supports, according to industry watchers.

One of a handful of new security features built into the vPro Core 2 Duo chips introduced by Intel on Monday, the added support for the 802.1x standard for NAC and interoperability with Cisco's Network Admission Control guideline -- delivered via the processors' Intel Embedded Trust Agent -- could help accelerate adoption of the device authentication systems while solidifying support for the two formats, experts said.

NAC systems are used to scan device and user authentication information whenever a machine attempts to log onto a network protected by the tools. In addition to protecting against potential break-ins from uninvited outsiders, the tools are also considered a useful alternative for enterprises to employ in segregating access to IT systems shared with partners or contractors.

Using the Embedded Trust Agent, Intel said that it can now allow NAC systems -- including any built on the 802.1x or Cisco NAC platforms -- to garner device identity information directly from the processor, bypassing the need for the authentication technologies to interact with PC operating system software.

One of the methods for circumventing NAC systems that security researchers have outlined thus far is to spoof or misrepresent device information in order to dupe the network defense tools. By presenting machine identity data from the processor itself, such attacks could be largely eliminated, Intel officials said.
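The following is an added example (not code from the article, from Intel or from Cisco) that simulates the distinction the two paragraphs above draw: a NAC server that believes whatever device identity the operating system reports, versus one that demands the identity claim be signed by a key held outside the OS's reach. The hardware trust agent is simulated with a per-device HMAC key; the class names (NacServer, HardwareTrustAgent), the device inventory and the device id are hypothetical, constructed for the demonstration.

```python
# Added example, not from the article: simulates the difference between a NAC
# decision that trusts device identity as reported by OS-level software and one
# that requires the identity claim to be attested by a key held in hardware.
# The "hardware trust agent" is simulated with a per-device HMAC key that the
# OS-level code never receives; NacServer, HardwareTrustAgent and the device
# inventory are hypothetical names and constructed data.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed inventory: device id -> key provisioned into the trust agent at enrollment.
INVENTORY: Dict[str, bytes] = {"corp-desktop-0042": b"constructed-enrollment-key-0042"}


@dataclass
class IdentityClaim:
    device_id: str
    nonce: bytes            # server-issued challenge, makes each claim single-use
    mac: Optional[bytes]    # HMAC over (device_id, nonce); None for software-only claims


class HardwareTrustAgent:
    """Holds the device key out of reach of the OS and signs challenges with it."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self._device_id = device_id
        self._key = key

    def attest(self, nonce: bytes) -> IdentityClaim:
        mac = hmac.new(self._key, self._device_id.encode() + nonce, hashlib.sha256).digest()
        return IdentityClaim(self._device_id, nonce, mac)


def os_reported_claim(device_id: str, nonce: bytes) -> IdentityClaim:
    """Software-only path: whoever controls the OS chooses the identity string."""
    return IdentityClaim(device_id, nonce, None)


class NacServer:
    def __init__(self, inventory: Dict[str, bytes], require_attestation: bool) -> None:
        self._inventory = inventory
        self._require_attestation = require_attestation
        self._outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def admit(self, claim: IdentityClaim) -> bool:
        # Reject unknown or replayed nonces before looking at anything else.
        if claim.nonce not in self._outstanding:
            return False
        self._outstanding.discard(claim.nonce)
        if claim.device_id not in self._inventory:
            return False
        if not self._require_attestation:
            return True  # legacy behaviour: the OS-supplied identity is believed as-is
        if claim.mac is None:
            return False
        expected = hmac.new(self._inventory[claim.device_id],
                            claim.device_id.encode() + claim.nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, claim.mac)


def demo() -> Dict[str, bool]:
    """Runs the four cases the article's argument rests on and returns the outcomes."""
    agent = HardwareTrustAgent("corp-desktop-0042", INVENTORY["corp-desktop-0042"])
    legacy = NacServer(INVENTORY, require_attestation=False)
    attesting = NacServer(INVENTORY, require_attestation=True)

    # A rogue host on the network claims to be the enrolled desktop.
    spoof_vs_legacy = legacy.admit(os_reported_claim("corp-desktop-0042", legacy.challenge()))
    spoof_vs_attesting = attesting.admit(os_reported_claim("corp-desktop-0042", attesting.challenge()))

    # The real desktop answers the challenge through its trust agent.
    genuine = agent.attest(attesting.challenge())
    genuine_admitted = attesting.admit(genuine)
    replay_admitted = attesting.admit(genuine)  # same signed claim presented a second time

    return {
        "spoofed_claim_admitted_by_legacy_nac": spoof_vs_legacy,
        "spoofed_claim_admitted_by_attesting_nac": spoof_vs_attesting,
        "genuine_claim_admitted": genuine_admitted,
        "replayed_claim_admitted": replay_admitted,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The legacy server admits the spoofed claim because the identity string is the only thing it checks; the attesting server admits only a claim signed with the enrolled key over a fresh server nonce, so a host that merely asserts the same device id, or replays an earlier signed claim, is refused.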

While Intel did not promote direct linkage between Embedded Trust Agent and Microsoft's flavor of NAC -- known as Network Access Protection and already integrated into the software giant's Vista OS -- Cisco and Microsoft have previously announced an agreement to make all of their respective network authentication systems compatible.

Similar support for NAC on mobile platforms will arrive with Intel's next batch of Centrino chips, slated for shipment sometime in 2008, said company officials.

Cisco officials participating in Intel's vPro launch said that the CPU-level NAC integration could prove to be a significant accelerant to adoption of the technology, which most industry experts have charted as relatively slow thus far, despite the networking giant's claim that many of its customers are turning on the next-generation authentication systems.

"The strength of NAC is certainly based on the reliability of the information that you can present to the network, and having direct access to information on the hardware provides a whole new opportunity that hasn't been present only with OS interaction," said Brendan O'Connell, senior product manager for Cisco's Security Technology Group.

"In the past, even with existing NAC systems, what's happened is that when a PC starts up on the network, the security decision is held off while other things are being run in the background, but we're hoping to see that change and get in the door earlier," he said. "There are some big advantages for getting this type of information to present device security posture assessment sooner in the process, both for desktops and down the road for other types of devices."

Wednesday, August 22, 2007

Crash bug blights Cisco IP phones

Cisco has advised users to update the firmware on some of its IP phones following the discovery of two security flaws.

A brace of Session Initiation Protocol (SIP) vulnerabilities in Cisco 7940/7960 IP Phones creates the potential for hackers to crash vulnerable handsets, but not to run exploit code on them.

SIP is a signalling protocol for VoIP. The protocol can be used to create two-party, multiparty, or multicast sessions.

Cisco IP Phone 7940/7960 SIP firmware versions prior to 8.7(0) are vulnerable to the denial of service attacks, Cisco warns. Users are advised to update their firmware to version 8.7(0), as explained in its advisory here.

More detail on the vulnerabilities can be found in posts (here and here) to full disclosure mailing lists by the independent security researchers (Radu State, Humberto J Abdelnur, and Olivier Festor) who discovered the bugs.

Monday, August 20, 2007

Cisco IOS Next Hop Resolution Protocol DoS

NHRP is "basically a query-and-reply protocol and all parties through which reply information passes build a 'network knowledge table' that can be used for all subsequent traffic".

A vulnerability in Cisco IOS allows remote denial of service; the following exploit code can be used to test for it.

Exploit
Original Advisory

Monday, August 13, 2007

Cisco site blacked out

A Web site blackout yesterday prevented Cisco Systems Inc. customers from retrieving 21 critical patches for about three hours, shortly after the fixes were posted by the network hardware maker.

Updates for nearly two dozen vulnerabilities in IOS, formerly known as Internetwork Operating System and the controlling software for most Cisco routers and switches, were released around 11 a.m. EDT Wednesday. Cisco.com, however, went dark around 2 p.m. EDT and didn't come back online until about 5 p.m. Today, Cisco blamed "human error" for the site swooning, and added that the severity of the resulting electrical overload prevented the expected redundancies from kicking in.

The 21 patches, deployed in four updates, were posted three hours before the blackout, and would repair IOS against a swath of vulnerabilities, some of which could result in attackers injecting their own code into vulnerable Cisco hardware. Three of the four IOS updates, according to Cisco's advisories, plug holes that attackers can, or might be able to, exploit with remote code.

Internet Storm Center analyst Tom Liston ranked two of the four -- "Secure Copy Authorization Bypass Vulnerability" and "Voice Vulnerabilities in Cisco IOS" -- as especially dangerous, and urged administrators to patch them as soon as possible.

Of the bypass update, Liston said: "[The attacker] needs a log-in, but after that, it's pretty much game-over." The 16 bugs quashed by the voice vulnerabilities update are even scarier, he said. "The others can potentially wait for testing, this [set] can't. Patch now."

Danish vulnerability tracker Secunia, however, rated the bypass bug as "less critical," the second step in its five-mark scoring system, and tagged the voice flaws as "moderately critical," its middle rank.

Thursday, August 9, 2007

Cisco patches serious holes in voice-enabled offerings

Cisco issued four updates that patch a raft of security holes in products running its Internetwork Operating System (IOS). Impacts included sustained denial of service attacks, data leakage and remote execution of code.

The most serious vulnerabilities reside in voice-enabled devices and Cisco Unified Communications Manager, which can allow an attacker to remotely execute malicious code. There are no workarounds for the flaws, which pertain to services such as Session Initiation Protocol, Media Gateway Control Protocol, Signaling protocols H.323, H.254, Real-time Transport Protocol and Facsimile reception.

"This one is bad, as in real bad," Johannes Ullrich, CTO for SANS Internet Storm Center, told The Reg. "I would probably expedite the testing process for that. The other vulnerabilities, you want to be really careful about testing them and they don't seem to be overly critical."

Vulnerable IOS versions include various flavors of 12.3(4), 12.3(7), 12.3(8), 12.4 Mainline and 12.4T onward. Routers that are configured as SIP Public Switched Telephone Network Gateways and SIP Session Border Controllers are also vulnerable, as is the CAT6000-CMM card.

Other updates addressed a data leakage flaw when using IPv6 routing headers and a weakness in the IOS Next Hop Resolution Protocol that can result in a restart of the device or possible remote code execution.

A fourth patch plugs a hole in some 12.2-based IOS releases when configured to offer Secure Copy server functionality. The vulnerability allows any valid user, regardless of privilege level, to transfer files to and from an IOS device. To exploit it, an attacker would need access to port 22, which is typically open only on management interfaces.

Nonetheless, Immunity, a company that provides penetration testing tools, plans to add modules to its products that test for the vulnerability, said Kostya Kortchinsky, a senior researcher at the company.

"Anybody can exploit this without any skill in Cisco exploitation," he explained. "It doesn't need any overflow of any kind."
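As an added example (not code from the article, from Cisco or from Immunity), the audit below reads an IOS running-config and reports the exposure the Secure Copy item describes: an SCP server that is enabled and reachable over port 22 from vty lines with no inbound access-class, on a release in the 12.2 train. The configuration keywords it looks for (`ip scp server enable`, `line vty`, `transport input`, `access-class ... in`) are standard IOS syntax; the two configuration texts and the hostname are constructed samples, and treating a vty with no `transport input` line as permissive is a deliberately conservative assumption of this script.

```python
# Added example, not part of the article: a small audit over an IOS running-config
# that flags the exposure the Secure Copy advisory describes, an SCP server that
# any authenticated user can reach over port 22. 'ip scp server enable', 'line vty',
# 'transport input' and 'access-class' are standard IOS configuration syntax; the
# two config texts below are constructed samples, not taken from any real device.
import re
from typing import List

# Constructed: a 12.2 router with the SCP server on and unrestricted SSH on the vtys.
EXPOSED_CONFIG = """\
version 12.2
hostname edge-rtr-1
!
ip scp server enable
!
line vty 0 4
 transport input ssh
 login local
!
end
"""

# Constructed: the same router with SSH on the vtys restricted to a management ACL.
RESTRICTED_CONFIG = """\
version 12.2
hostname edge-rtr-1
!
access-list 10 permit 10.0.0.0 0.0.0.255
ip scp server enable
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
!
end
"""


def parse_line_blocks(config: str) -> List[dict]:
    """Collect each 'line vty ...' block together with its indented sub-commands."""
    blocks: List[dict] = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = {"name": raw.strip(), "cmds": []}
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current["cmds"].append(raw.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks


def vty_accepts_ssh(cmds: List[str]) -> bool:
    """True unless a 'transport input' line is present and excludes ssh.
    A vty with no 'transport input' line is treated as permissive (conservative assumption)."""
    for cmd in cmds:
        if cmd.startswith("transport input"):
            protos = cmd.split()[2:]
            return "ssh" in protos or "all" in protos
    return True


def audit_scp_exposure(config: str) -> List[str]:
    """Return human-readable findings; an empty list means no SCP server exposure."""
    findings: List[str] = []
    # '^' with re.M means 'no ip scp server enable' does not match.
    if re.search(r"^ip scp server enable\s*$", config, re.M) is None:
        return findings
    findings.append("SCP server enabled")
    m = re.search(r"^version (\S+)", config, re.M)
    if m and m.group(1).startswith("12.2"):
        findings.append(f"IOS {m.group(1)} is in the 12.2 train named by the advisory")
    for blk in parse_line_blocks(config):
        cmds = blk["cmds"]
        has_acl = any(c.startswith("access-class") and c.endswith(" in") for c in cmds)
        if vty_accepts_ssh(cmds) and not has_acl:
            findings.append(f"{blk['name']}: SSH (port 22) accepted with no inbound access-class")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        print(label, audit_scp_exposure(cfg))
```

The restricted sample still reports the SCP server and the release train, since an access-class narrows who can reach port 22 but does not remove the flaw; only the firmware update does that, and the vty finding is what tells an operator whether the "management interfaces only" assumption in the article actually holds on a given device.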

The patches were released the same day Cisco's website was inaccessible for about three hours. A spokeswoman later said the outage was the result of an accident during maintenance that cut off power to a San Jose data center.

Cisco IOS Next Hop Resolution Protocol Buffer Overflow
Cisco IOS IPv6 Routing Header Information Disclosure and Denial of Service
Cisco IOS Secure Copy Security Bypass Vulnerability
Cisco Unified Communications Manager SIP Packet Processing Vulnerability
Cisco Unified MeetingPlace "STPL" and "FTPL" Cross-Site Scripting
Cisco IOS Voice Service Multiple Protocol Handling Vulnerabilities

Tuesday, August 7, 2007

Cisco wants to be like Apple

In an interview with The Wall Street Journal, Cisco CEO John Chambers says that he wants to build his router company into a force in the consumer electronics field. That is probably not a good idea.

Chambers reasons that his router business will continue to grow at low double digits for several years. Mostly driven by supplying telecom and cable companies with infrastructure, Cisco made $2.2 billion in its last reported quarter on revenue of $8.9 billion.

But, the company does own the Linksys WiFi product and the Scientific Atlanta set-top business. It hopes to re-brand these with the Cisco name. This would put the company up against the largest set-top provider, Motorola's General Instruments division. It would also put Cisco into the home networking business that has chewed up and spit out companies from Microsoft and Intel. Dozens of companies are trying to make money as the hub of home entertainment and connectivity.

It would be a long and very hard war for Cisco. It should stick to its knitting.

Monday, August 6, 2007

Cisco Introduces Innovative New Data Center Virtualization Orchestration Solution

Cisco has announced VFrame Data Center (VFrame DC), an orchestration platform that leverages network intelligence to provision resources together as virtualized services. This industry-first approach greatly reduces application deployment times, improves overall resource utilization, and offers greater business agility. Further, VFrame DC includes an open API, and easily integrates with third party management applications, as well as best-of-breed server and storage virtualization offerings.

With VFrame DC, customers can now link their compute, networking and storage infrastructures together as a set of virtualized services. This services approach provides a simple yet powerful way to quickly view all the services configured at the application level to improve troubleshooting and change management. VFrame DC offers a policy engine for automating resource changes in response to infrastructure outages and performance changes. Additionally, these changes can be controlled by external monitoring systems via integration with the VFrame DC web services application programming interface (API).

"Taking advantage of the ubiquity of the network to orchestrate data center services could help data centers evolve beyond their current siloed functions," said Lucinda Borovick, Director of Data Center Networks, IDC. "This approach has the potential to deliver more efficient application provisioning, reduce costs, and increase IT productivity."

VFrame DC is a highly efficient orchestration platform for service provisioning which requires only a single controller and one back-up controller. The real time provisioning engine has a comprehensive view of compute, storage and network resources. This view enables VFrame DC to provision resources as virtualized services using graphical design templates. These design templates comprise one of four VFrame DC modular components: design, discovery, deploy, and operations. These components are integrated together with a robust security interface that allows controlled access by multiple organizations.