This is a known flaw in RealSecure Network Sensor 6.0 build 6.0.2001.141 for Nokia IPSO. It was corrected early this year in build 6.0.2001.141d for IPSO. This flaw is not remotely exploitable. Root privileges are required to obtain public keys from the sensor to allow an initial console connection. NMRC has not been able to confirm that they are able to exploit this flaw. ISS notified users of the 6.0 IPSO sensor in February, and this issue has been documented in our public knowledgebase since February 6, 2002. --- Knowledgebase Article February 6, 2002 Improper Default Entry in iss.access file for RealSecure for Nokia 6.0 HOW BIG IS THE RISK? An administrator could grant escalated privileges to a console, allowing key administrator rights without specifically granting that right An attacker would need root access to the appliance, or would need assistance from an established key administrator to exploit this vulnerability This only affects RealSecure for Nokia This is a low risk vulnerability WHAT IS THE VULNERABILITY? There is a pre-defined Key Administrator included in the iss.access file, starscream_skank, installed by default in RealSecure for Nokia 6.0. An attacker would need a RealSecure 6.0 Console, setup using the machine name of starscream and the user name of skank, to generate the correct public encryption keys. The attacker would then need root access to the Nokia Sensor, in order to transfer the public keys from the Console to the Sensor's /Keys directory, to allow the initial Console connection. The attacker could then copy files to the Sensor's /Keys directory, using the RealSecure Console. Since this vulnerability can only be used in conjunction with root access to the Sensor, it's threat level is assessed by Internet Security Systems as very low. WHAT SYSTEMS ARE AT RISK? Only Nokia IPSO systems, running RealSecure for Nokia 6.0, build 6.0.2001.141 No other RealSecure Sensors are affected RECOMMENDATIONS The work-around is to remove the Key Administrator designation, starscream_skank, from the list of Key Administrators for RealSecure for Nokia 6.0 Sensors which were installed using build 6.0.2001.141 This build has been replaced with build 6.0.2001.141d, available for download here: https://www.iss.net/cgi-bin/download/customer/customer-select.cgi ADDITIONAL INFORMATION For additional information concerning this vulnerability, contact ISS Technical Support at, support@iss.net or 888-447-4861 COMMENTS: ISS received no notice of a security advisory from NMRC. In responsible vulnerability disclosure, the vendor works with the researcher to confirm fix availability (since Feb 02 in this case), edit the advisory for technical content and typographic errors, and to confirm exploitation of the flaw (unconfirmed). The only correspondence from NMRC follows (thread is, NMRC is looking for keys to 2 very old versions of RealSecure to find holes in it, and we are attempting to assist). Our current shipping version of RealSecure is 6.5, so the legitimate value of researching RealSecure 3.0 and 5.0 for flaws is questionable as well. -----Original Message----- From: Ring Zero [mailto:ringzero@www.nmrc.org] Sent: Wednesday, March 20, 2002 12:18 PM To: Lamb, Kris (ISS Atlanta) Cc: 'Phuzzy L0gik'; 'Simple Nomad' Subject: RE: Anomaly in RealSecure Hello Kris, Sorry it's been so long. I found some free time to resume testing on your Real Secure product. I ran some tests on version 6 but with no luck. We need version 5.0. We found a copy of version 3.0, could you send me a key? Or perhaps somehow give me a copy of version 5.0? I've been looking for weeks now and I can't find it anywhere! One other thing, why is [KeyManager\starscream_skank\;] installed by default on the NIDS installation for Nokia? Thanks RZ ------------------------------------------------------------- -------------------------------------------------------------- Chris Rouland Director / X-Force Internet Security Systems, Inc. http://xforce.iss.net crouland@iss.net
