NOTE TO MODERATORS: If you choose to post a technical debate including Mr. hellNbak's reply, please include my follow-up post. I question whether or not a documented flaw is worthy of post-alert debate, when this should have been resolved by the research organization and ISS prior to publication. It is questionable across all charters of the lists here. Since NMRC is essentially republishing an ISS document in this 'advisory', this is typically referred to as a security Alert, not an Advisory, since it is not original security content.

----

Mr. hellNbak,

I have made two inquiries to you via email about reproducing this problem, with no response.

What you are referring to is an escalation of privilege, from a console that already has been configured and keyed by the sensor administrator. We confirm this in our security bulletin in the ISS KB. For a remote attacker to obtain the keys to establish a session, the /Keys directory on the IPSO box would have to be compromised, requiring root privs.

It is difficult to 'talk' to someone who describes themselves as "Not too many people know who I am or my true identity and I like to keep it that way. This is not because I have something to hide, or because I am trying to hide behind a handle, but because in order to keep my work life and personal hacking life separate I must use a handle." I had no way to get in touch with you, besides email.

I suggest that NMRC uses more standard procedures in issuing security advisories if you care for them to be precise in the future. We should have been having this conversation before you posted your 'advisory', which was a documented issue since Feb 6, 2002.

-Chris

PS: I have no further comments regarding this issue. For technically accurate information regarding the flaw, please reference ISS KB #020206-000005.
-----Original Message-----
From: hellNbak [mailto:hellnbak@nmrc.org]
Sent: Thursday, March 21, 2002 1:00 PM
To: Rouland, Chris (ISSAtlanta)
Cc: nmrcfolk@nmrc.org; bugtraq@securityfocus.com; vulnwatch@vulnwatch.org; focus-ids@securityfocus.com
Subject: RE: [VulnWatch] NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia Appliances

On Thu, 21 Mar 2002, Rouland, Chris (ISSAtlanta) wrote:

> Please confirm that you are able to exploit this, without root access
> to the IPSO box.

Chris, if I set up my own console, why would I need root access to the IPSO box? If I simply set my machine name to starscream and my user to skank I am able to connect and push new keys generated by my console.

I am unsure why you would post that "NMRC is unable to confirm that this can be exploited" without actually talking to me first. I just tested it, a second time, and yes, you can connect via the console and root access on the Nokia box is not an issue. The console connects to the control channel and allows me to push new keys down using the deployment wizard, which then allows me to set my new console as the "master controller" and gather alerts, modify policies etc...