-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
InvisibleNet Security Advisory ISA 1-1a
security@invisiblenet.com
http://www.invisiblenet.com
December 12th, 2002 - report issued by 0x90
- --------------------------------------------------------------------------

Subject: Adelphia PowerLink Network (http://powerlink.adelphia.com) vulnerable to ARP poisoning attacks and promiscuous-mode sniffing.

Vulnerability: ARP poisoning and monitoring of subnet(s)
Problem-Type: remote
OS Specific: N/A

Problem Description: A certain set of subnets on Adelphia's PowerLink network are treated as a hub/switch and therefore allow cable modem subscribers to monitor the subnet in promiscuous mode and to carry out ARP poisoning (man-in-the-middle) attacks. The flaw seems to affect only Windows users' DHCP requests; *nix clients are handed an IP address on an entirely different subnet that is not vulnerable. This doesn't stop one from booting into *nix and manually configuring an IP address on the vulnerable subnet.

To review: with ARP poisoning, one can do a tremendous amount of malicious activity on a subnet, from DoS'ing the network, to hijacking DNS servers, and even attacking/cracking SSL/SSH/VPN negotiations. In promiscuous mode, one can passively monitor all traffic on the subnet, obtaining private information, including logins/passwords and private email.

Vulnerable Subnets: Please contact security@invisiblenet.com for info regarding specific subnets.

Solution: The solution varies depending on how the cable network's topology is handled. ARP poisoning, as we know, is not a completely solvable issue without a physical/virtual separation of Layer 3 from Layer 2 in the OSI model. For promiscuous mode, don't run the network in hub mode.

Patch: N/A.

Disclaimer: InvisibleNet is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories.
Our advisories are a service to our customers intended to promote secure installation and use of InvisibleNet products.

- --0x90--
I'd crawl over an acre of "Visual This++" and "Integrated Development That" to get to gcc, Emacs, and gdb. Thank you.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPfjpkTep2+UpsNFNEQIWlACg/Vf44LuQHkdwaotTTN2oOBlKAD0AniS2
gSXaIhcrh+Q5j9Po3Ct8BeYx
=CS8m
-----END PGP SIGNATURE-----
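
Added example, not part of the InvisibleNet advisory: on a shared segment like the one described above, a monitoring host can watch ARP traffic for an IP address whose claimed MAC changes, or for one MAC claiming several IPs. The function names, the alert tuple layout and the sample packets (documentation addresses, constructed) are assumptions made for this sketch.

```python
import struct
from ipaddress import IPv4Address

# ARP over Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip) for an Ethernet/IPv4 ARP payload, else None."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _, _ = struct.unpack_from(ARP_FMT, payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha.hex(":"), str(IPv4Address(spa))

def find_arp_anomalies(payloads):
    """Flag IPs whose claimed MAC changes and MACs that claim more than one IP."""
    ip_to_mac, mac_to_ips, alerts = {}, {}, []
    for index, payload in enumerate(payloads):
        parsed = parse_arp(payload)
        # Skip truncated/non-IPv4 ARP and ARP probes (sender 0.0.0.0 asserts no binding).
        if parsed is None or parsed[2] == "0.0.0.0":
            continue
        _, mac, ip = parsed
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((index, "rebound", ip, previous, mac))
        ip_to_mac[ip] = mac
        claimed = mac_to_ips.setdefault(mac, set())
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1:
                alerts.append((index, "multi-ip", mac, sorted(claimed)))
    return alerts

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, to_mac(sender_mac),
                       IPv4Address(sender_ip).packed, to_mac(target_mac),
                       IPv4Address(target_ip).packed)

# Constructed sample: the gateway's IP is later claimed by a different MAC.
GW, HOST, ZERO = "00:00:5e:00:53:01", "00:00:5e:00:53:66", "00:00:00:00:00:00"
SAMPLE = [
    build_arp(2, GW, "192.0.2.1", HOST, "192.0.2.66"),    # gateway reply
    build_arp(1, HOST, "192.0.2.66", ZERO, "192.0.2.1"),  # ordinary request
    b"\x00\x01\x08\x00",                                  # truncated payload
    build_arp(2, HOST, "192.0.2.1", ZERO, "192.0.2.10"),  # conflicting claim
]
```

Both alert types have benign causes (DHCP lease turnover, routers or proxy ARP answering for several addresses), so a deployment would compare alerts against known gateway and server bindings before acting on them.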