Vulnerability

    ServerIron

Affected

    Foundry Networks ServerIron 5.1.10T12 (tested) and probably other versions including 6.0 (untested)

Description

    Andrew van  der Stock  found following.   Foundry Networks  sell a
    range  of  layer  2-7  switches,  "ServerIron" and closely related
    products   "BigIron",   "FastIron   II",   "TurboIron",  "FastIron
    Workgroup", "FastIron Backbone", and "NetIron".  The main use  for
    ServerIrons is to sit  in front of one  or more hosts and  provide
    scalable, fault tolerant  service, such as  SMTP or DNS  by faking
    IP addresses and distributing load among a farm of servers.

    The  vulnerability  is  the  ServerIron's  management  IP  address
    exposes the  ServerIron's rather  poor TCP/IP  implementation. The
    nmap rating for sequence predictability is "0 - trivial joke".  An
    "early" paper on this issue dates back to 1985, and is the subject
    of   a   five   year   old   CERT   advisory.    With   common  IP
    spoofing/hijacking tools like "hunt",  it is possible to  craft an
    easy  DoS;  a  more  determined  attacker  can  use commonly known
    techniques to spoof or hijack sessions.

    The ServerIron management address exposes telnet and snmp  access,
    and starting with  version 6.0 of  the firmware, a  web management
    interface on port  80. Regardless of  the security concerns  posed
    by clear  text management  protocols, the  management IP  stack is
    poorly implemented.  In  fact, the increase in  sequence numbering
    is not  RFC compliant  (793, 1948)  - even  though the initial RFC
    798  has   inherently  predictable   ISN  and   not  a   desirable
    implementation.

    The  ISS  is  incremented  by  1  for each connection, and is thus
    easily  spoofable  and  hijackable.   The  predictability  exposes
    sideband information about when the switch is being used by  other
    (possibly  legitimate)  users.   The  faked  IP addresses have the
    predictability of the  hosts behind the  switch.  For  example, if
    the ServerIron is hosting an IP address w.x.y.z pointing to a farm
    of  Linux  2.2.10  servers,  the  ISN predictability of IP address
    w.x.y.z is that of Linux 2.2.10.

Solution

    For  Foundry  ServerIron  owners,  there  is a new firmware image,
    6.0.03,  which  fixes  a  small  number  of  other  bugs which are
    definitely worth the upgrade.  Please see the Foundry support  web
    site for the release notes and to grab a copy of the new  firmware
    image.  This firmware revision also has support for the new native
    sshd  implementation  add-on.   ssh  support  in  a  router  is an
    excellent security feature.

    Additional security for your core network; get the new Foundry ssh
    implementation and use it. Filter off telnet, http and SNMP access
    to the Foundry devices to  only those management IP addresses  you
    trust; or  better yet,  disable SNMP  and the  web interface  (6.0
    firmware),  and  completely  filter  off  telnet  access.   Remote
    management access is then only available via serial console (which
    is  hopefully   secured  from   unauthorized  access).    Use   an
    unroutable private  address on  the same  wire or  a new interface
    for  all  your  management  traffic  and  block  it on your border
    routers.  Use  Access Rate control  to stop DoS-levels  of packets
    to your  management IP  addresses.   Use TACACS[+]/RADIUS  to move
    authentication to a trusted host.