During the month of May 2014 we performed an offensive security analysis, trying to find how hard it would be for a low-to-medium skilled attacker to disrupt the core of the Internet (i.e. achieve the largest possible impact at the lowest common layer, with minimal resources). This is a confidential report on our results, showing vulnerabilities and incidents which have since been properly reported (authors contacted, CVEs assigned, patches written and incidents handled).
The targets of our analysis are looking-glasses, web applications hosted by Autonomous Systems to offer restricted public access in order to debug network connectivity issues. We identified them as a possible weak link because:
A successful attack on a looking-glass means gaining access to the router console, by just attacking decade-old PHP/Perl scripts.
An attacker could steal credentials or find web flaws to log in and run arbitrary commands on the routers. Even with proper ACLs in place, it is easy to escalate privileges by abusing one of many existing techniques, e.g. on Cisco [0] and on Juniper [1] routers.
Once there, an attacker can cause great havoc on the network. Low-hanging targets include leaking sensitive information (e.g. private routing plans) and fingerprinting the internal network. Medium-level attacks could encompass redirecting some of the internal routing (e.g. setting up mirroring interfaces) or performing DoS (e.g. by changing the OSPF configuration).
High-level attacks would instead target the Internet itself: multiple rogue routers announcing malicious BGP routes would effectively disrupt worldwide connectivity.
The last point is basically our motivation for submitting to this bug bounty, as the vulnerabilities and incidents below could have been abused to disrupt the Internet at the BGP level from multiple injection points.
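The defensive counterpart to the command-execution risk described above, as an added example that is not part of this report or of any looking-glass software it mentions: a query validator that constrains what a looking-glass front end is allowed to forward to the router console. The command allow-list, the router command templates and the function names are assumptions.

```python
import ipaddress
from typing import Optional

# Assumed allow-list of looking-glass queries mapped to fixed router command
# templates. Only the {target} slot is ever filled from user input.
ALLOWED_COMMANDS = {
    "ping": "ping {target}",
    "traceroute": "traceroute {target}",
    "bgp": "show ip bgp {target}",
    "bgp-summary": "show ip bgp summary",
}


def validate_target(target: str) -> str:
    """Return a normalised IP address or CIDR prefix, or raise ValueError.

    Parsing through the ipaddress module means the only characters that can
    reach the router are those of a well-formed address or prefix; shell
    metacharacters, extra arguments and embedded commands never get through.
    """
    try:
        net = ipaddress.ip_network(target.strip(), strict=False)
    except ValueError:
        raise ValueError(f"rejected target: {target!r}") from None
    # A bare address parses as a /32 or /128 network; hand it back as an address.
    if "/" not in target:
        return str(net.network_address)
    return str(net)


def build_router_command(command: str, target: Optional[str] = None) -> str:
    """Map a looking-glass request onto the one router command it may run."""
    template = ALLOWED_COMMANDS.get(command)
    if template is None:
        raise ValueError(f"unknown command: {command!r}")
    if "{target}" in template:
        if not target:
            raise ValueError(f"{command} requires a target")
        return template.format(target=validate_target(target))
    if target:
        raise ValueError(f"{command} takes no target")
    return template


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, one with an injected command.
    for cmd, tgt in [("ping", "192.0.2.1"), ("bgp", "198.51.100.0/24"),
                     ("ping", "192.0.2.1; reload"), ("bgp-summary", None)]:
        try:
            print(f"{cmd} {tgt!r} -> {build_router_command(cmd, tgt)}")
        except ValueError as exc:
            print(f"{cmd} {tgt!r} -> REJECTED ({exc})")
```

Pairing this with a dedicated, least-privileged router account for the looking-glass keeps a compromise of the web layer from turning into a console session.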
All the flaws we found can be categorized as follows:
In particular, we got 6 CVEs assigned and confirmed:
Each report contains full details and timeline on the issue.
Starting from the above CVEs, we performed a brief survey of impacted ASes and observed the following number of incidents:
We privately contacted all the ISPs (Cc:ing their national FSIRT) to properly secure the exposed configuration files and to update mrlg4php to a fixed version.
In order to avoid major screw-ups, we proceeded as follows:
The whole process took ~1 month and was handled under embargo and in private as far as possible. We are now reaching the proposed deadline for full public disclosure (16/06) with no pending blockers from software authors or ASes.
Once the embargo is over we would like to produce more detailed reports on what we found during the study; to that end we are submitting an academic paper to WOOT'14 and a talk at DEFCON'14. Both are currently under embargo and pending review, but we can attach them, if requested, under an informal non-disclosure agreement.
[0] Cisco bulletin: cisco-sr-20130318-type4
[1] Juniper bulletin: JSA10420