SECURITYVULNS:DOC:3284
Jul 29, 2002

Phenoelit Advisory 0815 ++ -- Brick

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +±>

[ Authors ]
FX <[email protected]>
kim0 <[email protected]>

    Phenoelit Group (http://www.phenoelit.de)
    http://www.phenoelit.de/stuff/Lucent_Brick.txt

[ Affected Products ]
Lucent
LSMS 5.5 (Lucent Brick, Bridging VPN Firewall)

    Lucent Bug ID:  Not assigned

[ Vendor communication ]
06/28/02 Reply to inquiry regarding "who to notify"
06/29/02 Initial Notification to Brick team
         *Note-Initial notification by phenoelit
         includes a cc to [email protected] by default
07/02/02 Ack. of receipt by Lucent Brick team
07/06/02 Weekly follow-up by central POC at Lucent (Right on Time)
07/08/02 Additional tech-discussions
07/19/02 Notification of intent to post publicly in apx. 7 days.
07/25/02 Notification that due to personnel changes at Lucent,
         our POC has changed. The new person is supposed to be
         contacting us...

[ Overview ]
The Lucent Brick VPN Firewall is a layer 2, NCSA, US Army, and
US National Security Agency (NSA) Approved/Certified Firewall that
operates on Inferno, an embedded operating system. "Brick" devices
come in many sizes, from the SOHO Brick 20 to the Enterprise
1000 (GiG).

[ Description ]
The Brick suffers from several design failures in its handling of
the ARP protocol.

    1. It is possible to interrupt any connection between the Brick
       and critical devices such as the LSMS (Brick Management
       Server) by binding the IP address of the device in question
       to the attacker's interface and "pinging" the Brick or any
       address behind it. The Brick will immediately update its ARP
       cache and drop the connection, no matter where the attacker
       is located (internal/outside segment). This requires the
       "Floating MAC" setting to be turned on.

    2. The Brick will forward any ARP request and response across
       all interfaces, regardless of the existing firewall rules.

    3. All Bricks are identifiable during reconnaissance using the
       most basic of techniques (pinging all addresses in segment).
       The device that sends ARP requests for the attacker IP
       address is the Brick.
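
A defender-side check for item 1, as an added example that is not part of the original advisory: it decodes ARP payloads (RFC 826) and reports when a sender claims a pinned critical IP, such as the LSMS, with an unexpected MAC. The addresses, the PINNED table and the sample packets are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address

# Constructed inventory: critical IP -> MAC it is expected to use (placeholders).
PINNED = {"192.0.2.10": "00:00:5e:00:53:0a"}   # hypothetical LSMS address

def parse_arp(payload: bytes):
    """Decode an Ethernet/IPv4 ARP payload (RFC 826); return None if it is not one."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = ":".join(f"{b:02x}" for b in sha)
    return oper, mac, str(IPv4Address(spa)), str(IPv4Address(tpa))

def audit(payloads, pinned=PINNED):
    """Return alerts for sender IP/MAC claims that contradict a pin or an earlier claim."""
    seen, alerts = dict(pinned), []
    for n, payload in enumerate(payloads):
        arp = parse_arp(payload)
        if arp is None:
            continue
        oper, mac, spa, tpa = arp
        if spa == "0.0.0.0":          # ARP probe, carries no binding
            continue
        known = seen.setdefault(spa, mac)
        if known != mac:
            kind = "pinned-ip-claimed" if spa in pinned else "binding-changed"
            alerts.append((n, kind, spa, known, mac))
            if spa not in pinned:
                seen[spa] = mac       # follow moves of unpinned hosts
    return alerts

def _arp(oper, sha, spa, tpa):
    """Build a constructed sample ARP payload for the demo below."""
    mac = bytes.fromhex(sha.replace(":", ""))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac,
                       IPv4Address(spa).packed, bytes(6), IPv4Address(tpa).packed)

SAMPLE = [  # constructed traffic, not captured from a real device
    _arp(2, "00:00:5e:00:53:0a", "192.0.2.10", "192.0.2.1"),   # LSMS, expected MAC
    _arp(1, "00:00:5e:00:53:77", "192.0.2.10", "192.0.2.1"),   # same IP, other MAC
    _arp(1, "00:00:5e:00:53:20", "192.0.2.20", "192.0.2.1"),   # ordinary host
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

Both requests and replies are checked because the sender fields of either opcode carry an IP-to-MAC claim.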

[ Example ]
1. # man ping
2. # man arp
3. # for i in `cat ipaddresses.txt`; do ping $i; done

[ Solution ]
None known at this time.

[ end of file ]