Nokia GGSN (IP650 Based) DoS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                          @stake Inc.
                        www.atstake.com

                       Security Advisory

Advisory Name: Nokia GGSN (IP650 Based) DoS
Release Date: 06/09/2003
Application: Nokia GGSN (IP650 Based)
Platform: Nokia GGSN (IP650 Based)
Severity: An attacker is able to cause GGSN to kernel panic
Authors: Ollie Whitehouse [[email protected]]
Joe Grand
Brian Hassick
Vendor Status: Informed/Fixed
CVE Candidate: CAN-2003-0368 Nokia GGSN Kernel Panic
Reference: www.atstake.com/research/advisories/2003/a060903-1.txt

Overview:

   Nokia's (http://www.nokia.com) GGSN (Gateway GPRS support

node)
is the platform that exists between Gn and Gi networks within a GPRS
network.

There exists a vulnerability in the TCP stack that allows an
attacker to cause the GGSN to kernel panic and shutdown. This
potentially allows an attacker to crash all data connectivity within
a GPRS based network.

This is a good example of why network elements which introduce IP
functionality to legacy networks should have their functionality
verified in terms of impact on security before deployment in a
production environment.

Technical Overview:

    This vulnerability is exploited by sending a malformed

IP packet with a TCP option of 0xFF over a cellphone to the affected
network.

Vendor Response:

    (see recommendation).

Recommendation:

    @stake worked with Nokia to ensure that all affected

operators
were informed and upgraded and only after this time did @stake agree
to release this information to the public. There should be no action
on the part of the operator required.

Below is the notice that was sent out by Nokia to their clients:

    ---[Nokia Notice]---
    NOKIA CUSTOMER CONFIDENTIAL, GGSN RELEASE 1 VULNERABILITY

    Under exceptional circumstances Nokia GGSN release 1 is
    potentially vulnerable to a "Denial Of Service" style of
    attack from a malicious user equipped with a computer and a
    mobile phone. When the vulnerability is exploited the GGSN
    restarts. There is no damage to the configuration, but some
    charging data may be lost.  Changing a normal Access Point to
    tunneled (GRE or IP in IP) prevents the attacks from mobile
    user side.

    The same applies for the Gi interface though routers and
    firewalls would normally drop this kind of packets. The
    problem has been detected and reported by @stake and has been
    reproduced by Nokia in collaboration with @stake. Nokia and
    @stake are jointly working to eliminate the problem.

    This vulnerability is corrected in IPSO version 3.4 and all
    subsequent versions. Thus, GGSN release 2 is not vulnerable,
    GGSN release 1 is. Nokia advices all the customers still
    running GGSN release level 1 to upgrade on GGSN release level
  
    2.

    As an interim measure operators can perform the following
    preventative configuration changes to their networks. Ensure
    that all IP packets  with non standard IP options are dropped
    by boarder firewalls on the  Gi interface. Within the Gn
    network ensure that the GTP aware firewall (if present) also
    drops all encapsulated IP packets with non standard  IP
    options. This may introduce latency however it will mitigate
    against the attack until the patch has been fully deployed
    and tested.

    Due to the severity of this vulnerability @stake has
    confirmed that they will not be releasing this information
    publicly on their research page
    (http://www.atstake.com/research/)
    until Nokia has confirmed that all affected operators have
    fully patched and tested all affected elements. However
    @stake would ideally like to  release this information no
    later than 1st June 2003.

    Neither @stake nor Nokia are aware of this attack being used
    in the wild as it was discovered by @stake within a lab
    environment and subsequently tested on a number of operators
    for whom they have worked for.
    ---[End Nokia Notice]---

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2003-0368 Nokia GGSN Kernel Panic

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to [email protected].

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPuTExEe9kNIfAm4yEQJHsgCgpE0HSqZM7bkWgmjD+SKlPq6sEysAnAm2
PM135OxtAU1caCKLTLpGbTqD
=9l1f
-----END PGP SIGNATURE-----