mailing list archives
RE: NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia A ppliances
From: "Rouland, Chris (ISSAtlanta)" <CRouland () iss net>
Date: Thu, 21 Mar 2002 10:18:45 -0500
This is a known flaw in RealSecure Network Sensor 6.0 build 6.0.2001.141 for
Nokia IPSO. It was corrected early this year in build 6.0.2001.141d for
IPSO. This flaw is not remotely exploitable. Root privileges are required
to obtain public keys from the sensor to allow an initial console
connection. NMRC has not been able to confirm that they are able to exploit
ISS notified users of the 6.0 IPSO sensor in February, and this issue has
been documented in our public knowledgebase since February 6, 2002.
February 6, 2002
Improper Default Entry in iss.access file for RealSecure for Nokia 6.0
HOW BIG IS THE RISK?
An administrator could grant escalated privileges to a console, allowing key
administrator rights without specifically granting that right
An attacker would need root access to the appliance, or would need
assistance from an established key administrator to exploit this
This only affects RealSecure for Nokia
This is a low risk vulnerability
WHAT IS THE VULNERABILITY?
There is a pre-defined Key Administrator included in the iss.access file,
starscream_skank, installed by default in RealSecure for Nokia 6.0. An
attacker would need a RealSecure 6.0 Console, setup using the machine name
of starscream and the user name of skank, to generate the correct public
encryption keys. The attacker would then need root access to the Nokia
Sensor, in order to transfer the public keys from the Console to the
Sensor's /Keys directory, to allow the initial Console connection. The
attacker could then copy files to the Sensor's /Keys directory, using the
RealSecure Console. Since this vulnerability can only be used in conjunction
with root access to the Sensor, it's threat level is assessed by Internet
Security Systems as very low.
WHAT SYSTEMS ARE AT RISK?
Only Nokia IPSO systems, running RealSecure for Nokia 6.0, build
No other RealSecure Sensors are affected
The work-around is to remove the Key Administrator designation,
starscream_skank, from the list of Key Administrators for RealSecure for
Nokia 6.0 Sensors which were installed using build 6.0.2001.141
This build has been replaced with build 6.0.2001.141d, available for
For additional information concerning this vulnerability, contact ISS
Technical Support at, support () iss net or 888-447-4861
ISS received no notice of a security advisory from NMRC. In responsible
vulnerability disclosure, the vendor works with the researcher to confirm
fix availability (since Feb 02 in this case), edit the advisory for
technical content and typographic errors, and to confirm exploitation of the
flaw (unconfirmed). The only correspondence from NMRC follows (thread is,
NMRC is looking for keys to 2 very old versions of RealSecure to find holes
in it, and we are attempting to assist). Our current shipping version of
RealSecure is 6.5, so the legitimate value of researching RealSecure 3.0 and
5.0 for flaws is questionable as well.
From: Ring Zero [mailto:ringzero () www nmrc org]
Sent: Wednesday, March 20, 2002 12:18 PM
To: Lamb, Kris (ISS Atlanta)
Cc: 'Phuzzy L0gik'; 'Simple Nomad'
Subject: RE: Anomaly in RealSecure
Sorry it's been so long. I found some free time to resume testing on your
Real Secure product. I ran some tests on version 6 but with no luck.
We need version 5.0. We found a copy of version 3.0, could you send me a
key? Or perhaps somehow give me a copy of version 5.0? I've been looking
for weeks now and I can't find it anywhere!
One other thing, why is [KeyManager\starscream_skank\;] installed by default
on the NIDS installation for Nokia?
Director / X-Force
Internet Security Systems, Inc.
crouland () iss net
- RE: NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia A ppliances Rouland, Chris (ISSAtlanta) (Mar 21)