Separate security vulnerabilities could allow attackers to take control of networks running either white box or Cisco switches.
A security researcher is warning about a serious vulnerability in white box SDN switches running the ONIE install utility. Separately, Cisco Systems Inc. (Nasdaq: CSCO) has issued a warning and fix for an equally urgent problem for users of older versions of its own SDN software.
Gregory Pickett, head of cyber-security operations for Hellfire Security's Managed Security Services, is doing demonstrations this week of a serious vulnerability involving the Open Network Install Environment (ONIE). ONIE is open source software, contributed by Cumulus Networks , that runs in firmware on a white box switch and allows users to deploy and change network operating systems without replacing hardware.
"The problem is, if this gets compromised, it also makes it possible for hackers to install malware onto the switch," says Pickett in an abstract for a presentation he plans to deliver at the Black Hat security conference Thursday, and again at Def Con on Saturday.
And the malware can remain persistent even after a network operating system re-install, Pickett says.
The security researcher says he has exploited the vulnerability in the Big Switch Networks Switch Light, Cumulus Linux and Mellanox Technologies Ltd. (Nasdaq: MLNX) Mellanox-OS operating systems. Those operating systems are "not exactly putting up a fight with problems like no authentication, no encryption, poor encryption and insufficient isolation," he says. Pickett says the vulnerability is probably also present in Pica8 Inc. switches, although he hasn't tested to be sure.
Pickett plans to demonstrate the exploit, distribute its source code and also demonstrate fixes for the problems.
"ONIE has a simple job -- to make the switch plug and play," Pickett says. "It's got one job, and nothing else. There's very little security on it."
He adds, "If the network operating system is not doing a very good job of protecting the switch, you have a big wide open door. You don't want to have a brittle platform operating the company."
The key to attackers taking advantage of the flaw is "getting a foothold on an end-user workstation," Pickett says. This can be done by infecting a Windows computer on the network, and then using that computer to infect Linux, as was done with the Stuxnet computer worm.
Cumulus Networks says it's been in touch with Pickett, and they are working to mitigate the problem. A company spokesman said the company will have further information later in the week.
But Big Switch CTO Rob Sherwood dismissed the problem as a non-issue.
The kind of network booting used by ONIE is standard for devices on networks, Sherwood says. Most network operators keep their Big Switch networks isolated from the Internet, which means an attacker would need physical access to the network to take it over.
"Most people have reasonable confidence in the physical security of their network," Sherwood says. "If you have James Bond trying to break into your network, this is one of the ways they can do it."
Security is always a matter of risk vs. benefits, and in most cases, the benefits of network booting outweigh the risks of physical intrusion. That said, some network operators -- such as the US government -- need extra protection, and in those cases, Big Switch is working to support Trusted Platform Module (TPM) hardware for secure booting, Sherwood adds.
Light Reading has queries in to Mellanox and Pica8 as well.
Meanwhile, a recently issued Cisco security advisory warns of a vulnerability in the cluster management configuration of the Cisco Application Policy Infrastructure Controller (APIC) and Nexus 9000 Series ACI Mode Switch that could allow an authenticated remote attacker to access the APIC as root user. Cisco has issued a free software upgrade that addresses the vulnerability.
Cisco had 580 APIC customers as of its last earnings statement, but only customers running software versions prior to 1.1(1j), 1.0(3o) and 1.0(4o) would be affected by this bug.
"The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability described in the Cisco advisory," Cisco said in an emailed statement. "The vulnerability was reported to Cisco during an internal security evaluation, and we took immediate steps ... We discovered the vulnerability, fixed it, and disclosed it so that our customers are protected."
- Huawei Launches Big Data Security Solution
- A New Security Paradigm in SDN/NFV
- Leading Lights Finalists 2015: Most Innovative Security Strategy
- AT&T's Ed Amoroso on Mobile Security