In the course of a current virtualization research project, I was reviewing a lot of documentation on hypervisor security. While “hypervisor security” is a very wide field, hypervisor breakouts are usually one of the most (intensely) discussed topics. I don’t want to go down the road of rating the risk of hypervisor breakouts and giving appropriate recommendations (even though we do this on a regular base which, surprisingly often, leads to almost religious debates. I know I say this way too often:I’ll cover this topic in a future post ), but share a few observations of analyzing well-known examples of vulnerabilities that led to guest-to-host-escape scenarios. The following table provides an overview of the vulnerabilities in question:
Recently Jozef Pivarník and Matěj Grégr published an excellent write-up on RA Guard & evasion techniques. Amongst others they tested the “undetermined-transport” ACL we described here and here. As it turns out the “workaround” for implementing undetermined-transport on platforms seemingly not supporting it, causes some bad collateral damage: the respective port does not forward any IPv6 packets any more (this was brought to my attention by Roberto Taccon). We had done some tests after applying it (by means of the “workaround”) but we had just looked at fragmented RA packets (which did not get through => test succeeded). So, frankly: the undetermined-transport trick does not make sense at all on the “unsupported platforms”…
Jim Small didn’t notice this either, in his great presentation at the North American IPv6 Summit (which, btw, to the best of our knowledge is the best overview of ACL approaches to counter common IPv6 attacks on the local link).
Furthermore it should be noted that Jozef and Matej describe some really interesting ways to evade current implementations, incl. an evasion variant merely based on extension headers (without fragmentation) that we hadn’t been aware of before. These will be included in these workshops.
Obviously much more research (and vendor scrutiny) is needed as for RA Guard…
have a great week everybody
Due to “popular demand” and given Marc couldn’t join us at the IPv6 Security Summit (as flights into FRA were canceled that day due to snow) we decided to invite him and Antonios Atlasis another time, to present their knowledge, skills & voodoo in two workshops held in Heidelberg, in late June. More details can be found here.
See you all potentially at the Heise IPv6 Kongress, take care
on the [ipv6-ops] mailing list currently there’s some discussion about RA guard support on switches from different vendors.
Stefan, one of our students (btw: working on a topic similar to this session), quickly put together a preliminary list, based on publicly available information (read: the WWW ). Some of you may find this useful; it can be found here. Furthermore on the list this link was mentioned which seems to provide some info as well (albeit potentially not very up-to-date).
If anyone of you has better/more information pls feel free to share by leaving a comment. The IPv6 security comment will thank you for that
just to let you know that all presentations from this year’s TelcoSecDay are published in the interim. (Harald [Welte] couldn’t participate as in the morning of that day FRA airport was closed on short notice).
Next year’s TSD will happen on 03/18/2014.
After being on the market for a few months now, Microsoft started quite a large advertising campaign in Germany for its new Surface RT . We had a comprehensive look at the new tablet PC and here are a few thoughts and impressions:
Running a slightly reduced ARM version of Windows 8, I heard somebody calling it “Windows 8 Home”, which in comparison to older versions hits the spot, Microsoft offers an easily usable interface. Software is reduced to market apps (the minimal run level on a plain Windows is 0, any, and 8, Microsoft, on Windows RT), so you can’t just install your favourite app, or can you?
Just a quick update here: Ivan (who gave the magnificent Virtual Firewalls talk at Troopers recently) blogged about this and some guy added some feedback from an environment with Cisco FEX and “one of the server guys start[ing] a Citrix Netscaler” . See the second comment to his post.
This shows, once more, that the dependencies of various technologies (and what they are used for) must be well understood in cloud/virtualized environments. Complexity … but who do we tell. Y’ all know that, right?
This is a short summary of some selected talks from the second day of this year’s Hack in the Box conference in Amsterdam.
Rethinking the Front Lines by Bob Lord
Bob Lord is currently the Director of Information Security at Twitter. He has worked at numerous companies in the area of security and software engineering.
In his keynote for the second day of HITB13AMS he tackled a topic that has raised a lot of discussions in the past months. His talk was a summary of what twitter does internally to ensure the security of the company and a plea to implement so called security awareness trainings for employees in a sustainable way. (more…)
This is a short summary of some selected talks from the first day of this year’s Hack in the Box conference in Amsterdam.
Abusing Twitter’s API and OAuth Implementation by Nicolas Seriot
Nicolas Seriot (https://twitter.com/nst021) is an iOS Cocoa developer with an interest in privacy and security. He is currently a mobile applications developer and project manager in Switzerland. Nicolas focused his talk on the extraction of consumer tokens that are needed for OAuth to authenticate a consumer to a service provider. These tokens can then be used by rogue applications to gain access to a victims twitter account. (more…)
2 Comments | Posted by Enno Rey
I just had an interesting discussion with Jim Small (who gives the “IPv6 Attacks and Countermeasures” talk at the North American IPv6 Summit next week) about the feasibility of the “undetermined-transport” keyword in PACLs on Cisco 3560 switches (here running IOS 15.0(2)SE). Actually there’s some kind-of funny behavior as for it on that platform (and there’s even some Cisco documentation stating it’s not supported). Let’s have a look, and start with a quick refresher.
Rogue router advertisements pose a significant security and network stability risk in IPv6 networks. That’s why there’s a security feature implemented on certain switches which is called “RA Guard” (see also here). Unfortunately (at least Cisco’s current implementation of) RA Guard can easily be circumvented, e.g. by using the following command from the THC IPV6 attack toolkit:
fake_router26 -E D eth0