Heads-up on security aspects of looking-glass deployments

Luca BRUNO lucab at debian.org
Tue Jul 1 09:39:08 UTC 2014

Hi all,
we recently performed a broad-scope security review of some commonly 
deployed open-source looking-glass software, and we discovered 
several bugs and misconfigurations which you may want to check if
they concern your infrastructure. 

Firstly, affected software and issues are as follows:
 * mrlg4php
   - CVE-2014-3927: Remote command injection to router's console via "argument" parameter
 * cougar-lg
   - CVE-2014-3926: XSS in <title> via "addr" parameter
   - CVE-2014-3928: Unsafe configuration file path/ACL
   - CVE-2014-3929: Unsafe SSH keypairs path in default config
 * cistron-lg
   - CVE-2014-3930: Unsafe configuration file path/ACL
 * mrlg
   - CVE-2014-3931: Remote memory corruption in fastping (SUID binary)

Some of these bugs (in particular 3927, 3928, 3929, 3930) may directly
or indirectly result in exposed IPs, usernames, passwords, 
SSH private keys and remote command injection to router's console. 
Depending on the specific infrastructure setup, this may translate 
into an attacker having live access to the routers' CLI.

During the study, we detected around 45 incidents somehow related 
to the above bugs, which we have already reported to concerned NOC 
contacts, whois contacts and national FSIRTs for further handling.
Advanced private disclosure to concerned entities was performed 
on 06/02.

For specific details, full advisories are available for each issue:
 * http://www.s3.eurecom.fr/cve/CVE-2014-3926.txt
 * http://www.s3.eurecom.fr/cve/CVE-2014-3927.txt
 * http://www.s3.eurecom.fr/cve/CVE-2014-3928.txt
 * http://www.s3.eurecom.fr/cve/CVE-2014-3929.txt
 * http://www.s3.eurecom.fr/cve/CVE-2014-3930.txt
 * http://www.s3.eurecom.fr/cve/CVE-2014-3931.txt

Apart from one case where the author is unreachable and one that 
has been marked as "wontfix", all the issues have been fixed by 
software authors. Incidents related to misconfigurations have been
handled on a case-by-case basis, and no disclosure-delaying cases
exist at this time (to the best of our knowledge).

If you have any specific questions on the topic, feel free to ask 
either here on NANOG or by reaching me in private.

 Luca & Mariano

  .''`.  |               ~<[ Luca BRUNO ~ (kaeso) ]>~
 : :'  : | Email: lucab (AT) debian.org ~ Debian Developer
 `. `'`  | GPG Key ID: 0x3BFB9FB3       ~ Free Software supporter
   `-    | HAM-radio callsign: IZ1WGT   ~ Networking sorcerer
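The two bug classes the post lists (untrusted parameters reaching the router console or the page title, and secrets placed in the web root or left world-readable) lend themselves to a short defensive check. The following is an added example written for this page; it is not code from the post, from mrlg4php, cougar-lg, cistron-lg or mrlg, and it does not reproduce any of the advisories. The query names, command templates, file paths and permission bits are constructed assumptions chosen to exercise the checks, not values taken from any real deployment.

```python
"""Defensive helpers for a looking-glass front-end (constructed example).

Part 1 builds the router command from an allowlisted query name and a
target that must parse as an IP address or prefix, so untrusted text is
never spliced into a router command, and escapes user input before it
is placed in <title>.  Part 2 audits where config files and SSH private
keys live and who can read them.
"""
import html
import ipaddress
import os.path
import stat

# Allowlist of queries and their command templates.  These templates are
# constructed placeholders, not commands from any real looking glass.
ALLOWED_QUERIES = {
    "ping": "ping {target}",
    "trace": "traceroute {target}",
    "bgp": "show ip bgp {target}",
}

# Queries that need a single host, not a prefix.
HOST_ONLY_QUERIES = {"ping", "trace"}


def parse_target(raw):
    """Return the canonical form of an IP address or CIDR prefix, or raise
    ValueError.  Anything that is not a valid address/prefix (separators,
    whitespace, shell or CLI metacharacters) is rejected outright."""
    raw = raw.strip()
    if len(raw) > 64:
        raise ValueError("target too long")
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        pass
    try:
        # strict=True: host bits set in a prefix is an error, not silently fixed
        return str(ipaddress.ip_network(raw, strict=True))
    except ValueError:
        raise ValueError("target is not an IP address or prefix") from None


def build_router_command(query, raw_target):
    """Map (query, target) to a router command using only allowlisted
    templates and a canonicalised target."""
    if query not in ALLOWED_QUERIES:
        raise ValueError("unknown query %r" % query)
    target = parse_target(raw_target)
    if query in HOST_ONLY_QUERIES and "/" in target:
        raise ValueError("%s requires a host address, not a prefix" % query)
    return ALLOWED_QUERIES[query].format(target=target)


def page_title(raw_addr):
    """Escape a user-supplied value before embedding it in <title>."""
    return "<title>Looking glass: %s</title>" % html.escape(raw_addr, quote=True)


def audit_secret_file(path, mode, webroot):
    """Return findings for a config file or SSH private key.

    `mode` is st_mode as returned by os.stat(); `webroot` is the web
    server's document root.  A secret inside the document root can be
    served to anyone; world-readable bits expose it to every local user."""
    findings = []
    rel = os.path.relpath(os.path.abspath(path), os.path.abspath(webroot))
    if not rel.startswith(os.pardir):
        findings.append("inside web document root %s" % webroot)
    if mode & stat.S_IRWXO:
        findings.append("accessible to other users (mode %04o)" % stat.S_IMODE(mode))
    return findings


# Constructed inventory: (path, st_mode, webroot).  Not from any real host.
SAMPLE_FILES = [
    ("/var/www/html/lg/lg.conf", 0o100644, "/var/www/html"),
    ("/var/www/html/lg/.ssh/id_rsa", 0o100600, "/var/www/html"),
    ("/etc/lg/lg.conf", 0o100640, "/var/www/html"),
    ("/var/lib/lg/.ssh/id_rsa", 0o100600, "/var/www/html"),
]


def audit_all(files=SAMPLE_FILES):
    """Run audit_secret_file over an inventory; return {path: findings}."""
    report = {}
    for path, mode, webroot in files:
        findings = audit_secret_file(path, mode, webroot)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    print(build_router_command("bgp", "192.0.2.0/24"))
    print(page_title("<script>"))
    for path, findings in audit_all().items():
        print(path, "->", "; ".join(findings))
```

On a live host you would feed `audit_all` with `os.stat(p).st_mode` for each path instead of the constructed modes; group-readable files are deliberately not flagged, since a config owned by the web server's group is a normal setup, while world-readable ones are.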
