[Cryptography] practical verifiable systems -- forensic and otherwise, cheap and otherwise

Jerry Leichter leichter at lrw.com
Thu Mar 5 09:35:16 EST 2015 

On Mar 5, 2015, at 7:16 AM, Steve Weis <steveweis at gmail.com> wrote:
> Invisible Things Labs presented some exploits against vPro at Blackhat in 2009, so exploiting these LOM systems has been in the grasp of a couple independent researchers for years:
> https://www.blackhat.com/presentations/bh-usa-09/TERESHKIN/BHUSA09-Tereshkin-Ring3Rootkit-SLIDES.pdf
> 
> My experience with LOM systems in practice is that they are garbage and barely do their intended job, much less do it securely.
I've spent way too many years working on system and network management software that had to interface to the remote interfaces of all kinds of vendor equipment.  It's uniformly dreadful from the point of view of security.

Recent example:  NetApp sells high-end disk arrays.  The management system for them is based on SOAP over HTTPS.  (I think you can configure it to use HTTP, but let's not go there.)  Older versions of the software - way too recent for there to be any excuse for this - supported only SSLv3.  More recent versions support both SSLv3 and TLS1.0 - but TLS support is off by default.  I don't know if any versions of the software support the latest TLS versions.

There appear to be many NetApp devices out there running either old software, or software in the default configuration - so managing them requires SSLv3.  We've had to explicitly re-enable support for (outgoing) SSLv3 in our software (Java - SSLv3 support is off by default starting with Java 7) just to talk to these things.  I hate putting stuff out there that supports a protocol that's been considered vulnerable and deprecated for, what, a decade - but I have no choice.

The reason vendors get away with this is that most customers - the groups that manage the data centers - seem to (implicitly) take that attitude that "This stuff is all on internal networks, we don't need to worry about security.  Besides, we manage the systems, we don't look at the actual data - that's Someone Else's Problem".  The basic attitudes haven't changed in 20 years.  (The managed systems and the protocols have gotten immensely more complex over that time.  Also, the great trend has been to make everything configurable in software.  At one time, you could monitor remotely, but significant changes required either using the command line - often over a hard-wired port - or actual physical access.  All that's gone now; it's "nothing but net".  And of course *everything* is accessed through a window in some browser - so now the damn browser is part of your core management function.  None of these trends, needless to say, have helped matters.)

Side note:  You might think, hey, maybe there's a market here for a browser designed for industrial, not consumer, applications.  Support just the bare minimum needed; throw out all the cruft needed for consumer movie sites and such.  Unfortunately, there's no hope in that direction:  While the Intel examples in that presentation show pretty basic Web pages, the management pages presented by many other devices are full of the latest fancy gimmicks.  Hey, it's the Web, it's supposed to look flashy!  Not to mention that convincing the guy who wants to use these interfaces to run two browsers - you *know* he's watching cats on Youtube during slower moments - is a non-starter.

                                                        -- Jerry

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150305/58ea3cef/attachment.html>

More information about the cryptography mailing list