can you still trust your NIC?

[Eugen Leitl]

http://www.ssi.gouv.fr/site_article185.html

Can you still trust your network card ?
 
24 March 2010

During the CanSecWest international conference in Vancouver, members of ANSSI
(French Network and Information Security Agency) described how an attacker
could remotely take full control of a particular network card model.

This page gives a summary of the materials that have been presented and aims
at answering questions corresponding to this presentation.

1. Summary

The presentation was entitled bCan you still trust your network card?b. The
talk explained how an attacker could be able to exploit a flaw to run
arbitrary code inside some network controllers (NICs). The attack uses
routable packets delivered to the victimbs NIC. Consequently, multiple
attacks can be conducted including: Man in The Middle attacks on network
connections, access to cryptographic keys on the host platform, or malware
injection on the victimbs computer host platform (see B' 2).

The presentation included a description of the flaw as well as a demo of the
exploitation possibilities. The tools used for the demo, as well as the proof
of concept code were not released during the conference, and will never be.

The slides used for the presentation are available here.

2. An unauthenticated remote attack on a network card! Is it as dangerous as
it seems to be?

An unauthenticated remote attack on a network card is almost the most
efficient attack one can imagine. A remote attacker located anywhere on the
network can take full control of the victimbs network in order to: intercept
all packets sent to and from the victimbs machine and forwards them to an
attacker on the network; perform man in the middle on all unauthenticated
network connexion (such as ARP or DNS) to redirect traffic to target
machines; remotely shutdown, reset or wake up the machine.

Moreover, if no IOMMU is used (see below), the attacker can gain access to
the victimbs computer memory and take full control of the machine.

However, the attack presented only applies to a specific network card model
(Broadcom NetXtreme) whenever a remote administration functionality (called
ASF for Alert Standard Format 2.0) is turned on (it is off by default) and
configured. According to vendors, this functionality is far from being widely
used. As a consequence, this vulnerability is really likely to have a very
limited impact in practice. The vendors issued a patch for this vulnerability
(see B' 5).

3. Is there a proof of concept?

Yes. A proof of concept attack has been demoed during the CanSecWest
conference. It showed how an attacker can remotely shutdown or wake up his
victimbs machine, and fully compromise a COTS operating system machine (Linux
for the demo, but all operating systems are vulnerable).

Please note however that the tools used for the demo, the proof of concept
code and network packets were not provided during the conference and will not
be released.

4. How can I find out if my machine is vulnerable?

Any computer using Broadcom NetXtreme chips with ASF activated and configured
is vulnerable. Users of such computers should apply the official patches (see
B' 6). Other vendor cards and other cards models are not impacted by this
vulnerability. Machines using Broadcom NetXtreme chips when ASF has never
been configured (Requires to launch the Broadcom ASF configuration tool) are
not vulnerable but patching is highly recommended.

Readers are also advised to follow CERT advisories, e.g CERTA-2010-AVI-121

5. How can I protect my computers from such an attack?

If your computer is vulnerable to this attack you can either (in order of
preference):

apply the vendor patch (see B' 6) ; deactivate ASF. This should be done using
the Broadcom ASF Configuration tool and not by turning off ASF in the BIOS of
the machine; configure all your network packet-filters to filter UDP ports
used by ASF (623 and 664).  Please note that some operating systems actually
deactivate ASF at boot time. Some operating systems or hypervisors might also
take advantage of hardware technologies such as Intel Vt-d and AMD I/OMMUs
that would limit the impact of the attack.

6. Where can I find the patch correcting the flaw?

Patches are provided by OEMs in firmware updates for the NICs.

Vendor patches: HP: http://h20000.www2.hp.com/bizsuppor...

7. What is the purpose of publishing this in an international conference?

Our goal is to raise awareness on the security problems related to hardware
vulnerabilities. We believe that this kind of publication should lead to an
improvement of the quality of low level embedded firmware. So far, no
research was performed on network card vulnerabilities.

8.Who might be able to carry a similar attack?

Carrying out an attack similar to the one we presented requires: to identify
a flaw in a NIC embedded firmware; to get sufficient knowledge of the
hardware; to develop tools to identify if and how the flaw will be
exploitable; to craft the correct attack packets and make the exploit stable
on a non standard architecture.

We do not expect to see many of these attacks around in the next few months
of years, but we proved that carrying out such attacks was possible in
practice.

9. Are there other risks related to hardware vulnerabilities?

Hardware components (CPUs, chipsets, graphic adapters, NICs; USB and PCI
devices) generally run embedded software (firmware). Flaws in low level
firmwares could be exploited by attackers for brootkitb concealment or
privilege escalation purposes.

10. What is the French government doing to improve the things as they are
now?

ANSSI has been repeatedly raising awareness in scientific and technical
conferences about the attack vectors related to hardware components. ANSSI
have been talking to hardware vendors to explain why they should care about
security of their hardware and embedded firmware design.

About ANSSI

The ANSSI was established by a decree issued in the Journal Officiel de la
RC)publique FranC'aise of July 8th, 2009. The creation of the French Network
and Information Security Agency is a milestone in the process of improving
Francebs capability to protect its sensitive information systems.

The core missions of the new agency are: To detect and early react to cyber
attacks, thanks to the creation of a strong operational center for cyber
defence, working round-the-clock and being in charge of the continuous
surveillance of sensitive Governmental networks, as well as the
implementation of appropriate defence mechanisms; To prevent threats by
supporting the development of trusted products and services for Governmental
entities and economic actors; To provide reliable advice and support to
Governmental entities and operators of Critical Infrastructure; To keep
companies and the general public informed about information security threats
and the related means of protection through an active communication policy.

ANSSIbs work on trusted computing and low level security

ANSSIbs scientific publication are collected here.