David Hellaby 17 July 2001
SECURITY experts have discovered vulnerabilities in key dial-in servers that could give hackers access to major government and corporate networks and internet service providers.
More than 20 per cent of ISPs may be affected, according to a worldwide alert. The vulnerabilities may allow attackers to take control of networks or launch denial of service attacks against critical network components. Virtual private networks could be compromised, and hackers could open almost undetectable back doors into systems and take control of protected infrastructure or data on a network, according to the Australian experts who discovered the problems.

RADIUS (Remote Authentication Dial-In User Service) servers made by the US-based companies Lucent and Merit are affected. They are widely used by ISPs, government offices and businesses that allow remote dial-in.

The problems were detected by members of Internet Security Systems (ISS) X-Force anti-hacker teams working in Sydney and Atlanta. The alert says RADIUS was designed to manage user authentication into dial-up terminal servers and similar devices, but has since become a standard for access control and user authentication on numerous internet infrastructure devices, including routers, switches and 802.11 wireless access points. RADIUS is typically deployed as the access control mechanism for critical network components, and as a supplement to the weak security measures in the 802.11b specification.

ISS says the vulnerabilities affect Merit RADIUS 3.6b and Lucent RADIUS 2.1-2, and perhaps other systems based on the Lucent code. Lucent RADIUS, considered the de facto industry standard, is no longer maintained by Lucent; its maintenance has been taken over by Simon Horman ("Horms") of VA Linux Systems. Merit has issued a patch for its RADIUS and one is being developed for Lucent RADIUS.

ISS Australia general manager Kim Duffy said it was likely that more than 20 per cent of ISPs were affected. "Many organisations use RADIUS as part of their network," he said. "Because so many people are logging in through the internet or VPNs (virtual private networks), RADIUS servers are very, very common."
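The article does not say what the defect in the Merit and Lucent servers was, only that a crafted request lets an attacker run code on a server that every router, switch and access point trusts for authentication. The block below is an added example, not code from the article, ISS, Merit or Lucent: a bounds-checked walk over the attributes of a RADIUS packet as laid out in RFC 2865, the kind of length validation a server must perform before copying attribute values such as User-Name into fixed buffers. The function names, the 64-byte name buffer and the three sample packets are constructed for this example.

```c
/* Added example (not from the article, ISS, Merit or Lucent): a bounds-checked
 * walk over the attributes of a RADIUS packet.  Layout per RFC 2865: a 20-byte
 * header (Code, Identifier, 16-bit Length, 16-byte Authenticator) followed by
 * Type/Length/Value attributes whose Length byte counts its own two bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RADIUS_HDR_LEN 20     /* RFC 2865: header size and minimum packet Length */
#define RADIUS_MAX_LEN 4096   /* RFC 2865: maximum packet Length */

enum radius_parse_result {
    RADIUS_OK = 0,
    RADIUS_ERR_SHORT,   /* buffer shorter than the header or than its Length field */
    RADIUS_ERR_LENGTH,  /* header Length outside [20, 4096] */
    RADIUS_ERR_ATTR     /* an attribute Length is below 2 or runs past the packet */
};

/* Validate every attribute in pkt[0..len) and count them.  Each check is one a
 * server must make before trusting a Length byte that came off the wire. */
int radius_walk_attrs(const uint8_t *pkt, size_t len, size_t *count)
{
    *count = 0;
    if (len < RADIUS_HDR_LEN) return RADIUS_ERR_SHORT;
    size_t plen = ((size_t)pkt[2] << 8) | pkt[3];            /* big-endian Length */
    if (plen < RADIUS_HDR_LEN || plen > RADIUS_MAX_LEN) return RADIUS_ERR_LENGTH;
    if (plen > len) return RADIUS_ERR_SHORT;                  /* claims more than received */
    /* Octets beyond Length are padding and are ignored, as RFC 2865 requires. */
    size_t off = RADIUS_HDR_LEN;
    while (off < plen) {
        if (plen - off < 2) return RADIUS_ERR_ATTR;           /* no room for Type + Length */
        uint8_t alen = pkt[off + 1];
        if (alen < 2) return RADIUS_ERR_ATTR;                 /* Length 0 or 1: endless loop / underflow */
        if (alen > plen - off) return RADIUS_ERR_ATTR;        /* value would overrun the packet */
        (*count)++;
        off += alen;
    }
    return RADIUS_OK;
}

/* Attribute count on success, negated error code on failure. */
int radius_attr_count(const uint8_t *pkt, size_t len)
{
    size_t n;
    int rc = radius_walk_attrs(pkt, len, &n);
    return rc == RADIUS_OK ? (int)n : -rc;
}

/* Copy the value of the first attribute of `type` into out[0..cap).  Returns the
 * value length, -1 if absent, -2 if it would not fit, -3 if the packet is malformed.
 * The fit check is exactly what a memcpy() of the wire length into a fixed buffer lacks. */
int radius_get_attr(const uint8_t *pkt, size_t len, uint8_t type, uint8_t *out, size_t cap)
{
    size_t n;
    if (radius_walk_attrs(pkt, len, &n) != RADIUS_OK) return -3;
    size_t plen = ((size_t)pkt[2] << 8) | pkt[3];
    for (size_t off = RADIUS_HDR_LEN; off < plen; off += pkt[off + 1]) {
        if (pkt[off] != type) continue;
        size_t vlen = (size_t)pkt[off + 1] - 2;
        if (vlen > cap) return -2;
        if (vlen) memcpy(out, pkt + off + 2, vlen);
        return (int)vlen;
    }
    return -1;
}

/* Length of User-Name (type 1) after copying it into a fixed 64-byte buffer, or a negative code. */
int radius_user_name_len(const uint8_t *pkt, size_t len)
{
    uint8_t name[64];
    return radius_get_attr(pkt, len, 1, name, sizeof name);
}

/* Constructed sample packets (not captured traffic): a well-formed Access-Request
 * and two copies with a crafted attribute Length byte. */
const uint8_t good_pkt[33] = {
    0x01, 0x00, 0x00, 0x21,                          /* Code 1 (Access-Request), Id 0, Length 33 */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,              /* Request Authenticator (zeros here) */
    0x01, 0x07, 'a', 'l', 'i', 'c', 'e',             /* User-Name = "alice" */
    0x04, 0x06, 10, 0, 0, 1                          /* NAS-IP-Address = 10.0.0.1 */
};
const uint8_t overrun_pkt[27] = {
    0x01, 0x01, 0x00, 0x1B,                          /* Length 27 */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x01, 0xFF, 'a', 'l', 'i', 'c', 'e'              /* User-Name claims 255 bytes */
};
const uint8_t zero_len_pkt[27] = {
    0x01, 0x02, 0x00, 0x1B,
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x01, 0x00, 'a', 'l', 'i', 'c', 'e'              /* attribute Length 0 */
};

int main(void)
{
    printf("good: %d attrs, User-Name length %d\n",
           radius_attr_count(good_pkt, sizeof good_pkt),
           radius_user_name_len(good_pkt, sizeof good_pkt));
    printf("overrun: %d, zero-length: %d, truncated: %d\n",
           radius_attr_count(overrun_pkt, sizeof overrun_pkt),
           radius_attr_count(zero_len_pkt, sizeof zero_len_pkt),
           radius_attr_count(good_pkt, 27));
    return 0;
}
```

The three rejected packets are the shapes a server sees from an attacker rather than from a dial-in box: a Length byte larger than the remaining packet, a Length of zero that makes a naive loop spin in place, and a header Length that promises more bytes than arrived. A parser that only reads the Length byte and copies that many bytes into a fixed buffer passes all three and corrupts its own stack or heap.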
ISS principal consultant for Australasia, Grant Slender, said a hacker could take control of the RADIUS server, gain control of the network and impersonate anybody's user account. "They could access anything you are protecting. Any infrastructure device, such as a router or communication device, or any document you have on the system, is going to be vulnerable," he said.

"We found the vulnerability before there have been any reported cases. But we would not know if there have been cases, and there is every possibility the victim would not know. That is the disturbing thing about this." If systems were being breached, there was a strong possibility the system's owner did not know the breaches were occurring, he said.

"The typical process is to use the vulnerability to get access and run arbitrary code that opens a back door into the RADIUS, then get out and cover your tracks," he said. "The owner may not be aware there is a back door." The problem could be complex and costly to detect, and could require rebuilding hundreds of servers from scratch, he said.

Patches are available from ftp://ftp.merit.edu/radius/releases/ or ftp://ftp.vergenet.net/pub/lucent_radius/.

This report appears on australianIT.com.au.