Slashdot Mirror


Remote Malware Injection Via Flaw In Network Card

kfz-versicherung writes "During the CanSecWest international conference in Vancouver, members of ANSSI described how an attacker could be able to exploit a flaw to run arbitrary code inside some network controllers (full presentation; PDF). The attack uses routable packets delivered to the victim's NIC. Consequently, multiple attacks can be conducted including man-in-the-middle attacks on network connections, access to cryptographic keys on the host platform, or malware injection on the victim's computer host platform."

10 of 49 comments

  1. For a little peace of mind by trifish · · Score: 5, Informative

    If you dig into TFA, you'll find this:

    "However, the attack presented only applies to a specific network card model (Broadcom NetXtreme) whenever a remote administration functionality (called ASF for Alert Standard Format 2.0) is turned on (it is off by default) and configured. According to vendors, this functionality is far from being widely used. As a consequence, this vulnerability is really likely to have a very limited impact in practice."

    1. Re:For a little peace of mind by MichaelSmith · · Score: 3, Interesting

      Okay but will the UDP packets which cause the problem be well formed enough to be routed into your network from outside? In most cases if you have access to the local network all systems are vulnerable anyway.

    2. Re:For a little peace of mind by WrongSizeGlass · · Score: 3, Funny

      3. Is there a proof of concept?

      Yes. A proof of concept attack has been demoed during the CanSecWest conference. It showed how an attacker can remotely shut down or wake up his victim’s machine, and fully compromise a COTS operating system machine (Linux for the demo, but all operating systems are vulnerable).

      Hey, at least it's Linux compatible!

    3. Re:For a little peace of mind by jd2112 · · Score: 5, Informative

      However, the attack presented only applies to a specific network card model (Broadcom NetXtreme)

      Which happens to be the most popular network interface chipset used by Dell, HP, and many other manufacturers...

      --
      Any insufficiently advanced magic is indistinguishable from technology.

  2. Not a big surprise by faloi · · Score: 4, Insightful

    A lot of IPMI and ASF code is an open door into at least some portion of the overall system. As NICs become more and more "intelligent," there's going to be more opportunities to exploit the NIC architecture and any subtle flaws because of the communication path into the system itself. Couple that with a rush to get stuff out the door faster and cheaper...and more of these issues will crop up.

    --
    "It is a miracle that curiosity survives formal education." -Albert Einstein

  3. This points out a simple problem by erroneus · · Score: 5, Insightful

    As devices become more and more complex, device functions that were once embedded within a chip are now being implemented by embedded computer systems which are tiny processors, ROM and RAM. And these devices interface with our computers through Direct Memory Access in some form or another and they get access to our computer's memory. If you think it is getting harder to find a virus in a running Windows installation, try finding one in your network cards or other devices.

    While the "article" (it's a frikken PDF) says that this has been tested by invading a network card through a normally disabled management interface, what about other means of infection?

    What I am saying is this: Once malware gets into the computer, all other devices are increasingly at risk of being a target for being compromised to enable secondary infections even after the hard drive is wiped out... even after the hard drive is replaced. Get some malware stuck inside your system board's controllers and you are either trying to figure out how to reflash every chip on that board, or you're buying a new board.

  4. ASF hero by juventasone · · Score: 4, Informative

    Since none of our clients use ASF, I have manually disabled it on every build I've done. Contrary to the article, many have it enabled by default. Why did I bother? I am a minimalist. I figured having an unused feature enabled could only potentially introduce problems.

  5. only unpatched Broadcom NetXtreme w/ circumstances by electrogeist · · Score: 3, Informative

    The summary left that out.

    4. How can I find out if my machine is vulnerable?

    Any computer using Broadcom NetXtreme chips with ASF activated and configured is vulnerable. Users of such computers should apply the official patches (see 6). Other vendor cards and other card models are not impacted by this vulnerability. Machines using Broadcom NetXtreme chips when ASF has never been configured (requires launching the Broadcom ASF configuration tool) are not vulnerable, but patching is highly recommended.

    5. How can I protect my computers from such an attack?

    If your computer is vulnerable to this attack you can either (in order of preference):

    1. apply the vendor patch (see 6);
    2. deactivate ASF. This should be done using the Broadcom ASF Configuration tool and not by turning off ASF in the BIOS of the machine;
    3. configure all your network packet-filters to filter UDP ports used by ASF (623 and 664).

    Please note that some operating systems actually deactivate ASF at boot time. Some operating systems or hypervisors might also take advantage of hardware technologies such as Intel VT-d and AMD IOMMUs that would limit the impact of the attack.
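As an added example (not from the ANSSI presentation or from anyone in this thread), a small Python check on the defender's side of mitigation step 3 above: it flags flow records carrying UDP traffic to the ASF ports 623 and 664 from anywhere other than a management subnet, and emits the matching host-firewall rules. The flow-log format, the subnets and the sample records are constructed for the example.

```python
import ipaddress

# UDP 623 (RMCP) and 664 (secure RMCP): the ports step 3 above says to filter.
ASF_PORTS = {623, 664}

# Constructed address plan: one management subnet allowed to speak ASF,
# and the internal ranges that count as "inside" for the reason text.
MGMT_NET = ipaddress.ip_network("10.0.99.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_flow(line):
    """Parse one 'key=value ...' flow record (constructed log format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields

def flag_asf_flows(lines):
    """Return (src, dst, dport, reason) for each UDP flow to an ASF port
    from anywhere but the management subnet; nothing else should send it."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"].lower() != "udp" or f["dport"] not in ASF_PORTS:
            continue
        src = ipaddress.ip_address(f["src"])
        if src in MGMT_NET:
            continue
        if any(src in net for net in INTERNAL_NETS):
            reason = "ASF/RMCP from an internal host outside the management subnet"
        else:
            reason = "ASF/RMCP from outside the internal address space"
        findings.append((f["src"], f["dst"], f["dport"], reason))
    return findings

def blocking_rules(iface="eth0"):
    """Host firewall rules for step 3: drop inbound ASF ports on iface."""
    return [f"iptables -A INPUT -i {iface} -p udp --dport {p} -j DROP"
            for p in sorted(ASF_PORTS)]

# Constructed sample flows: a legitimate management flow, one from a documentation
# range standing in for the Internet, one from an ordinary internal host, and SSH.
SAMPLE_FLOWS = """\
src=10.0.99.5 dst=10.0.1.20 proto=udp dport=623
src=198.51.100.7 dst=10.0.1.20 proto=udp dport=623
src=10.0.1.30 dst=10.0.1.20 proto=udp dport=664
src=10.0.1.30 dst=10.0.1.20 proto=tcp dport=22
""".splitlines()
```

Running `flag_asf_flows(SAMPLE_FLOWS)` reports the Internet-sourced and the ordinary-internal-host flows and ignores the management-subnet and SSH ones; `blocking_rules()` is what step 3 looks like on the host itself rather than on the perimeter filter.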

  6. Re:+++ATH0 by erroneus · · Score: 5, Informative

    Love that comment! Too bad it was done anonymously, you deserve credit for the genius of its simplicity and clarity. "device vulnerabilities" have been around a long time. I used to make people on IRC lose their connections by sending specially crafted PING packets which would contain "+++ATH0" resulting in an immediate disconnection. I had one poor schmuck who patched and recompiled his Linux kernel like 6 or 7 times as he thought I was hacking his "computer" rather than exploiting his modem. His logs showed an ICMP coming from me followed by an interruption of his network link. He could have done one of two things: disable ping responses or changed a setting in his modem. It was hilariously funny watching the guy struggle though. Finally, I told him what I was doing..."Denwaugh"? Are you out there? Muhahaha! That comment brings back some memories...

    The real point here is that devices are more than bits of hardware -- they are little computers themselves with their own vulnerabilities. Our trust of devices is a problem that is rarely considered.

  7. Re:Limited to Broadcom only? by nxtw · · Score: 3, Informative

    I wonder how secure Realtek's stuff is; their drivers/software leave me to think that their hardware code is ripe for discovery...

    Realtek hardware generally does not have the advanced hardware features found in the fancier Intel e1000(e) and Broadcom tg3.