White hat finds vulnerability in white box switches

You put the badware in the firmware and you shake it all about

Black Hat 2015 The Open Networking Install Environment (ONIE) provides a gateway for black hats to compromise software-defined network (SDN) environments, says a white hat presenter at this week's BlackHat USA 2015.

The problem, according to Hellfire Security's Gregory Pickett, is that it's too easy for an attacker with root access to the switch to become Your Evil SDN Overlord™.

In the synopsis of his address to BlackHat, Pickett says:

The Open Network Install Environment, or ONIE, makes commodity or WhiteBox Ethernet possible. By placing a common, Linux-based, install environment onto the firmware of the switch, customers can deploy the Network Operating Systems of their choice onto the switch and do so whenever they like without replacing the hardware. The problem is, if this gets compromised, it also makes it possible for hackers to install malware onto the switch. Malware that can manipulate it and your network, and keep doing it long after a Network Operating System reinstall.

ONIE is a bootloader for white box switches. Since it's explicitly designed to let SDN admins install the network operating system of their choice on the target, it's probably unsurprising that the same sysadmin could install badware if they chose, but Pickett reckons the problem goes beyond that.

“With no secure boot, no encryption, no authentication, predictable HTTP/TFTP waterfalls, and exposed post-installation partition, ONIE is very susceptible to compromise. And with Network Operating Systems such as Switch Light, Cumulus Linux, and Mellanox-OS via their agents Indigo and eSwitchd not exactly putting up a fight with problems like no authentication, no encryption, poor encryption, and insufficient isolation, this is a real possibility”, his BlackHat synopsis states.

Of course, if the compromise is in the firmware, re-installing the network operating system over the top of it won't remove the malware.

Cumulus Networks has posted a response to the contact it received from Pickett, pointing out that installing a compromised operating system on top of bare metal isn't a problem confined to the switch market.

While applying this kind of exploit to networking devices is new, the company writes, “This same exploitability has been known about in servers, laptops and PCs for years”, with responses like Trusted Platform Modules, and an firmware attack such as Pickett described would also apply to proprietary hardware – if someone worked out the secrets of (say) a Cisco switch.

ONIE is, the Cumulus post points out, a far easier target to test such hacks on since it's an open platform.

Separately, Cumulus has also patched a sudo vulnerability that Pickett brought to its attention.

Big Switch Networks told LightReading exploitability is low because an attacker would need physical access to switches that operators usually keep locked away.

However, it's likely that the SDN world is going to look hard at this. ®

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2021