Comments on: Holes in Embedded Devices: IP-based session management

By: Adrian Pastor

Adrian Pastor — Wed, 30 Jan 2008 10:28:52 +0000

@Antrix - yes, you’re right: the VPN-1 Edge vuln is old. That’s why I said “Early versions of Checkpoint VPN-1 Edge”.

I just mentioned VPN-1 Edge vuln as a real example. This post is NOT an advisory of a new vulenrability, but rather an explanation of IP address-based session management vulnerabilities.

Thanks for your feedback everyone!

By: Antrix

Antrix — Wed, 30 Jan 2008 08:12:08 +0000

Ohhhh, this is old …. They fixed it quite a while ago.

By: Adrian Pastor

Adrian Pastor — Tue, 29 Jan 2008 20:56:22 +0000

@C4 - you’re right. This type of attack could be launched against a basic router as well. Any embedded device could be affected by this vulnerability. Of course, provided that its administrative web interface solely trusts the admin’s source IP for authentication purposes.

I wrote this post with any type of embedded devices in mind. i.e.: cameras, printers, VoIP phones, firewalls, routers, switches, etc …

By: C4

C4 — Tue, 29 Jan 2008 14:57:34 +0000

This could be used on any basic router as well, as long as the you can do it before the admin session TTL times out?

By: Adrian Pastor

Adrian Pastor — Tue, 29 Jan 2008 14:29:57 +0000

OK, trusting source IP addresses for authentication purposes on embedded devices is pretty bad, but doing the same thing on credit card transaction environments is just insane!

By: ntp

ntp — Tue, 29 Jan 2008 12:12:47 +0000

http://ha.ckers.org/blog/20070.....s-and-you/

By: Holes in Embedded Devices: Binary state session management | GNUCITIZEN

Holes in Embedded Devices: Binary state session management | GNUCITIZEN — Tue, 29 Jan 2008 09:52:26 +0000

[...] is similar to IP address-based session management holes which has been discussed in my previous post. It is similar in the sense that the web browser of the admin user who is currently logged into the [...]