New software holes could expose networking equipment from Ascend Communications (ASND) to malicious attacks, including possible crashes and password interceptions, according to a network security firm.
A hacker could send a "denial-of-service" software exploit to Ascend Pipeline or MAX equipment and cause the remote access and routing hardware to fail, according to Secure Networks. A second vulnerability could expose such sensitive information as network passwords and remote dial-in numbers to hackers using a hole in Ascend's implementation of a management protocol known as SNMP, for Simple Network Management Protocol, the firm said.
A spokesman for Ascend said the security issues have been addressed and questioned the motives of Secure Networks (SNI), a firm that tests for holes in systems and sells auditing security software to help fix problems at the same time.
"What was not a widely known security issue is now a widely known problem that hackers can take advantage of," Eric Warren, of Ascend, noted. "It's not like SNI is a customer who is having a problem. It's in their best interests for the security flaw not to be resolved because they might sell more software."
"We respect the need to make people aware of security issues and we responded as fast as we could to their press release," Warren continued. "But if you have a commercial motive you can't be doing it for the good of the world."
The company has posted a bulletin to its Web site on how to configure a packet filter to alleviate the problems.
Employees at SNI disputed the notion that they release advisories in the name of selling software. "We take responsible disclosure of security problems very, very seriously, and are somewhat concerned that our efforts to release information professionally and effectively are being questioned by Ascend," said Tom Ptacek, a developer for SNI.
Ascend equipment has a large presence in most Internet service providers, a fact that could lead to outages on the Net if the vulnerabilities are widely exploited.
The first hole allows a malicious party to send a specialized packet which essentially causes Ascend's equipment to lock up and crash, according to Alfred Huger, project manager for Secure Networks. The vulnerability comes up occasionally in network-based software, with some of the more famous exploits in recent months targeting Microsoft's Windows NT operating system.
More significant is the second SNMP-based breach that could allow someone to gain access to the configuration information on an Ascend router and use the equipment as a type of network "sniffer," gaining access to privileged password and dial-in information, according to Huger.
"It's one of the worst router vulnerabilities I've ever seen," said Huger, who added that routing equipment from the likes of Bay Networks and Cisco Systems are not vulnerable. "They certainly might have other problems, but they don't have this problem."
At risk is Ascend equipment running variants of version 5.0 of the company's operating system for the MAX and Pipeline products.
In a prepared statement, Ascend cautioned that appropriate security policy could overcome the holes found by the security firm: "Ascend believes that all routers are inherently vulnerable when default configurations are left in place and when enhanced security features are not implemented. Ascend remains committed to providing a secure network environment for its products and its valuable customers."
To secure Ascend equipment, users can filter packets to check for wayward denial-of-service code. The SNMP issue could require users to adjust their administrative menus so that default settings cannot easily be guessed. Another option, according to Huger, is to turn off the use of SNMP, a widely used specification for collecting data on network traffic and other management information.
Huger said Ascend was advised of the problems with its equipment on February 4, but once Secure Networks did not hear a response, the firm disseminated a security advisory to various groups on the Net.
Ascend disputed the notion that they were not quick to respond. "If the assertion is we were notified about a problem and didn't do anything about it, that's not true," Warren said.