The same technology that makes it easy for organizations to run any network operating system on their bare-metal switches can also be a gateway that lets cyber-criminals get malware into their software-defined networking environments, according to a security expert.
Gregory Pickett, founder of Hellfire Security, was scheduled to speak Aug. 6 at the Black Hat USA 2015 conference in Las Vegas about the vulnerability of switches that use Open Network Install Environment (ONIE), which is Linux-based open-source software that runs on a white box switch and enables users to run and switch network OSes without having to replace the hardware.
It’s a key enabler of software-defined networking (SDN) and network-functions virtualization (NFV) environments, and is used by a range of network OS makers on various white-box and branded open switches.
“The problem is, if this gets compromised, it also makes it possible for hackers to install malware on the switch,” Pickett wrote in an overview of the address he was to give at Black Hat. “Malware that can manipulate it and your network, and keep doing it long after a Network Operating System is installed.”
He also said that at the show he would demonstrate a drive-by Web attack that “is able to pivot through a Windows management station to reach the isolated control plane network, and infect one of these ONIE-based switches with malware … that’s there even after a refresh.”
In addition, Pickett said he would talk about steps that can be taken to address these problems and protect the network from becoming infected with persistent firmware-level malware.
SDN and NFV are designed to enable the creation of more programmable, agile and scalable networks by putting the control plane and networking tasks—that traditionally have been housed in complex and expensive networking gear—into software that can be run on less complex and more affordable commodity servers. Technologies like ONIE and the OpenDaylight Project’s solutions are important parts of the network virtualization scenario.
However, putting more of these network functions into software also opens them up to vulnerabilities and hacker attacks, putting the network at risk.
“With no secure boot, no encryption, no authentication, predictable HTTP/TFTP waterfalls, and exposed post-installation partition, ONIE is very susceptible to compromise,” he wrote. “And with Network Operating Systems such as Switch Light [from Big Switch Networks], Cumulus Linux and Mellanox-OS via their agents Indigo and eSwitchd not exactly putting up a fight with problems like no authentication, no encryption, poor encryption, and insufficient isolation, this is a real possibility.”
Officials with both Cumulus Networks and Big Switch said that they had discussed the issue with Pickett in the weeks before the presentation. Nolan Leake, co-founder and CTO at Cumulus, wrote in a post on the company blog that Cumulus last week patched a security bug in Cumulus Linux, but said the “much more serious issue” of how firmware in all network switches can be exploited is one that touches upon both proprietary and open hardware, and is similar to one already found in servers and PCs.
“The vulnerability is not specific to software-defined or open networking,” Leake wrote, adding that he believes Pickett chose to demonstrate the issue on ONIE because it’s open and easier to conduct research on. “This same exploitability has been known about in servers, laptops and PCs for years (and in some cases mitigated with technologies like Trusted Platform Modules), but its application to networking devices is new.”
In a post on the Big Switch blog, CTO Rob Sherwood and co-founder Kyle Forster echoed Leake’s comments that such vulnerabilities are present in servers and proprietary network switches, and noted that the networking industry is working on trusted hardware-based solutions.
“We’re working towards a hardened version of ONIE to be used in the same environments as secure PXE [Preboot Execution Environment, used with servers] in the future,” Sherwood and Forster wrote. “Using already built-in trusted hardware, like the popular TPM [Trusted Platform Module] chips, the hardware would verify that ONIE and the network operating system match cryptographically signed signatures, i.e., that they have not been compromised.”
They also noted that Big Switch customers usually keep their switches physically apart from the Internet and the rest of the data center for increased isolation and security.
“The purposeful simplicity and physical separation of these management networks running PXE and ONIE traffic typically lend a level of security via good practice rather than additional software,” Sherwood and Forster wrote.