Could someone place a rootkit on an internal network through a router?

Could someone place a rootkit on an internal network through a router?

Tags:   Cisco  DMZ  TFTP  UDP

By Joel Dubin, past SearchSecurity.com expert | May 18, 2009

Thumbnail: 

Is it possible to gain access to the internal network under the following circumstances: A Cisco Internet border router has TFTP running without SSH, and a bad guy gets the credentials and owns the router, then uploads a new configuration opening ports up for communication. Would the only possible attack be a denial of service, or could a rootkit be placed on the internal network?

EXPERT RESPONSE

Without knowing how the internal network is protected by a DMZ, it would be difficult to say how easy it would be to breach. But this situation, on the surface, sounds quite insecure.

TFTP is an insecure protocol, used mostly for transferring configuration files between routers in a network; it's insecure because it transmits data unencrypted in clear text, doesn't require authentication and is based on UDP. The first two issues are the most critical from a security perspective. If the configuration files are transmitted unencrypted, they can be intercepted, read and manipulated. If they're transmitted without authentication, anybody can access them.

So why would anybody use TFTP? TFTP sits on servers that are accessed by Cisco Systems Inc. routers for updating their configuration files. Some networks still need to run it for backwards compatibility with older network hardware. However, it should be replaced with SSH, which encrypts its traffic and requires authentication.

Again, without knowing if the internal network is protected by a DMZ, it would be hard to tell if compromising the border router would compromise the entire network. Either way, compromising any router with access to the network doesn't bode well for the security of the organization. For instance, if someone controlled access to the routers in the system, and was able to change the configuration files through manipulation of a weak TFTP server, he or she could gain access deep into the network. A denial-of-service (DoS) attack is only one possibility; an attacker could unleash a whole range of malware, including keystroke loggers to obtain account credentials.

Also, if the routers on the network were compromised, the attacker would then have the necessary access to control the servers or hosts on the network, as well. And with server access, installing a rootkit into the operating system would be no problem.

Similar

Related Articles

Add comment

Post a Comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <img /> <map> <area> <hr> <br> <br /> <ul> <ol> <li> <dl> <dt> <dd> <table> <tr> <td> <em> <b> <u> <i> <strong> <font> <del> <ins> <sub> <sup> <quote> <blockquote> <pre> <address> <code> <cite> <embed> <object> <strike> <caption>
  • Lines and paragraphs break automatically.
  • Use <!--pagebreak--> to create page breaks.

More information about formatting options

 

Comments

Similar

Related Articles

knowledge_central_tab

 
 
Knowledge Central
Today's top security priorities
Attacks based on vulnerabilities in websites are skyrocketing, and not many solutions are available to protect organizations against them. How do you deal with this and other key security issues today?
Taking a holistic business-centric approach to security
Today’s CIOs face multiple challenges, including the need to innovate in an extremely competitive business climate, address highly dynamic regulatory and compliance challenges, speed ROI to counter shrinking IT budgets, and secure their organizations against a wide barrage of sophisticated threats.
 
 
 
UTM product offers Logansport Savings Bank superior protection
Astaro Security Gateway’s IPS was able to block attacks that other intrusion prevention systems (IPS) missed at Logansport Savings Bank.
Hong Leong Financial opts for Juniper Networks at new Malaysia head office, data center
Hong Leong Financial Group Berhad builds complete and seamless data center and office network infrastructure with Juniper switches, security devices and Junos software.
 
 
 

Recent popular content

Most Read
WhiteHat Security reveals top 10 Web hacking techniques
Top 10 tips for protecting sensitive data from malicious insiders
Today's top security priorities
Rustock botnet increases spam traffic
UTM product offers Logansport Savings Bank superior protection

Site map
Search Security Asia
About Us
Print/Digital Subscription
Sales
Feedback
Security Tips
Expert Opinions
Research
White Papers
Case Studies

Blogs
Topics
Application security
Disaster recovery and business continuity
Identity management and access control
Information security careers, training and certifications
Topics
Network and Internet Security
Security best practices
Security threats
Surveillance and facilities management
Media
Videos
Podcasts
Webcasts
News
RSS