Heads-up on security aspects of looking-glass deployments

Hi all,
we recently performed a broad-scope security review of some commonly
deployed open-source looking-glass software, and we discovered
several bugs and misconfigurations which you may want to check if
concerning your infrastructure.

Firstly, affected software and issues are as follow:
* mrlg4php
   - CVE-2014-3927: Remote command injection to router's console via "argument" parameter
* cougar-lg
   - CVE-2014-3926: XSS in <title> via "addr" parameter
   - CVE-2014-3928: Unsafe configuration file path/ACL
   - CVE-2014-3929: Unsafe SSH keypairs path in default config
* cistron-lg
   - CVE-2014-3930: Unsafe configuration file path/ACL
* mrlg
   - CVE-2014-3931: Remote memory corruption in fastping (SUID binary)

Some of these bugs (in particular 3927, 3928, 3929, 3930) may directly
or indirectly result in exposed IPs, usernames, passwords,
SSH private keys and remote command injection to router's console.
Depending on the specific infrastructure setup, this may translate
into an attacker having live access to routers CLI.

During the study, we detected around 45 incidents somehow related
to above bugs, which we have already reported to concerned NOC
contacts, whois contacts and national FSIRTs for further handling.
Advanced private disclosure to concerned entities was performed
on 06/02.

For specific details, full advisories are available for each issue:
* http://www.s3.eurecom.fr/cve/CVE-2014-3926.txt
* http://www.s3.eurecom.fr/cve/CVE-2014-3927.txt
* http://www.s3.eurecom.fr/cve/CVE-2014-3928.txt
* http://www.s3.eurecom.fr/cve/CVE-2014-3929.txt
* http://www.s3.eurecom.fr/cve/CVE-2014-3930.txt
* http://www.s3.eurecom.fr/cve/CVE-2014-3931.txt

Apart from one case where the author is unreachable and one that
as been marked as "wontfix", all the issues have been fixed by
software authors. Incidents related to misconfigurations have been
handled on a case-by-case basis, and no disclosure-delaying cases
exist at this time (to the best of our knowledge).

If you have any specific questions on the topic, feel free to ask
either here on NANOG or by reaching me in private.

Luca & Mariano