Slashdot Mirror


OpenBSD Vulnerability

*no comment* writes "Normally vulnerability reports on slashdot wouldn't make it because there are so many. This one however is for the normally very secure OpenBSD. Someone can crash an OpenBSD bridge using a newly discovered ICMP exploit. More can be read here. This shouldn't affect most people as this only affects people that use OBSD as a bridge."

19 of 55 comments

  1. Can't get to openbsd.org by dtfinch · · Score: 2, Funny

    slashdotted already?

    Obligatory "No remote exploits in 0 days."

    1. Re:Can't get to openbsd.org by gatorade123 · · Score: 5, Informative

      The quote is "Only one remote hole in the default install, in more than 8 years!"

      This exploit is only possible when you have bridging configured, which is not part of a default install, nor most common installations.

    2. Re:Can't get to openbsd.org by 0racle · · Score: 4, Informative

      This is a crash, not an exploit; the OpenBSD team uses a very precise definition for that claim. They also seem to handle a crash that does not lead to an exploit in a more crass and offhand manner, but that's another story.

      --
      "I use a Mac because I'm just better than you are."
    3. Re:Can't get to openbsd.org by Anonymous Coward · · Score: 3, Informative

      It's not even an exploit. I mean, come on, people, get a clue here. There's a huge difference between a DoS and an Exploit. This does nothing, even if someone, somehow knew there was a bridge.

    4. Re:Can't get to openbsd.org by Anonymous Coward · · Score: 5, Informative

      You have to have a bridge set up *AND* enable the special IPsec processing support on the bridge, which means *very few* people would be affected by this issue.

    5. Re:Can't get to openbsd.org by Anonymous Coward · · Score: 2, Informative

      You need to have more than just bridging configured - you need the link2 flag set on the bridge, which is only useful if you are bridging two networks via a VPN.

  2. Still not really news by pilybaby · · Score: 4, Interesting

    Normally vulnerability reports on slashdot wouldn't make it because there are so many

    This might be unusual but it's really not that big a news. I suppose it shows that even the best are not infallible. Nice to see it's already been patched =).

  3. Are you kidding me? by Anonymous Coward · · Score: 2, Insightful

    Normally vulnerability reports on slashdot wouldn't make it because there are so many.

    That is, unless it's a vulnerability in Microsoft software.

    1. Re:Are you kidding me? by Mark_MF-WN · · Score: 3, Informative

      It's only a big deal with Microsoft because the vulnerabilities in Microsoft software are typically quite severe and affect almost everyone.

    2. Re:Are you kidding me? by Mark_MF-WN · · Score: 3, Insightful

      I didn't realize that you were "most people". You think just because YOU haven't been affected by Microsoft vulnerabilities, that most other Windows users haven't been as well? That's an invalid generalization if there ever was one.


      Slashdot is anti-microsoft for a reason -- Microsoft software is technologically inferior. It has way too many severe vulnerabilities. Without a firewall, a fresh Windows 2000 installation will have a worm within a minute of connecting to the internet. And that's without ever opening a single application. No other operating system EVER MADE can compare to that.


      No matter what fantasy world you live in, you cannot argue that Windows is not horrifically insecure.

    3. Re:Are you kidding me? by javax · · Score: 2, Insightful

      "I haven't been affected by even one microsoft vulnerability"

      Think this should be "I haven't yet noticed being affected by even one"

    4. Re:Are you kidding me? by Lars+T. · · Score: 4, Insightful

      Funny, I haven't been affected by even one microsoft vulnerability.

      You may actually think so, but you probably have. Had to wait for a product you ordered because a company involved in making or shipping it was hit by a mail worm? Had a slower internet "experience" because of Blaster? Get more Spam via distributed Spam relays installed by a worm? And I'm not even counting things like not being able to get cash at the ATM because it BSODed because that's not a vulnerability.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    5. Re:Are you kidding me? by merdark · · Score: 2, Insightful

      I didn't realize that you were "most people". You think just because YOU haven't been affected by Microsoft vulnerabilities, that most other Windows users haven't been as well? That's an invalid generalization if there ever was one.

      Notice I never said that most windows users have not been affected by a vulnerability? Notice that I said *I* have never been affected? Not being affected has a lot to do with knowing how to secure computer systems and avoid installing suspect software.
      I do not disagree that there are bad microsoft vulnerabilities that affect a ton of users. But, slashdot is still overly zealous in their reports on microsoft vulnerabilities.

      Slashdot is anti-microsoft for a reason -- Microsoft software is technologically inferior.

      Nope. Microsoft is not inferior at all. It is far more insecure, yes, but it's definitely not inferior. Part of why microsoft software is insecure is that it is far more complicated than other pieces of software. For instance, the recent run URI handler 'vulnerability' that slashdot jumped on. Mac OS X also has such functionality, and had similar vulnerabilities. Linux did not have similar vulnerabilities, because it does not have this functionality.

      No other operating system EVER MADE can compare to that.

      Keep in mind that no other operating system EVER MADE has had the reach or user base that Windows has either. No doubt people will learn from Microsoft's mistakes, just as Microsoft has. This is the way of the world.

      Airplanes used to have very little security, and people would even smoke on them. Cars originally had no seat belts, and even when they did, wearing them was not mandatory for the longest time. Motorbike riders didn't use to wear, or have to wear, helmets. These are all absurd things *now*, but at the time people did not realize it.

      Operating systems are no different. Before the internet, microsoft did not need to think of securing in the way they do now. They realized the importance of it too late, and are now in quite a bind.

      I always find it funny that people on slashdot tend to have a holier than thou attitude instead of a "let's observe and learn" attitude. This is why slashdot's silly anti-microsoft slant annoys me so. Other sites report on windows problems without being so snide.

    6. Re:Are you kidding me? by NutscrapeSucks · · Score: 4, Insightful

      > No other operating system EVER MADE can compare to that.

      Except RedHat Linux 5.x and 6.x.

      The RH releases from the same era as W2K had dozens of remote holes in the install and had several worms targeting them, along with lots of script kiddie activity. A study showed that an unpatched RedHat box would be owned in a mean time of less than 5 minutes. Someone even made t-shirts that said "My other computer is your Linux box."

      (However, like Win2000, a RH box could be secured by a competent administrator.)

      Trying to judge technological inferiority by bug counts is inane, especially because Unix/Linux doesn't really have a significantly better record than Microsoft. (Compare the record of IIS6 versus Apache over the last year or so, for example...) So I would rephrase your statement: Slashdot is anti-microsoft for a reason -- Slashdot believes their shit don't stink

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    7. Re:Are you kidding me? by j-turkey · · Score: 2, Interesting

      Airplanes used to have very little security, and people would even smoke on them. Cars originally had no seat belts, and even when they did, wearing them was not mandatory for the longest time. Motorbike riders didn't use to wear, or have to wear, helmets. These are all absurd things *now*, but at the time people did not realize it.

      I know that this is completely offtopic...but I find our seatbelt and helmet laws patently absurd. Your example here is poor, since your view is not universally accepted. It comes down to the argument of who owns your body -- you or the government. I choose to wear seatbelts and helmets. I believe that not using them is just plain dumb...but I neither want this forced on me, nor do I believe it should be forced on anyone else.

      --

      -Turkey

  4. Why'zit a 'Reliability' fix, not a 'Security' fix? by Anonymous Coward · · Score: 2, Interesting

    Here:

    http://openbsd.org/errata.html

    "All architectures

    016: RELIABILITY FIX: August 26, 2004

    As reported by Vafa Izadinia bridge(4)
    with IPsec processing enabled can be crashed
    remotely by a single ICMP echo traversing the
    bridge.

    A source code patch exists which remedies this problem.

    015: RELIABILITY FIX: August 25, 2004

    Improved verification of ICMP errors
    in order to minimize the impact of ICMP attacks
    against TCP.

    http://www.ietf.org/internet-drafts/draft-gont-icmp-payload-00.txt

    A source code patch exists which remedies this problem."

    Nevertheless, I still like its excellent record
    in security stat's... OpenBSD, here I come...

  5. OpenBSD ICMP vulnerability obviously bogus by SlashCrunchPop · · Score: 4, Funny
    11:55:01 <Theo> For the last time, there is no ICMP vulnerability, period!!!
    11:55:08 <Niels> OK, man, whatever you say. So who submitted the bug report in the first place?
    11:56:23 <Theo> Who cares? It's B-O-G-U-S! Now leave me alone, can't you see I'm busy?!
    11:56:29 <Niels> Jeez, would it kill you to give me the details on this alleged bug?
    11:59:51 <Niels> Theo? Are you there, man?
    ^An
    citi:~> ping -P "out ipsec ah/transport/10.0.1.1-10.0.2.2/use esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2
    PING zeus.theos.com (10.0.2.2): 56 data bytes
    ^C
    --- 10.0.2.2 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    citi:~>
    ^Ap
    12:00:00 *** Signoff: Theo (Read error: EOF from client)
    /.
    ^^ typed in shock in an attempt to do a /whowas Theo
  6. Re:Why'zit a 'Reliability' fix, not a 'Security' f by shiftyphil · · Score: 5, Informative

    Because the worst you can do with it is crash the system, not gain access.

  7. Where are mod points when I need them? by cipher+chort · · Score: 2, Interesting

    Clearly the parent has been in the security or networking business for more than a few years.

    In fact, I recall when RH7.0 came out and was followed almost immediately by 7.1 because of so many remote holes. I've seen several friends have their Linux boxes rooted, and I'm moderator on a Linux forum where we get at least one person a week (sometimes one a day) asking how they can repair their system because it was cracked.

    On the other hand, none of my OpenBSD boxes have ever been cracked... come to think of it, none of my Windows or Mac boxes ever have been, either.

    --
    Someone is WRONG on the Internet!