Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD Vulnerabilty

Posted by timothy on from the pretty-damn-obscure dept.

*no comment* writes "Normally vulnerability reports on slashdot wouldn't make it because there are so many. This one however is for the normally very secure OpenBSD. Someone can crash an OpenBSD bridge using a newly discovered ICMP exploit. More can be read here. This shouldn't affect most people as this only affects people that use OBSD as a bridge."

11 of 55 comments (clear)

  1. Still not really news by pilybaby · · Score: 4, Interesting

    Normally vulnerability reports on slashdot wouldn't make it because there are so many

    This might be unusual but it's really not that big a news. I suppose it shows that even the best are not infallible. Nice to see it's already been patched =).

  2. Re:Can't get to openbsd.org by gatorade123 · · Score: 5, Informative

    The quote is "Only one remote hole in the default install, in more than 8 years!"

    This exploit is only possible when you have bridging configured, which is not part of a default install, nor most common installations.

  3. Re:Can't get to openbsd.org by 0racle · · Score: 4, Informative

    This is a crash not an exploit, the OpenBSD team uses a very precise definition for that claim. They also seem to handle a crash that does not lead to an exploit in a more crass and off hand manner, but thats another story.

    --
    "I use a Mac because I'm just better than you are."
  4. Re:Are you kidding me? by Mark_MF-WN · · Score: 3, Informative

    It's only a big deal with Microsoft because the vulnerabilities in Microsoft software are typically quite severe and affect almost everyone.

  5. OpenBSD ICMP vulnerability obviously bogus by SlashCrunchPop · · Score: 4, Funny
    11:55:01 <Theo> For the last time, there is no ICMP vulnerability, period!!!
    11:55:08 <Niels> OK, man, whatever you say. So who submitted the bug report in the first place?
    11:56:23 <Theo> Who cares? It's B-O-G-U-S! Now leave me alone, can't you see I'm busy?! 11:56:29 <Niels> Jeez, would it kill you to give me the details on this alleged bug?
    11:59:51 <Niels> Theo? Are you there, man?
    ^An
    citi:~> ping -P "out ipsec ah/transport/10.0.1.1-10.0.2.2/use esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2
    PING zeus.theos.com (10.0.2.2): 56 data bytes
    ^C
    --- 10.0.2.2 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    citi:~>
    ^Ap
    12:00:00 *** Signoff: Theo (Read error: EOF from client)
    /.
    ^^ typed in shock in an attempt to do a /whowas Theo
  6. Re:Why'zit a 'Reliability' fix, not a 'Security' f by shiftyphil · · Score: 5, Informative

    Because the worst you can do with it is crash the system, not gain access.

  7. Re:Can't get to openbsd.org by Anonymous Coward · · Score: 3, Informative

    Isn't not even an exploit, I mean, come'on people, get a clue here. There's a huge difference between a DoS and an Exploit. This does nothing, even if someone, somehow knew there was a bridge.

  8. Re:Can't get to openbsd.org by Anonymous Coward · · Score: 5, Informative

    You have to have a bridge setup *AND* enable the special IPsec processing support on the bridge which means *very few* people would be affected by this issue.

  9. Re:Are you kidding me? by Mark_MF-WN · · Score: 3, Insightful
    I didn't realize that you were "most people". You think just because YOU haven't been affected by Microsoft vulnerabilities, that most other Windows users haven't been as well? That's an invalid generalization if there ever was one.


    Slashdot is anti-microsoft for a reason -- Microsoft software is technologically inferior. It has way too many severe vulnerabilities. Without a firewall, a fresh Windows 2000 installation will have a worm within a minute of connecting to the internet. And that's without ever opening a single application. No other operating system EVER MADE can compare to that.


    No matter what fantasy world you live in, you cannot argue that Windows is not horrifically insecure.

  10. Re:Are you kidding me? by Lars+T. · · Score: 4, Insightful
    Funny, I haven't been affected by even one microsoft vulnerability.

    You may actually think so, but you probably have. Had to wait for a product you ordered because a company involved in making or shipping it was hit by a mail worm? Had a slower internet "experience" because of Blaster? Get more Spam via distributed Spam relays installed by a worm? And I'm not even counting things like not being able to get cash at the ATM because it BSODed because that's not a vulnerability.

    --

    Lars T.

    To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  11. Re:Are you kidding me? by NutscrapeSucks · · Score: 4, Insightful

    > No other operating system EVER MADE can compare to that.

    Except RedHat Linux 5.x and 6.x.

    The RH releases from the same era as W2K had dozens of remote holes in the install and had serveral worms targetting them, a long with lots of script kiddie activity. A study showed that an unpatched RedHat box would be owned in in a mean time of less than 5 minutes. Someone even made t-shirts that said "My other computer is your Linux box."

    (However, like Win2000, a RH box could be secured by a competant administrator.)

    Trying to judge technological inferiority by bug counts is inane, especially because Unix/Linux doesn't really have a significantly better record than Microsoft. (Compare the record of IIS6 versus Apache over the last year or so, for example...) So I would rephrase your statement: Slashdot is anti-microsoft for a reason -- Slashdot believes their shit don't stink

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.