Slashdot Mirror
Remote Exploit Discovered for OpenBSD
An anonymous reader writes "OpenBSD is known for its security policies, and for its boast of "only one remote exploit in over 10 years". Well, make that two, because Core Security has found a remotely exploitable buffer overflow in the OpenBSD kernel. Upgrade your firewalls as soon as possible."
Well done. It's not an easy feat to create an OS with so little exploits. The team and Microsoft should take a leaf out of your book.
Hiya, Fyodor.
Why is your sig not a sig?
I think you're reading too much into things. It's FAR more likely that the OBSD team has become somewhat overconfidenct in there code. As such, since remote exploit wasn't shown and was unlikely, they dismissed that.
But, cover up? Yah right. Please, note that the OBSD team NEVER denied that a problem existed. They fixed it. It was only the wording that was in contest until remote execution was shown and they verified it.
I'll spot them some skepticism or overconfidence. It's been proven again and again that they're right to think OpenBSD is a hard target, so it's understandable that they wanted to see proof before bumping their counter up.
:-)
As for a "cover up"... well, if such a thing happend I'd say they must really suck at coverups, since we all know about it.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
..uses IPv6? That's the first thing I turn off on every OS I've ever set up for a client (at least, ones where I can recompile the kernel).
This is about as interesting as finding a hole in Gopher. (Except, well, Gopher is something from the past, and IPv6 is perpetually in the future [any day now, we'll all switch!]).
> Availability is a key facet of security. There's no fuckin' point having a "secure" system which you can't even use.
Sure there is. Think, for example, of a data warehouse containing social security numbers. Would you prefer that that system go down entirely, or that the contents of the database is exposed. A system that detects trouble and shuts itself down until someone fixes it sounds good to me.
Also, by your standards, a power failure is a security hole. That's just not true.
My other car is first.
Not in this case. This was a bug in the IPv6 code, which comes from the KAME project. The BSD TCP/IP stack used by some versions of Windows comes from the 4BSD series, pre-dating KAME (and IPv6 in general) by quite some years.
I am TheRaven on Soylent News
I really like OpenBSD, but I really miss having an analogue of FreeBSD's portaudit utility. Since the source data used by portaudit provides OpenBSD and FreeBSD vulnerability info, I wonder if anyone has tried porting it...
I am TheRaven on Soylent News
Also, by your standards, a power failure is a security hole. That's just not true.
Tell that to anyone who has an alarm system without a battery backup...
FTFA:
Kudos to Core Security for finding an exploit in OpenBSD code. Seriously, that's impressive. However, it sounds like they're a little too pleased with themselves. "Forced release"? I guess that's technically true, in the sense that a feather exerts a gravitational force on the Earth.
In a nutshell, they reported a problem and OpenBSD fixed it. Then they demonstrated that it was a more serious problem, and OpenBSD backported the fix to the current releases and announced it on their website. After reading the whole timeline, I'm not sure what else they were supposed to have done so that Core wouldn't be "forced" to announce the vulnerability that OpenBSD publicized on their own site as a "security fix" three days earlier.
Dewey, what part of this looks like authorities should be involved?
The argument that the OS is more secure would carry a bit more weight if the OpenBSD team didn't blatantly try to deny that this was a vulnerability as the release states. If you buy the release, Core made them look pretty bad, as if they just dismissed the disclosure effectively saying "we don't think that's a problem". When they did that, Core dropped it right on them, then they reacted. If the team were as security conscious as you claim, they wouldn't have simply dismissed it and would have given the issue more serious consideration. I've always thought of the BSDs (Net and Open anyway) as a smaller attack vector, nothing inherently more secure. They don't have a monopoly on smart developers and all humans make mistakes.
First, there has to be a lot of low-level code just to be able to boot most modern computers. Any high-level, non-native language (Python, Perl, C#, etc) need to have an OS to run their VM. Anything low-level, such as disk access, memory management, process management, etc, requires more-or-less direct access to the hardware. This means assembly, in many cases.
.Net framework, and most other popular languages. And it's easier to take advantage of a Perl or Python or .Net exploit when you find them, as you don't need intimate knowledge of the underlying architecture.
Fully-native object oriented languages like Objective-C are no better than C for security. In fact, they bring their own set of baggage with them. Hybrid ("half-assed") object languages like C++ are worst of all, as they unite the simplicity of Brainfuck with the inherent security of C and the speed of Perl. (Drawbacks of C++ exaggerated for comic effect. If you are a C++ weenie, please don't take offense.)
When it comes down to it, for general-purpose operating systems, there's not been found a better way than the combination of ASM + C.
I think the issue is, where does the OS stop and the application space begin?
Does the whole TCP/IP stack *need* to be written in C? Probably not. Considering the amount of use it gets, it's probably a great place to optimize for performance, though, so writing it in C helps.
And I'm not convinced the problem is the language. The OpenBSD folks have written a good, solid OS in C, with very few exploits. I've seen exploits in Perl, Python, C#, the
As usual, the debate is not as simple as, "C bad, everything else good."
Anyway, that's my rant, and I'm sticking to it.
Microsoft is to software what Budweiser is to beer.
Well, the Linux kernel doesn't have a default install... But most distros did enable smbfs by default.
Son, are you high? Since when were you in charge of what OpenBSD is SUPPOSED to do and not do? Last I checked, that was Theo de Raadt's job, and noone else's.
If the developers look at something and think it's a potential security risk, they mark it as such and it comes as a security patch. Look through their history, they've done it several times when they haven't even looked to make an exploit, they just think it's possible, so it's marked as security.
On the other hand, if they do not see the risk, they mark it as reliability unless someone, it doesn't matter who, shows them otherwise.
When has it ever been declared OpenBSD's responsibility to treat anything and everything as the end of the world?
They never used to treat everything as a hole in the system, they treated things as what they assessed them to be, just like everyone else does.
Given a pass? This is a bug that can only be exploited under rare cases and it had been very doubtful that it could be exploited at all until Core showed it to them. Cannot slack? These people are doing a significantly better job keeping their system safe than any other system, if anything, these people are getting pressured far more than they should be. They are human last I checked, except for Bob Beck who is actually 1/4 Moose on his dad's side.
Their entire reason for being is making a system they want to use, that will never evaporate. And you can go fuck yourself for all they care, they don't even want you using their work, they're letting you have it because they see no need to make you write your own code. You're just being an ingrateful little child, complaining about nothing, because you want everything.
"The OpenBSD team is SUPPOSED to assume the worst case when no facts are known."
/everyone/ else, deny deny deny,"
...and announced it on THE FRONT OF THEIR HOME PAGE FOR ALL TO SEE. From openbsd.org:
That's absurd. No facts and it's immediately considered an exploit on vetted code?
I'm not sure where you learned this ideology. I've used OBSD for 8 years and they never do this unless it's blatently clear.
And you know what? Mayve they did consider it and didn't see the issue; it took CORE itself 1 week minimum to deliver PoC, showing this was not a readily seen | trivial exploit, not to mention a couple days, not the usual hours, for OBSD to come up with a fix. iow, the fact it wasn't seen in the first place lends some evidence that this wasn't a readily seen problem.
"They are supposed to investigate EVERY bug as being a potential exploit."
No, they fix known bugs first, which stamps out most issues. Which they did here. Then they learned it was more and fixed the issue within 2 days, maybe less depending on what hours the mentioned communications were actually made.
YOU do understand that CORE seems to have given them partial info? PoC was not given for over a week. You also don't know, seeing the info is only one side of the tale, whether someone was still looking into things on OBSD's end and CORE simply came up with the PoC first.
"At least they used to."
You clearly don't use OBSD and haven't for years, so quit pretending you know how they work and being some basis of how they used to work, because your impression is false; they've never had the attitude you give them. They fix bugs first and write secure code from the get-go with a pretty small team and resources. They don't go doomsday on every bug revealed or write exploits as a matter of course.
"Now they are like
Where did they deny? They questioned, had their own arguments, didn't see the proble, saw their misyake, and immediately fixed and bacported it...
" till they get egg shoved in their face."
"Only two remote holes in the default install, in more than 10 years!"
"And in fact it may be this type of internal behavior that has led to the existance of this bug in the first place. Rather than giving them a pass, they should be crucified for this. They need to be reminded that they cannot go slack or their entire reason for being will evaporate."
Seems pretty clear to me you're on OpenBSD hater and non-user.
Crucified for 2 errors in a decade, one being in IPv6 code whe most of the world is IPv4?
Their entire reason will evaporate, when most of the developers want to write good, secure code, come up with secure solutions, with security in an OS as part of the emphasis, the other being open source for all to use and open documentation?
Frankly, you're a damn, misinformed, assuming nut.