Slashdot Mirror


Remote Exploit Discovered for OpenBSD

An anonymous reader writes "OpenBSD is known for its security policies, and for its boast of "only one remote exploit in over 10 years". Well, make that two, because Core Security has found a remotely exploitable buffer overflow in the OpenBSD kernel. Upgrade your firewalls as soon as possible."

12 of 338 comments

  1. Well done, the OpenBSD team. by Anonymous Coward · · Score: 5, Insightful

    Well done. It's not an easy feat to create an OS with so few exploits. The team and Microsoft should take a leaf out of your book.

    1. Re:Well done, the OpenBSD team. by Anonymous Coward · · Score: 4, Insightful

      You think the problem is that Microsoft can't create a secure OS? You don't think the problem is all the legacy crap, and the everything-under-the-sun and everything-to-everyone demands placed upon it? Not that what OpenBSD has achieved as a track record isn't impressive. But serving one master (of one's own choosing) well is not the same thing as being the most favored servant to the most masters.

    2. Re:Well done, the OpenBSD team. by Kandenshi · · Score: 5, Insightful

      I heard a rumour that Microsoft did indeed look to the idea of emulating OpenBSD's security practices as a company.

      Then someone pointed out the respective revenues of OpenBSD vs Microsoft, and the whole idea just seemed to evaporate.

      Someone decided that people don't care enough about the number of remote exploits found in a given OS. They were probably right.

    3. Re:Well done, the OpenBSD team. by drsmithy · · Score: 3, Insightful

      > Well done. It's not an easy feat to create an OS with so few exploits. The team and Microsoft should take a leaf out of your book.

      It is when basically the only thing your OS does "in the default install" is allow SSH logins.

      (Which is not to attack the excellent work of the OpenBSD team, but comparing it to Windows in this fashion is just asinine.)

    4. Re:Well done, the OpenBSD team. by Richard_at_work · · Score: 4, Insightful

      The default install of OpenBSD includes (from memory, so this is not exhaustive) SSHd, bind, apache and sendmail, all of which are included in the term 'Only two remote holes in the default install' - those codebases are as rigorously audited as anything else.

    5. Re:Well done, the OpenBSD team. by TheRaven64 · · Score: 4, Insightful

      The thing is, it doesn't matter. The OpenBSD folk treat pretty much every bug as a security hole. I heard one of them say this, which I think should be taken to heart by all software developers:

      The only difference between a bug and a security hole is the intelligence of the attacker. As such, the hole was patched when they thought it was just a DoS. All escalating it does is encourage admins not to actually apply the patches.

      --
      I am TheRaven on Soylent News
    6. Re:Well done, the OpenBSD team. by Just+Some+Guy · · Score: 5, Insightful

      > I heard a rumour that Microsoft did indeed look to the idea of emulating OpenBSD's security practices as a company.

      > Then someone pointed out the respective revenues of OpenBSD vs Microsoft, and the whole idea just seemed to evaporate.

      My company makes far more than the OpenBSD team brings in, and yet we still respect them and try to emulate their practices. I'm not sure what kind of hubris it takes to dismiss someone's ideas just because you have more money.

      --
      Dewey, what part of this looks like authorities should be involved?
  2. Re:Advisory Timeline by Secret+Rabbit · · Score: 3, Insightful

    I think you're reading too much into things. It's FAR more likely that the OBSD team has become somewhat overconfident in their code. As such, since a remote exploit wasn't shown and was unlikely, they dismissed that.

    But, cover up? Yah right. Please, note that the OBSD team NEVER denied that a problem existed. They fixed it. It was only the wording that was in contest until remote execution was shown and they verified it.

  3. They've earned a mulligan, I think by peacefinder · · Score: 3, Insightful

    I'll spot them some skepticism or overconfidence. It's been proven again and again that they're right to think OpenBSD is a hard target, so it's understandable that they wanted to see proof before bumping their counter up.

    As for a "cover up"... well, if such a thing happened I'd say they must really suck at coverups, since we all know about it. :-)

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  4. Re:Advisory Timeline by jrockway · · Score: 3, Insightful

    > Availability is a key facet of security. There's no fuckin' point having a "secure" system which you can't even use.

    Sure there is. Think, for example, of a data warehouse containing social security numbers. Would you prefer that that system go down entirely, or that the contents of the database are exposed? A system that detects trouble and shuts itself down until someone fixes it sounds good to me.

    Also, by your standards, a power failure is a security hole. That's just not true.

    --
    My other car is first.
  5. Re:Advisory Timeline by TheRaven64 · · Score: 3, Insightful

    > it appears that the fix to 3.9 and 4.0 branches was delayed for an extra week until Core produced a working remote root exploit

    I think this makes sense, to be honest. If it's just a DoS, then I'd rather not put the code in my kernel until it's been well tested (I can remote-reboot my machine, if all else fails, and then apply the patch). If it's a remote code execution then it's pretty hard for any change to make it worse.

    I really like OpenBSD, but I really miss having an analogue of FreeBSD's portaudit utility. Since the source data used by portaudit provides OpenBSD and FreeBSD vulnerability info, I wonder if anyone has tried porting it...

    --
    I am TheRaven on Soylent News
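
    The "only difference between a bug and a security hole is the intelligence of the attacker" point made in comment 5 above, and the DoS-versus-remote-code-execution distinction in this comment, can be shown in code. The following is an added illustration, not OpenBSD kernel code and not the bug Core reported (the page does not describe that bug's mechanics): a constructed toy parser that validates a packet-supplied length against the wrong bound. The object layout, the `PANIC`/`PRIVILEGED` outcomes and the two packets are all assumptions invented for the demonstration; the "kernel object" is a flat arena so every write stays inside memory the program owns.

    ```c
    #include <stddef.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>

    /* Constructed toy, not OpenBSD code. A "kernel object" as a flat arena:
     * option buffer, then a privilege flag, then a "next" field. */
    #define ARENA_SIZE 64
    #define OPT_OFF    0   /* 16-byte option buffer filled from the packet */
    #define OPT_SIZE   16
    #define PRIV_OFF   16  /* 1-byte "privileged" flag right after the buffer */
    #define NEXT_OFF   32  /* 4-byte "next object" field; garbage here = panic */
    #define NEXT_MAGIC 0x1000u

    enum outcome { OK = 0, DROPPED = 1, PANIC = 2, PRIVILEGED = 3 };

    struct object { unsigned char mem[ARENA_SIZE]; };

    static void object_init(struct object *o)
    {
        uint32_t next = NEXT_MAGIC;
        memset(o->mem, 0, sizeof o->mem);
        memcpy(o->mem + NEXT_OFF, &next, sizeof next);
    }

    /* Stands in for the consistency check a kernel trips on a corrupted
     * object: a clobbered "next" field is a panic (the DoS a fuzzer sees). */
    static enum outcome object_check(const struct object *o)
    {
        uint32_t next;
        memcpy(&next, o->mem + NEXT_OFF, sizeof next);
        if (next != NEXT_MAGIC)
            return PANIC;
        if (o->mem[PRIV_OFF] != 0)
            return PRIVILEGED;   /* the flag was written without a crash */
        return OK;
    }

    /* Vulnerable: the packet length is checked against the whole object
     * instead of the 16-byte field it is copied into. */
    static enum outcome parse_option_vuln(struct object *o,
                                          const unsigned char *pkt, size_t len)
    {
        if (len > ARENA_SIZE)   /* wrong limit */
            return DROPPED;
        memcpy(o->mem + OPT_OFF, pkt, len);
        return object_check(o);
    }

    /* Fixed: bound the copy by the size of the destination field. */
    static enum outcome parse_option_fixed(struct object *o,
                                           const unsigned char *pkt, size_t len)
    {
        if (len > OPT_SIZE)
            return DROPPED;
        memcpy(o->mem + OPT_OFF, pkt, len);
        return object_check(o);
    }

    static enum outcome run(enum outcome (*parse)(struct object *,
                                                  const unsigned char *, size_t),
                            const unsigned char *pkt, size_t len)
    {
        struct object o;
        object_init(&o);
        return parse(&o, pkt, len);
    }

    /* Constructed packet 1: 40 bytes of 0x41. Overwrites the buffer, the flag
     * and the "next" field, so the only visible symptom is a crash. */
    enum outcome fuzzer_packet_vuln(void)
    {
        unsigned char pkt[40];
        memset(pkt, 0x41, sizeof pkt);
        return run(parse_option_vuln, pkt, sizeof pkt);
    }

    /* Constructed packet 2: 17 bytes, the 17th lands exactly on the flag and
     * nothing else is disturbed. Same bug, no crash, privilege gained. */
    enum outcome crafted_packet_vuln(void)
    {
        unsigned char pkt[17] = {0};
        pkt[16] = 1;
        return run(parse_option_vuln, pkt, sizeof pkt);
    }

    /* The same crafted packet against the corrected bound is just dropped. */
    enum outcome crafted_packet_fixed(void)
    {
        unsigned char pkt[17] = {0};
        pkt[16] = 1;
        return run(parse_option_fixed, pkt, sizeof pkt);
    }

    int main(void)
    {
        printf("fuzzer packet, vulnerable parser:  %d (2 = panic)\n", fuzzer_packet_vuln());
        printf("crafted packet, vulnerable parser: %d (3 = privileged)\n", crafted_packet_vuln());
        printf("crafted packet, fixed parser:      %d (1 = dropped)\n", crafted_packet_fixed());
        return 0;
    }
    ```

    The point of the two packets is that the patch for the "reliability fix" (the wrong bound) and the patch for the remote hole are the same patch; only the input that demonstrates the severity differs.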
  6. Forced release? by Just+Some+Guy · · Score: 4, Insightful

    FTFA:

    2007-02-21: Core sends draft advisory and proof of concept code that demonstrates remote kernel panic.
    2007-02-26: OpenBSD team develops a fix and commits it to the HEAD branch of source tree.
    [...]
    2007-03-05: OpenBSD team notified of PoC availability.
    2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website.
    [...]
    2007-03-13: Core releases this advisory.
    Release Mode: FORCED RELEASE

    Kudos to Core Security for finding an exploit in OpenBSD code. Seriously, that's impressive. However, it sounds like they're a little too pleased with themselves. "Forced release"? I guess that's technically true, in the sense that a feather exerts a gravitational force on the Earth.

    In a nutshell, they reported a problem and OpenBSD fixed it. Then they demonstrated that it was a more serious problem, and OpenBSD backported the fix to the current releases and announced it on their website. After reading the whole timeline, I'm not sure what else they were supposed to have done so that Core wouldn't be "forced" to announce the vulnerability that OpenBSD publicized on their own site as a "security fix" three days earlier.

    --
    Dewey, what part of this looks like authorities should be involved?