So it would seem there are deficiencies on both sides. If the simple sshd_config fix was a known issue then it should have been included in his original warning. My personal preference would have been to download the version with privilege separation, because it is a superior way to deal with things both present and future; however, given that this isn't widely tested I could definitely see the usefulness of the "quick fix".
What the hell is wrong with the people at ISS? This is the second "incident" in as many weeks. The message from Theo at OpenSSH and other Linux vendors said the info AND the real fix would be released early next week. This certainly seemed like a very responsible method of alerting people. Give everyone a week to upgrade to 3.3 and enable an option that could help mitigate any potential damage, and then release a fixed version of the program and the full details. This gives large production houses enough time to get the new version/config through change control and even gives admins who don't read bugtraq lists time enough to hear about it through another channel. Everything was working out pretty well and ISS has to go and screw up a pretty good plan.

Does ISS have a problem with queued up advisories and techs with itchy trigger fingers? Does time somehow run differently in Atlanta? I guess another lame self-justification will be forthcoming from ISS, but there is no excuse for this. What about the little people? Were you in such a hurry to get your X-Press Update advertisement out that you didn't even consider the ultimate end-user? Is it so easy to forget that not everyone is in organizations that discover or release 0-day info amongst themselves? Most administrators don't read bugtraq, and those that do received a polite, clear note from Theo:

Monday, June 24, 2002 11:22 PM
There is an upcoming OpenSSH vulnerability that we're working on with ISS.
Details will be published early next week.
....etc etc etc

Now ISS has up'd the ante and released it just a day and a half later. 1 and 1/2 days isn't a lot to verify that a production environment will not be adversely affected by ANY new/changed element. So it would seem that "working with ISS on this issue" is synonymous with "we are waiting to get blindsided". This also leads into another interesting issue. Why did ISS's reckless announcement take minutes to get through bugtraq and OpenSSH's initial, responsible warning take 24+ hours to process? I can plainly see that Theo's letter was sent on Monday but for some reason only gets here today. I know that SMTP mail is slow, but I don't think my server is THAT slow. Fortunately, it showed up on the vuln-watch list as well and we were able to help spread the word.

> X-Force is aware of active exploit development for this vulnerability.

I don't know if I really even believe you on this; certainly your recent actions are not those of a company that seeks to garner trust. Of course the minute anyone suggests there is a problem with product XYZ, thousands of bored people are going to start poking around "actively" trying to develop an exploit! But blind testing from scratch would certainly have taken longer than the proposed "quiet week" before publishing details. So, let's suppose it was more informed testing. So who knew enough about this to let it out? ISS and the OpenSSH dev team. One is made up of hard working developers who love a program enough to give their time away to make a really great product. The other is composed of people who routinely socialize with the underground "active exploit development" community. In my opinion, at least one side would have absolutely no motive to leak their information. So I propose: A: Your analysis of the exploit development process was faulty. B: There was no active development for an exploit, and you released the info for your own good. C: Someone's team is leaking information.

In any event, there is no need for any further underground exploit "R&D"; everyone now has the diff blueprints to get directly to the end goal. Granted, there are people out there intelligent enough to take the time to find the issue and to code an exploit without this knowledge. But these types of people wouldn't likely release it to the general populace; instead it would be used for select targets. Targets that would most likely already have security teams in place and be up on warnings and patches. Instead we have patch diffs in the hands of everybody and now lower skilled programmers can code the exploit. These people will spread the exploit far and wide simply for fame; only this time the targets will be everyone.

No one wins with this route you have chosen, ISS. You and your X-Force team used to be a respected group in my book. In the past they have provided valuable information to the security community and helped companies across the world to better secure themselves, but the handling of this and the Apache vulnerabilities are shining examples of how NOT to do things. So much for ISS being a "Trusted" center of knowledge. Trust and honor are coins you can only spend once.

Nelson Bunker, CISSP
VP of Security
Critical Watch

The opinions expressed in this advisory and program are my own and not of any company.

The big print giveth, the little print taketh away