Firewall Wizards mailing list archives
Re: Open Source vs. Closed Source [ was Re: [fw-wiz] FirewallThroughput ]
From: Chris Calabrese <christopher_calabrese () merck com>
Date: Fri, 15 Sep 2000 08:58:17 -0400
Heh, how about this one... Vendor A has traditionally shipped the BSD 4.2 FTP daemon. Around six months ago, Vendor A issued an FTP daemon patch for the XX version of their OS. Reading the patch description, it became obvious that it was a patch for some very serious security problems that had been revealed some months previous in WU-FTPD, thus revealing that they had switched to this FTP daemon in their new OS release. Meanwhile, not only did Vendor A allow their systems to remain unpatched for several months after patches were available for people who knew they had WU-FTPD (including when bundled in other commercial OS distributions), but Vendor A has not announced patches for another serious WU-FTPD hole that has appeared in the interim. I can't reveal who Vendor A is, but I don't think it would be difficult for someone to figure out if they look at old Bugtraq postings (where Vendor A was chastised at the time for not having previously revealed that they were shipping WU-FTPD and for taking so long to release the patch).

How does this relate to firewalls, you ask (this is the firewalls list, after all)? Well, I'm also aware of another vendor who sells a very widely used firewall product that also happens to use WU-FTPD as the basis of their FTP proxy, and also without telling anyone. Now, being a stripped-down proxy, this code is not subject to all the same security issues of a full blown WU-FTPD implementation. However, I became suspicious one day when a routine scan of our firewall using a popular commercial network vulnerability scanner crashed the FTP proxy on the firewall. That we had just downloaded a new version of the scanner so that it would catch a newly discovered WU-FTPD vulnerability was a big tip-off as to the origin of our problem. When I presented the issue to the vendor, they claimed that this was their proprietary FTP proxy and therefore this couldn't possibly be related to the recently discovered WU-FTPD problem.
When I pressed them on it, however, they eventually caved and admitted basing their proxy on a very old version of the WU-FTPD code back when they were first starting out. They soon released a patch for the particular version of the product we were using, and also rolled the patch into the new version they had in development, but other versions still do not have a patch available for them, and the vendor never advertised the issue, thus leading to a false sense of security for users of those other versions. I can't reveal this vendor either, but there aren't that many vendors of proxy firewalls. Thinking about it some more, I'm guessing that Marcus can tell you that Gauntlet didn't work this way when he was at TIS (and remember I said it's always been this way in this product). You also know it's not one of the newer firewalls on the market, since they don't have enough "other versions." That leaves only about two possibilities left in the proxy firewall space. If you've dealt with the vendors I'm thinking of, you'll have no trouble figuring out which one would do such a thing. Now, if somebody would like to discover these problems on their own, I suggest you give the vendors maybe about three weeks notice before you post to Bugtraq. If they balk, let them know that you know they have known about these problems for several months.