Firewall Wizards mailing list archives

Re: Open Source vs. Closed Source [ was Re: [fw-wiz] FirewallThroughput ]


From: Chris Calabrese <christopher_calabrese () merck com>
Date: Fri, 15 Sep 2000 08:58:17 -0400

Heh, how about this one...

Vendor A has traditionally shipped the BSD 4.2 FTP daemon.  Around six
months ago, Vendor A issued an FTP daemon patch for the XX version
of their OS.  On reading the patch description, it became obvious that
it was a patch for some very serious security problems that had been
revealed some months previously in WU-FTPD, thus revealing that
they had switched to this FTP daemon in their new OS release.

Meanwhile, not only did Vendor A allow their systems to remain
unpatched for several months after patches were available for
people who knew they had WU-FTPD (including when bundled
in other commercial OS distributions), but Vendor A has not
announced patches for another serious WU-FTPD hole that has
appeared in the interim.

I can't reveal who Vendor A is, but I don't think it would be difficult
for someone to figure out if they look at old Bugtraq postings (where
Vendor A was chastised at the time for not having previously revealed
that they were shipping WU-FTPD and for taking so long to release
the patch).

How does this relate to firewalls, you ask (this is the firewalls list, after
all)?  Well, I'm also aware of another vendor who sells a very widely used
firewall product that also happens to use WU-FTPD as the basis of their FTP
proxy, and also without telling anyone.  Now, being a stripped-down proxy,
this code is not subject to all the same security issues of a full blown
WU-FTPD implementation.  However, I became suspicious one day
when a routine scan of our firewall using a popular commercial network
vulnerability scanner crashed the FTP proxy on the firewall.  That we had
just downloaded a new version of the scanner so that it would catch a
newly discovered WU-FTPD vulnerability was a big tip-off as to the
origin of our problem.  When I presented the issue to the vendor, they
claimed that this was their proprietary FTP proxy and therefore
this couldn't possibly be related to the recently discovered WU-FTPD
problem.  When I pressed them on it, however, they eventually caved
and admitted basing their proxy on a very old version of the WU-FTPD
code back when they were first starting out.

They soon released a patch for the particular version of the product
we were using, and also rolled the patch into the new version they
had in development, but other versions still do not have a patch
available for them, and the vendor never advertised the issue, thus
leading to a false sense of security for users of those other versions.

I can't reveal this vendor either, but there aren't that many vendors of
proxy firewalls.  Thinking about it some more, I'm guessing that
Marcus can tell you that Gauntlet didn't work this way when he was
at TIS (and remember I said it's always been this way in this product).
You also know it's not one of the newer firewalls on the market, since
they don't have enough "other versions."  That leaves only about two
possibilities in the proxy firewall space.  If you've dealt with the
vendors I'm thinking of, you'll have no trouble figuring out which
one would do such a thing.

Now, if somebody would like to discover these problems on their
own, I suggest you give the vendors maybe about three weeks notice
before you post to Bugtraq.  If they balk, let them know that you know
they have known about these problems for several months.
