Bugtraq mailing list archives

Re: Very probable remote root vulnerability in cfengine


From: Scott Gifford <sgifford () TIR COM>
Date: Tue, 3 Oct 2000 04:06:46 -0400

Shaun Clowes <shaun () securereality com au> writes:

> > As you can set %s%s%s freely, and it's passed almost without checking
> > as-is to syslog(), it shouldn't be too difficult for Joe
> > Hacker to exploit this.
> >
> > EXPLOIT:
> > --------
> >
> > Not my business; I'm sure someone will produce one sooner or later though.


> As a member of the 'security community' I can say that I certainly
> appreciate each and every security vulnerability that is discovered
> and reported by everyone.  If security one day becomes a priority
> and people are aware of the issues, the Internet will be a much
> safer place.
>
> Having said that, this particular advisory is an example of
> something I find extremely frustrating. This bug in particular is
> almost certainly remotely exploitable, I'd agree with this, however,
> I don't think that makes life very fair for the average systems
> administrator. If she reads the advisory, she is told it should be
> vulnerable, not that it is. This could lead her to having to upgrade
> a service, possibly on a critical machine, for no reason if the
> problem is found to be non-exploitable.

Just so that nobody thinks that this is the opinion of the entire
list, I disagree with this pretty violently.

I would much rather see a report of a potential or likely bug well
before an exploit is written, so that the software is fixed and I'm
upgraded *before* script kiddies have started taking advantage of this
exploit.

I think that the idea that if there is no exploit you shouldn't bother
to upgrade is flawed; if there is a bug that looks like there's even a
small chance it could be exploited, it should be fixed and systems
upgraded as soon as possible; otherwise, there's a good chance that
somebody with more time on their hands than the original discoverer
will find the problem, and figure out an exploit.

The solution to users seeing so many advisories that they start to
ignore them is to use systems that are easy to upgrade, so that a user
doesn't have to care much whether a bug is likely to be exploitable;
they just upgrade their software as a matter of routine when
security-related upgrades are available.

Just my 2 cents,

-----ScottG.

