Dailydave mailing list archives
Re: Yet another fascinating advisory!
From: Rodney Thayer <rodney () canola-jones com>
Date: Wed, 11 Feb 2004 11:41:20 -0800
At 11:44 AM 2/11/2004 -0500, The Dave wrote:
For those of you who weren't at my BlackHat talk in Seattle, one of the themes was that the management and monitoring software and other enterprise-level software that people install is rarely looked at, and highly vulnerable.
One of the debates we have when testing security gear for magazine reviews is "how much should you look at the management interface". Vendors have this quaint delusion that nobody will ever attack them through "the management LAN". So, for example, they don't consider it a problem that Dave's cute little SSL attack toy is quite good at knocking over the control processes in their IDS. Other vendors think it's perfectly reasonable to take a stately 3-6 months to patch their Linux kernels, even though their devices as shipped allow shell access into the box. A third vendor (not a major one, this time) found it quite shocking that I would complain they were running a 2 year old version of OpenSSH. I think that in addition to testing your "gold build" you should make sure that the same standards you apply to your external and internal networks should be applied to management networks. In other words, don't be a wuss and tell me I can't run Canvas on the management backside of my Checkpoint box, because I just might find something...