Dailydave mailing list archives

Re: NISCC's culmination of sitting on an ISAKMP vulnerability for 4 months


From: Dave Aitel <dave () immunitysec com>
Date: Mon, 14 Nov 2005 09:43:16 -0500

I've always wondered why vendors don't all have their own fuzzers. It would seem part of a "good development methodology" to have one, right? I'm sure there's something about it in "SCRUM" or "AGILE", whatever the development methodology is that most companies use these days.

PROTOS finds some weird stuff, but deep down it's a blind fuzzer. You guys, and the Cisco IPSEC team, should be able to write a much better fuzzer - you know the protocol inside and out, and, in the case of Cisco, they have a lot of money to throw at the problem!

Just a thought. I think it's interesting how throwing a ton of money at security DOES work. Microsoft had multiple specialized fuzzers for IIS 6 - as part of a strategy that included fuzzing, code review, and design analysis. There haven't been any remote IIS 6 overflows yet, as far as I know. That doesn't mean there aren't any, but developing fuzzers to look at your software stack before it goes out is good value for the money, imo. Waiting for PROTOS to write one is probably not a realistic strategy.

And SPIKE and PeachFuzz are free, after all, as long as your corporate guidelines don't prohibit you from using GPL software the way MS's does. :>

-dave
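The protocol-aware fuzzer the message above argues vendors should write, as an added example: this is not code from the original thread, nor from PROTOS, SPIKE or Peach. It assumes the ISAKMP header and generic payload layouts from RFC 2408 and the IKE attribute numbers from RFC 2409; the case names, offsets and the `validate()` receiver-side check are this example's own and stand in for no vendor's implementation. It builds one well-formed Main Mode first message, derives test cases by corrupting specific fields a parser has to trust, and keeps a blind byte-flipper alongside for contrast. Nothing is sent on the wire.

```python
"""Structure-aware ISAKMP (RFC 2408) fuzz-case generator: an added example,
not code from the original post or from PROTOS, SPIKE or Peach. Builds one
well-formed IKEv1 Main Mode message 1, then breaks individual fields the
receiver has to trust. Nothing is sent; callers get bytes for a harness."""
import random
import struct

PT_NONE, PT_SA, PT_TRANSFORM = 0, 1, 3      # RFC 2408 payload types (subset)
EXCH_MAIN_MODE, ISAKMP_VERSION, HDR_LEN = 2, 0x10, 28
IPSEC_DOI, SIT_IDENTITY_ONLY, PROTO_ISAKMP, KEY_IKE = 1, 1, 1, 1

def generic_hdr(next_payload, body):
    """Generic payload header: next payload, reserved, length incl. header."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def attr_tv(atype, value):
    """Basic (type/value) attribute: high bit of type set, 16-bit value."""
    return struct.pack("!HH", 0x8000 | atype, value)

def transform(number, attrs, next_payload=PT_NONE):
    return generic_hdr(next_payload, struct.pack("!BBH", number, KEY_IKE, 0) + attrs)

def proposal(transforms):
    body = struct.pack("!BBBB", 1, PROTO_ISAKMP, 0, len(transforms))  # SPI size 0
    return generic_hdr(PT_NONE, body + b"".join(transforms))

def sa_payload(prop):
    return generic_hdr(PT_NONE, struct.pack("!II", IPSEC_DOI, SIT_IDENTITY_ONLY) + prop)

def message(sa, icookie):
    """HDR (cookies, next payload, version, exchange, flags, msg id, length) + SA."""
    hdr = struct.pack("!8s8sBBBBII", icookie, b"\x00" * 8, PT_SA, ISAKMP_VERSION,
                      EXCH_MAIN_MODE, 0, 0, HDR_LEN + len(sa))
    return hdr + sa

def baseline_message(icookie=b"\x11" * 8):
    """Well-formed message 1: one proposal, one transform (3DES, SHA-1, PSK, MODP 2)."""
    attrs = attr_tv(1, 5) + attr_tv(2, 2) + attr_tv(3, 1) + attr_tv(4, 2)
    return message(sa_payload(proposal([transform(1, attrs)])), icookie)

def patch(buf, offset, fmt, value):
    """Overwrite one fixed-width field in place (big-endian struct format)."""
    return buf[:offset] + struct.pack(fmt, value) + buf[offset + struct.calcsize(fmt):]

def structure_aware_cases(icookie=b"\x11" * 8):
    """Return {name: datagram}; each case breaks one field a parser relies on."""
    base = baseline_message(icookie)
    sa_off = HDR_LEN                  # first payload follows the 28-byte header
    prop_off = sa_off + 4 + 8         # SA generic header + DOI + situation
    cases = {
        "hdr_len_oversize": patch(base, 24, "!I", 0xFFFFFFFF),   # HDR length > datagram
        "hdr_len_undersize": patch(base, 24, "!I", 8),           # HDR length < header
        "sa_len_overrun": patch(base, sa_off + 2, "!H", 0xFFFF), # payload length past end
        "sa_len_zero": patch(base, sa_off + 2, "!H", 0),         # "off += len" never advances
        "unknown_next_payload": patch(base, 16, "!B", 200),      # undefined payload type
        "transform_count_mismatch": patch(base, prop_off + 7, "!B", 255),  # claims 255, has 1
    }
    # 200 real transforms chained by next-payload: iteration and allocation stress
    many = [transform(i, attr_tv(1, 5), PT_TRANSFORM if i < 200 else PT_NONE)
            for i in range(1, 201)]
    cases["transform_flood"] = message(sa_payload(proposal(many)), icookie)
    # TLV attribute (type 14, key length) declaring 65535 value bytes with 2 present
    tlv = struct.pack("!HH", 14, 0xFFFF) + b"\x00\x00"
    cases["attr_tlv_overrun"] = message(sa_payload(proposal([transform(1, tlv)])), icookie)
    return cases

def blind_cases(base, count=5, seed=1):
    """Contrast: blind random byte flips that know nothing about the fields."""
    rng, out = random.Random(seed), {}
    for i in range(count):
        buf = bytearray(base)
        for _ in range(rng.randint(1, 4)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        out["blind_%d" % i] = bytes(buf)
    return out

def validate(msg):
    """Defensive top-level walk of the payload chain: the length checks a receiver
    needs before touching any payload. Returns payload types or raises ValueError."""
    if len(msg) < HDR_LEN:
        raise ValueError("short header")
    next_pt, length = msg[16], struct.unpack("!I", msg[24:28])[0]
    if length != len(msg):
        raise ValueError("header length %d != datagram %d" % (length, len(msg)))
    off, seen = HDR_LEN, []
    while next_pt != PT_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header at %d" % off)
        np, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at %d" % (plen, off))
        seen.append(next_pt)
        next_pt, off = np, off + plen
    return seen

def rejected(msg):
    """True if validate() refuses the datagram."""
    try:
        validate(msg)
        return False
    except ValueError:
        return True
```

The point of the split between `structure_aware_cases()` and `blind_cases()` is the one the message makes: a blind flipper has to get lucky to land on the two length bytes of a payload header, while a generator that knows where those bytes are hits every length-trusting code path on the first run. Note also what `validate()` does not catch: the unknown payload type, the transform-count mismatch and the TLV overrun all pass a top-level length walk, so a receiver needs the same discipline one level down in the proposal and transform parsers.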



Paul Wouters wrote:
NISCC's achievement this time:

- do not release vulnerability information to open source vendors prior to
  release. Just tell them they cannot have the information for 4 months.
- try to postpone another 3 months, but getting their hands forced by CERT-FI
- do not list vendors impacted in their announcement.
- do not request a CVE.
- give the public absolutely no information on the vulnerability and
  whether they are impacted or need to urgently upgrade or not.

I sincerely hope NISCC's infrastructure somewhere, somehow, depends on a
Linux or BSD machine that will be DoSed by this, and their manager will soon
become their PM.

See how it impacted us:

http://lists.openswan.org/pipermail/announce/2005-November/000008.html

Morons,

Paul

