Firewall Wizards mailing list archives

Re: Multiple firewalls ruleset bypass through FTP. Again. (CERT VU#328867)


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 8 Oct 2002 16:43:08 -0400 (EDT)

On Tue, 8 Oct 2002, Paul D. Robertson wrote:

> On Tue, 8 Oct 2002, Mikael Olsson wrote:
>
> > The above technique was cooked up by me, <mikael.olsson () clavister com>,
> > and I would like to thank ICSA labs for taking the time to verify it
> > against their certified products in spite of me having no hard evidence
> > to support my theories.
>
> I'd personally like to thank Mikael for allowing ICSA Labs to work with
> the vendors to get the products *fixed* and *tested* prior to this going
> out.[1]
>
> Mikael was incredibly patient, helpful and most of all interested in
> fixes.  The reason that firewalls that were originally vulnerable are
> fixed and at most require an update, instead of a panic attack is due to
> the way this was reported and handled.
>
> All the full-disclosure ranting in the world doesn't stop the fact that
> we've got fixed products *before* we've got wild attack code.  This does
> mean that you have to upgrade when your vendor says "time to upgrade," or
> try to do rush upgrades when CERT advisories come out.  If you can't trust
> your vendor though, you really ought to think about why you're using that
> vendor's products in a security context.

In a better world I think many researchers would take a stance such as
Mikael's, or be willing to adopt the RFP policy in disclosure <it looks to
have been updated to a newer version recently?>.  Exploits prior to
warning/patches are certainly not a good thing<TM>.  Yet, one has to look
at vendors outside those that only produce security products on which
their reputations hinge in looking at the full disclosure issue.  I know
it's been tackled here and elsewhere a lot, and quite a bit recently in
various formats.  But, when a major OS/hardware vendor threatens to use
the DMCA to go after a security consulting/research site for disclosing
issues they <the major vendor> have held under their belts for years, if
not months, then we have a totally different situation than what was faced
here.  It seems folks that produce security products and code might well
understand the consequences of not acknowledging potential risks to their
name and ventures when exploitable issues are found with their offerings,
and be more willing to work with researchers in addressing those issues,
than some of the larger vendors in the OS/hardware realms often are.
Getting vendors to work with researchers in such instances would be a
grand thing<TM> as opposed to reckless threats of legal retribution after
they have been advised of the issues by the researcher<s> who discovered
the issues.  While times have changed in this realm with a number of
vendors, it has well been slow work with some in the industry.  After all,
bugtraq was founded with good reason, no matter their shifts of disclosure
policies as they have grown and been acquired in the recent economic
understimulus.  I certainly feel that many researchers would take a more
reasonable approach to disclosure issues if they did not find vendors
constantly ignoring matters that have been disclosed to them with their
offerings, and when sitting for periods doing nothing to fix the issue,
then making threats to sue or otherwise damage the researchers for finally
disclosing the problems for others to mitigate on their own or pressure
their offending vendors to deal with the problems with their products.
Do not get me wrong here: I'm not a proponent of 0day code being released
hither and thither, but I'm also wary of not knowing what my adversaries
might know, and feel that if at least one or more researchers know, as
well as the vendor, there are great chances that others might well know
what I've not had time to find on my own.  I know many here have, as I
myself have, observed changes in disclosure policies of various
researchers and mailing lists over the years.  And I've seen a lot of
information hit those venues of information sharing without the older
tendency to *require* a 0day sploit to prove the point of the information
disclosure.  Granted, there is not total compliance in this; there's a lot
of mistrust and lack of patience and cooperation still permeating the IT
world at large.  After all, the little guys all know the bigger fish are
out to get 'em.  And we certainly could use more Mikaels in this world.

Thanks,


Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
