Full Disclosure mailing list archives

OpenSSH - is X-Force really behind this?


From: Michal Zalewski <lcamtuf () ghettot org>
Date: Mon, 22 Sep 2003 12:06:03 +0200 (CEST)


Now that the hype is over, I have a question. Would anyone happen to know
what's the origin of the OpenSSH buffer allocation stuff? The reason I'm
asking is a claim made by X-Force at ISS:

http://xforce.iss.net/xforce/alerts/id/144

  "ISS X-Force has discovered a flaw in the OpenSSH server developed by
  the OpenBSD Project."

There are several problems with this claim, though:

  - Neither CERT, CVE, nor any of the vendors (including OpenSSH) ever
    credited them for the discovery. They seem to be happy with it, and
    I don't see their advisory on BUGTRAQ.

  - They also made the following claim in the data they have posted on
    their site the same day it went public:

    "There are unconfirmed rumors that there is an exploit in the
    wild for this vulnerability."

    ...why would there be any exploits in the wild if they have
    indeed discovered the flaw on their own? Though I'm trying
    really hard, I can't read "we discovered a flaw" as "we have
    overheard about a flaw" or "we are aware of a flaw".

I have, of course, tried to contact them, and submitted a question a week
ago. No reply. While I'm not a great fan of corporate bashing, it all
sounds a bit too fishy.

It seems to me this is a lame attempt to mislead current and
prospective customers. The second part also seems to be a nice piece of
FUD, granted that most researchers agree the vulnerability is pretty much
impossible to exploit on anything but some lesser systems (and even then,
only a DoS). I could be wrong, of course, and there might be something wrong
with the rest of the world.

Any thoughts?

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-09-22 11:42 --

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
