CyberGuard and their desired retraction (was Re:MSIE src&name property disclosure)

[security curmudgeon <jericho () attrition org>]

On the topic of CyberGuard, here is some additional information regarding
their desire for retractions and deletions. There is no additional
vulnerability information but this may be of interest on the responsible
disclosure front. There is also some information as to *why* CyberGuard
has a strong desire to have the information retracted:

: >> Don't know; Internet law is still very unclear in so many areas.
:  I found a shitty security issue in CyberGuard Firewall/Proxy some time
: ago; they were pretty upset about it.  Went to the top as far as I
: understand it, to Paul Henry.
:  In any case, they asked me to issue a retraction statement saying the
: security issue was false.  I _did_ get the feeling the lawyers would
: come out of the woodwork but I ignored them and they finally went away.
: I'd say it was a pretty close shave.

CyberGuard later contacted Secunia, SecurityTracker, OSVDB, SecurityFocus
(BID) and likely ISS. Several of the vulnerability databases talked with
each other about this. Carsten Eiram and Thomas Kristensen of Secunia
performed some followup dialogue and eventually got CyberGuard to ack that
it was "an issue". CyberGuard claimed that while it was an issue, it had
no impact and therefore should not be in their database.

: CyberGuard firewalls have zero vulnerabilities. Security Tracker agrees
: to remove erroneous 'vulnerability' message posting.

Stuart Moore of Security Tracker also had an email thread with CyberGuard
over all of this, but it didn't play out quite like they claim. From
correspondance between Stuart and myself:

  After consideration (but with no testing of our own, as we don't have
  access to the product), we concluded that there was no significant
  security impact from the ability to execute scripting code in the
  context of the proxy. [..] So, we modified our alert to say that we
  would delete the alert on the basis that it was not a genuine
  *cross-site* scripting issue.

  Regrettably, Cyberguard then issued a press release saying
  "SecurityTracker agrees that there is no vulnerability" or something
  similar.

When Derek Cheung of CyberGuard contacted OSVDB, he was initially very
firm and the tone of the mail was a bit hostile. After talking with other
VDBs and looking at all of the original information, OSVDB determined we
would not delete the entry (OSVDB 3132), nor flag it as a myth/fake entry.
We did add a technical note that clarified the extent of the
vulnerability, and how it was not a standard XSS attack.

Also of note, CyberGuard's response to the original issue:
http://www.osvdb.org/ref/03/03132-vendor-response.pdf

: CyberGuard make decent firewalls; the manner in which they manage their
: response to security vulnerbilities is poor.

Months after the whole saga of this vulnerability, Jake Kouns of OSVDB
discovered why it was such an issue to them most likely.

http://www.cyberguard.com/resources/ads/CyberGuard_uk_zero_vulnerabilities.pdf
http://www.cyberguard.com/news_room/recent_ads.cfm

Also on page 59 of Information Security Magazine (08/04 issue i think)
contained an advertisement for CyberGuard. The heading was "How do you
measure ROI?", halfway down it says "Discover the power of zero
vulnerability security" and lists several firewall vendors in a chart,
along with how many vulnerability entries could be found in BID, X-Force,
CVE, CERT and CIAC. For CyberGuard, predictably, it listed '0'.

So having a CyberGuard vulnerability in the databases made this
advertisement untrue. I can understand they would want 0 listed, every
security vendor would want that. However, their agressivement pursuit of
removing it from all of the databases backfired a bit. As it stands, there
are entries all over:

BID 9245 - deleted
CVE - none
ISS 14034 - CyberGuard invalid domain cross-site scripting
Secunia 10472 - CyberGuard Error Page Cross-Site Scripting Vulnerability
SecurityTracker 1008526 - CyberGuard Firewall Proxy Error Page Input ..
OSVDB 3132 - CyberGuard Firewall/Proxy Error Page Input Validation Weakness

Also amusing, this prompted me to do a 10 minute search through past
security mail list archives and I found material that will likely lead to
several other CyberGuard vulnerability entries, shattering the '0
Vulnerability' record a bit more.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html