Vulnerability Development mailing list archives
Announce: Spaning Tree Algorithm and Protocols Familiy weakness & holes.
From: Olli Artemjev <olli () metaltelecom org ru>
Date: Tue, 12 Mar 2002 09:23:12 +0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Announce:
Spaning Tree Algorithm and Protocols Familiy weakness & holes.
by Oleg Artemjev
and Vladislav Myasnyankin
The last text & matherials of the project & this announcement may be
found at http://olli.digger.org.ru/STP/. Currently only a magazine
article & draft "contents" of entire project are avaliable.
Below is a slightly changed & reformatted text dump of an announcement.
- --------------------------------------DUMP------------------------------------
Announce:
Spaning Tree Algorithm and Protocols Familiy weakness & holes
by Oleg Artemjev
and Vladislav Myasnyankin
The Spaning Tree Algorithm and thus - all Spaning Tree Protocols
supported by lage variety of hardware vendors [lots of them provide
Spaning Tree Support on their switches (commutators) & routers]
contain many serious security vulnerabilities.Brief description of these
vulnerabilities was published in Russian magazine "LAN" (LAN, #1 2002,
more info about the magazine could be obtained from
http://www.osp.ru/lan/about/).
According publication conditions we can publish full matherials of our
project two months later after magazine issue. Since the paper is made
in Russian it will first arrive in Russian & only then, later, we'll
translate it into English (do you want to help us,huh?). This
announcement may be incompleet, if some differences are conflicting -
the Russian version is a right source. Also note - after we'll translate
the text to English it'll 1st arrive in a paper magazine. The reason is
simple - we prefer to take some feedback from our research work. If
you're a pubblisher (non US only! [ see LICENSE ]) - fill free to
contact us (then remove "NOSPAM" before sending - it's simple antispam
protection) - we're looking for an English-speaking paper magazine to
publish this information before it'll be avaliable for the Internet. We
already notified some vendors (Cisco, Avaya) about these
vulnerabilities, but an answer was alike: "Unless this gives money we
won't make investments". Well, since we're interested in high level of
security in switches & routes we use, we have to publish our
investigations. Because thus we 'll make some pressure on hardware
vendors to implement real security in their devices.
As a complain against trends to inhibit publications of security
vulnerabilitties in software (these tendencies are widely known to the
public as a DCMA law in U$ & judicial prosecution agains Sklyarov &
Elkomsoft,also there), the announced materials will be published under
following licence:
- ------------------license text---------------------
License agreement.
This paper is an intellectual property of it's authors: Oleg Artemjev
and Vladislav Myasnyankin (hereinafter - writers). This paper may be
freely used for the links, but its content or its part cannot be
translated into foreign languages or included into any paper, book,
magazine, and other electronic or paper issues without prior WRITTEN
permissions of both writers. Moreover, in case of using materials of
this research or refer to it, according given license you must provide
complete information: full title, authorship and this license. You can
freely distribute this paper electronically, if, and only if, all of the
following conditions are met:
1) This license agreement and article are not modified, including its
PGP digital signature. Any reformatting of the text is prohibited.
2) The distribution does not contradict the given license.
Distribution of this paper in the countries with the legislation
containing limitations similar to American DCMA contradicts the given
license. Moreover, reading this paper by citizens of such a country
violates this license agreement and law both. Nevertheless,
distribution of any links to this document is not a violation of the
given license.
This paper is provided by the authors "as is" and any express or implied
warranties, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed. In
no event shall the writers be liable for any direct, indirect,
incidental, special, exemplary, or consequential damages (including, but
not limited to, procurement of substitute goods or services; loss of
use, data, or profits; or business interruption).
Writers claim this article for educational purposes only.
You should not read this paper, if you disagree not to use it any other way.
The given license agreement is subject to change without warning in the consent
of both writers.
- ------------------license text---------------------
At this moment "LAN" magazine has published electronical version of
our article. Links are avaliable from Russian version of this
announce.
- --------------------------------------DUMP------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: mailto: <olli () digger org ru>
iD8DBQE8jXVqx3pSkmh5ZJoRAss5AKCNxk1y6cUDHOtFU4Fjy4E/LGd8oACfUH2z
fN8P65RPGe5rD72zK6wvTkI=
=W+48
-----END PGP SIGNATURE-----
--
Bye.Olli http://olli.digger.org.ru
MISiS Telecommunications ; CTO, Metaltelecom. phone: +7(095)955-0087
PGP fingerprints:
(expire _soon_,2.6.3i,1024) = F2 24 BE B9 FB 38 04 B0 ED 9C CC 42 21 DC 12 2C
(expire 2005-02-09,1.0.6,2048) = 154B 5A59 DF51 6602 F589 2314 C77A 5292 6879 649A
Attachment:
bugtraq-announce.txt.asc
Description:
Current thread:
- Announce: Spaning Tree Algorithm and Protocols Familiy weakness & holes. Olli Artemjev (Mar 12)