lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: OpenSSH - is X-Force really behind this?

Now that the hype is over, I have a question. Would anyone happen to know
what's the origin of the OpenSSH buffer allocation stuff? The reason I'm
asking is a claim made by X-Force at ISS:

http://xforce.iss.net/xforce/alerts/id/144

  "ISS X-Force has discovered a flaw in the OpenSSH server developed by
  the OpenBSD Project."

There are several problems with this claim, though:

  - Neither CERT, CVE, nor any of the vendors (including OpenSSH) ever
    credited them for the discovery. They seem to be happy with it, and
    I don't see their advisory on BUGTRAQ.

  - They also made the following claim in the data they have posted on
    their site the same day it went public:

    "There are unconfirmed rumors that there is an exploit in the
    wild for this vulnerability."

    ...why would there be any exploits in the wild if they have
    indeed discovered the flaw on their own? Though I'm trying
    really hard, I can't read "we discovered a flaw" as "we have
    overheard about a flaw" or "we are aware of a flaw".

I have, of course, tried to contact them, and submitted a question a week
ago. No reply. While I'm not a great fan of corporate bashing, it all
sounds a bit too fishy.

It seems to me this is a lame attempt to mislead current and
prospective customers. The second part also seems to be a nice piece of
FUD, granted most researchers agree the vulnerability is pretty much
impossible to exploit on anything but some lesser systems (and even then,
only a DoS). I can be wrong, of course, and there might be something wrong
with the rest of the world.

Any thoughts?

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-09-22 11:42 --

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ