lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: stevenr at mastek.com (stevenr@...tek.com)
Subject: Vendor casual towards vulnerability found in 
    product

Hi Harlan

Thanks for the reply, it was an interesting read. 

>> Perhaps.  What is the real risk of destroying
>> configuration files, if backups are being made?
They restore from backup, someone erases them again, they restore, someone erases again, they restore...

>>  Also, think carefully about this situation.  Are you
>>  angry (you did type "grrrr" at one point) b/c the
>>  vendor isn't responding in the manner that *you* think
>>  they should?
I would like to say that yes, I am none too happy with the way the vendor has reacted to this. And I shall explain why. I am responsible for few of the production sites exposed and vulnerable to this flaw since they run this product. And there is nothing I can do to fix them since the flaw is core to the product. If this is known to anyone outside of the vendors team, my servers are roadkill. And this thought doesnt really give me a warm feeling inside.

Having said this I am not gonna go stark raving mad or do anything irresponsible. I have already notified the admins of the public sites I came across (I just googled and found these, there may be many more) and have mailed them other possible loopholes which I have already closed on my boxes, but not the current one, since I dont know how to close it myself. Some of the admins didnt have the tech knowhow so I sent them the fixes. As Gadi, Chris and morning_wood have mentioned, I have given prior information to the vendor and have even asked permission for this to be published, which was granted (to my surprise) I had even gone to the extent of asking for a security expert on the vendors side to be involved in the mails, since I realised that the chap I talked to (an expert in that component) didnt know too much about security ("Whats this Bugtraq and Full Disclosure that you keep mentioning ??" was his reply). well no one from security was made available. I gave up after that.

>>  Uhm..."mailto:full-disclosure@...ts.netsys.com"??? 
>>  (did I miss something obvious in your question?)
I just wanted to know if there is a procedure to this, Got the answer from the other folks. thanks guys...

>>  You don't want to come across as someone who's upset
>>  b/c you found your first vulnerability and you don't
>>  think the vendor is taking it as seriously as you
>>  think they should.
Lets put it this way...I am upset *because* I found a vulnerability :):)


Thanks all for your comments, I think I know what to do now.

Regards
Steven Rebello



-----Original Message-----
From: Harlan Carvey [mailto:keydet89@...oo.com]
Sent: Wednesday, May 26, 2004 7:33 PM
To: full-disclosure@...ts.netsys.com
Cc: Steven Rebello
Subject: Re: [Full-Disclosure] Vendor casual towards vulnerability found
in product


Steven,

One bit of advice...to quote Morpheus, "welcome to the
desert of the real."
 
> 1. Would an exploit like this be said to be severe? 

Perhaps.  What is the real risk of destroying
configuration files, if backups are being made?
 
> 2. Is the vendor right in their approach to this
> issue?

They seem to think so.  

> 3. How do I make public the vulnerability? (Vendor
> has given permission for the same) 

Uhm..."mailto:full-disclosure@...ts.netsys.com"??? 
(did I miss something obvious in your question?)

> 4. Ok, I'll rather ask... *should* I make public
> details of this
> vulnerability? (Since I know of sites using this app
> server, and they may be
> taken down if the exploit goes out)

Well, since you know of the sites, maybe you could
start by going to those folks and explaining the issue
to them...what happens, what's the effect, and how to
protect against.  If the vendor isn't dealing w/ it in
(in your opinion) a timely manner, or isn't dealing w/
it in the way you think they should, then releasing it
to the public (since, as you say, they've given their
permission) might be a way to go.  Or maybe first
releasing it to the folks using the product, and
telling them that on such-and-such a date you're going
to release it to the general public...that might be
another option.

One trap you have to avoid falling into is coming
across sounding like a nut.  If you decide to publish
this vulnerability to the general public, understand
that putting things like "shout outs to my peeps" and
"f*ck you's" in the posting will very likely reduce
your overall credibility.

Also, think carefully about this situation.  Are you
angry (you did type "grrrr" at one point) b/c the
vendor isn't responding in the manner that *you* think
they should?  After all, according to your own post,
they've been aware of the vulnerability for a while,
and haven't dealt with it to your
satisfaction...which, unless you've been under a rock
for the past 5 yrs, is nothing new.  Maybe the vendor
knows about it, but hasn't taken what *you* would
consider to be adequate action b/c they haven't
received any (or that many) reports from customers
about this situation.  When you're dealing w/ a
company like the one you're talking about, what they
focus on at any given time is driven by economics.

You don't want to come across as someone who's upset
b/c you found your first vulnerability and you don't
think the vendor is taking it as seriously as you
think they should.  



MASTEK
"Making a valuable difference"
Mastek in NASSCOM's 'India Top 20' Software Service Exporters List.
In the US, we're called MAJESCO

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opinions expressed in this e-mail are those of the individual and not that of Mastek Limited, unless specifically indicated to that effect. Mastek Limited does not accept any responsibility or liability for it. This e-mail and attachments (if any) transmitted with it are confidential and/or privileged and solely for the use of the intended person or entity to which it is addressed. Any review, re-transmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. This e-mail and its attachments have been scanned for the presence of computer viruses. It is the responsibility of the recipient to run the virus check on e-mails and attachments before opening them. If you have received this e-mail in error, kindly delete this e-mail from all computers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ