Message-ID: <200212162214.RAA27831@linus.mitre.org>
From: coley at linus.mitre.org (Steven M. Christey)
Subject: R7-0009: Vulnerabilities in SSH2 Implementations

Suite testing like Rapid7 has just released is basically a new
paradigm, and very few people seem to be doing it despite its
unprecedented power.  Since the scale of it is much larger than
"normal" testing, it will take a while to iron out the kinks :)

Even the PROTOS reports (SNMP or LDAP) do not explicitly say which
vendor was vulnerable to which individual test case.  Many vendors
don't say (or even know) which bug was fixed and where (because, for
example, the security response teams may only have what the developers
have told them).  In addition, you can have lots of interactions going
on between the test cases; as a simple example, NULL dereferences may
show up as the result of a long input, which could cause someone to
interpret the data as a buffer overflow because a crash happened.  See
my report on FTP client directory traversal for another example of
unusual interactions, in which test cases sometimes had to be
separated.

>You list his implementation as vulnerable in an advisory that talks
>about those types of vulnerabilities, and later you quote the vendor
>saying it is not an issue, with no commentary whatsoever. He is
>confused. It takes time to find out.

I suspect that very few information consumers actually examine and
understand the details at this level.  Otherwise we would see
questions/comments like this a lot more frequently.  This lack of
clarity seems to happen a lot when advisories describe multiple
vulnerabilities.  A "matrix" of bugs-versus-versions might help, but
as I said, this type of detail is not always available.

- Steve
