From: coley at linus.mitre.org (Steven M. Christey)
Subject: R7-0009: Vulnerabilities in SSH2 .Implementations

Suite testing like Rapid7 has just released is basically a new
paradigm, and very few people seem to be doing it despite its
unprecedented power.  Since the scale of it is much larger than
"normal" testing, it will take a while to iron out the kinks :)

Even the PROTOS reports (SNMP or LDAP) do not explicitly say which
vendor was vulnerable to which individual test case.  Many vendors
don't say (or even know) which bug was fixed and where (because, for
example, the security response teams may only have what the developers
have told them).  In addition, you can have lots of interactions going
on between the test cases; as a simple example, NULL dereferences may
show up as the result of a long input, which could cause someone to
interpret the data as a buffer overflow because a crash happened.  See
my report on FTP client directory traversal for another example of
unusual interactions, in which test cases sometimes had to be
separated.

>You list his implementation as vulnerable in an advisory that talks
>about those types of vulnerabilities, and later you quote the vendor
>saying it is not an issue, with no commentary whatsoever. He is
>confused. It takes time to find out.

I suspect that very few information consumers actually examine and
understand the details at this level.  Otherwise we would see
questions/comments like this a lot more frequently.  This lack of
clarity seems to happen a lot when advisories describe multiple
vulnerabilities.  A "matrix" of bugs-versus-versions might help, but
as I said, this type of detail is not always available.

- Steve

Powered by blists - more mailing lists