Message-ID: <004901c3aecc$23934000$205ce680@bitchin>
From: mfratto at nwc.com (Mike Fratto)
Subject: Sidewinder G2 Thanks and a question or two

> >Basically, version 4.1 failed to actually do HTTP syntax checking, making
> >the HTTP proxy a generic proxy in function. So all the HTTP protocol
> >violation style attacks weren't blocked at all. Proved it using tools off
> >packetstorm. Told SCC about it and proved it to them as well. Then they
> >verified the problem and issued a patch some months later.
> >
>
> This was VERY disturbing. Kind of makes Secure's claim look
> pretty stupid. Tried it on any other boxes? Apparently
> secure computing expected the web proxy to be in full use.
> Fortunately, we are a small enough operation to do exactly that.

I have tested this on subsequent versions and the problem has not resurfaced. It was a bug that was corrected. I have also tested the HTTP, FTP, SMTP, DNS, SQL*Net proxies for protocol violations, overly long headers (configurable in the proxy settings to some extent), properly handling dynamic protocols like ftp and SQL*Net and everything worked as advertised. There are, of course, limitations in the proxies and they won't stop all attacks, but I am pretty confident that it will block attacks passing through the firewall that violate the protocol.

>They seem very confident about
> the integrity of their jails and told me I had nothing to
> worry about even if a hacker broke into a root shell in one
> of them. I am not convinced that this would be, to quote the
> late great Douglas Adams, "mostly harmless".

If you want to get a look at type-enforcement, grab a copy of SE linux http://www.nsa.gov/selinux/. Secure computing secos is the foundation of it.
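
The kind of check the thread is about, as an added example that is not part of the original message and not Sidewinder's code: an HTTP proxy that validates the request head refuses what a generic proxy would relay unchanged. The function name, the limits, the method allow-list and the sample inputs are assumptions made for illustration.

```python
import re

# Assumed limits; the message only says header length is configurable.
MAX_LINE, MAX_FIELDS = 8192, 100
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
FIELD_NAME = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def check_request_head(raw, max_line=MAX_LINE):
    """Validate the request head (through the blank line); return (ok, reason)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no CRLF CRLF terminator"
    lines = head.split(b"\r\n")
    if any(c in line for line in lines for c in (b"\r", b"\n", b"\x00")):
        return False, "bare CR, LF or NUL"
    if any(len(line) > max_line for line in lines):
        return False, "line exceeds configured limit"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    if m.group(1) not in METHODS:
        return False, "method not allowed"
    fields = lines[1:]
    if len(fields) > MAX_FIELDS:
        return False, "too many header fields"
    names = []
    for field in fields:
        name, colon, _value = field.partition(b":")
        if not colon or not FIELD_NAME.match(name):
            return False, "malformed header field"
        names.append(name.lower())
    if m.group(3, 4) == (b"1", b"1") and names.count(b"host") != 1:
        return False, "HTTP/1.1 needs exactly one Host field"
    return True, "ok"

# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "valid": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "not_http": b"SSH-2.0-client\r\n\r\n",
    "long_header": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Pad: " + b"A" * 9000 + b"\r\n\r\n",
    "bare_lf": b"GET / HTTP/1.1\r\nHost: example.test\nX-A: b\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_request_head(raw))
```

A proxy that skips these checks forwards the last three samples as-is, which is the "generic proxy in function" behaviour reported for version 4.1.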