Re: Loopback and multi-homed routing flaw in TCP/IP stack.

[Adam Laurie <adam () ALGROUP CO UK>]

> In some mail from Woody, sie said:
> > Subject: Loopback and multi-homed routing flaw in TCP/IP stack.
> > Author: Woody <woody () thebunker net>
> >
> > We believe there to be a serious security flaw in the TCP/IP stack of
> > several Unix-like operating systems. Whilst being "known" behavior on
> > technical mailing lists, we feel that the implications of this
> > "feature" are unexpected. Furthermore, not all platforms behave in the
> > same way, which will obviously lead to invalid expectations.
> >
> > PLEASE NOTE: We have received a lot of replies to this advisory from
> >         developers who have missed the point. Before you reply, please
> >         read the advisory at least twice, to ensure you understand its
> >         implications, and scope.
>
> No, I think you should have listened to people before you posted this.
> You clearly didn't, on a number of different fronts, including that for
> Solaris.  Really, if you're going to post a security advisory and want
> to comment about Solaris you should at least go to the trouble of getting
> the Solaris8 source code, for a recent reference.

We have no interest in reviewing commercial operating systems. Specific
solaris versions were tested in a very basic fashion to see if they were
vulnerable out of box, as a checkpoint. The advisory specifically stated
that further investigation was advised. If you or anyone else wish to do
that investigation, or have already done so, and report your findings,
that can only be of benefit of the community.

> The localhost issue where remote hosts can connect to localhost addresses
> on other boxes is an issue, yes, but the other...no.
>
> Much has been said about the strong vs weak ES model here so I'll not
> debate that any further.  Suffice to say that it wasn't as unknown as
> you wanted to claim and people were happy with it.  As you've been made
> aware, it's been known as a bug in NetBSD since 1995.

We already knew it was known - that's why the opening paragraph says so.
However, things have moved on considerably since 1995 and there are now
thousands of new players in the unix hosting game, not all of whom have
the expert knowledge you have. Issues like this need to be revisited
from time to time, and prioritised in the light of the prevailing levels
of competence. We all know that experts can secure their systems in all
kinds of elegant and interesting ways, but the average unix administator
is now far from expert, and getting less so every day. We can either
leave them to the sharks/kiddies, or try and help them. We happen to
want to try and help them.

> The other part of your advisory is the argument that IP addresses on
> an interface should not be reachable, by default, through others because
> people bind things to particular interfaces for security reasons and
> that people would be surprised to find out it's not like that.  Well,
> any admin who's setup something like that and gone on to not test his
> configuration is being careless.  The expectation of implied filtering
> of packets is an illusion created by that person for themselves.  I've
> not read anywhere that the behaviour is documented to be such.  Your
> claim that this is wrong is just your opinion and typically security
> advisories are based on factual security flaws, not opinions.  The
> security problem here is in people not testing "security" they think
> they have put in place.

Actually it appears to be the opinion of the majority of the security
conscious community, which is why the problem is being addressed, and
since that's what matters I'm happy to let it rest here.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam () algroup co uk
UNITED KINGDOM                PGP key on keyservers