Bugtraq mailing list archives

Re: SafeWord Agent for SSH (secure shell) vulnerability


From: Leif Nixon <nixon () softlab ericsson se>
Date: 29 Nov 2001 12:04:48 +0100

Tony Chimienti <tony_chimienti () securecomputing com> writes:

> Clarification on some misrepresentation in the
> original posting:
>
> 1) The SafeWord Agent for SSH was not an SSH server, it in fact was
> only made up of modified files that were needed for a software build
> process. This build process would then create the necessary binary
> files to allow an SSH server to communicate with a SafeWord
> authentication server. Unfortunately those modified files were based
> on SSH.com's ssh v1.2.27 which is possibly known to cause a
> vulnerability on SSH servers.

I'm not sure what this paragraph means, but the product available for
download consisted of a compressed tar archive, swagent4ssh.tar.Z.
This archive contained documentation, libraries for using the SWEC
authentication API (compiled for Linux, Solaris, AIX and HP-UX), a
complete distribution of the sources for SSH 1.2.27, with
modifications made to two files, configure and auth-passwd.c, and an
installation script that automatically built and installed the SSH
server.

This product *is* an SSH server, in any reasonable interpretation.

Moreover, this SSH server *is* vulnerable to a remote root exploit. Please
refer to CERT Incident Note IN-2001-12:

  http://www.cert.org/incident_notes/IN-2001-12.html


[I'm skipping the rest of Secure Computing's posting, since it consists
primarily of word mincing.]


I present this incident as a case study of how *not* to handle
a vulnerability in one's product. Please observe the following points:

- Although this particular vulnerability in SSH 1.2.27 (and others)
  was published to Bugtraq on Feb 8, 2001, Secure Computing has
  seemingly been unaware of it until now. One would think that a
  security software company would keep track of vulnerabilities in any
  software they use in their products.

- Upon being notified of the vulnerability, instead of responding with
  alacrity, Secure Computing took no discernible action while time
  dragged on. Not until the vulnerability in their product was
  published on Bugtraq did they stop its distribution.

- It took additional brow-beating in private correspondence before
  Secure Computing issued a public advisory, and when it now appears,
  it is extremely defensive, downplays the vulnerability, and accuses
  the original reporter of misrepresentation of facts.

This is not the way to establish a relation of trust with one's
customers.
  
-- 
Leif Nixon      Network Security       Ericsson SoftLab AB
----------------------------------------------------------
E-mail: nixon () softlab ericsson se   Phone: +46 13 23 57 61
----------------------------------------------------------

