Full Disclosure mailing list archives
Re: R7-0009: Vulnerabilities in SSH2 Implementations
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 16 Dec 2002 17:14:03 -0500 (EST)
Suite testing like Rapid7 has just released is basically a new paradigm, and very few people seem to be doing it despite its unprecedented power. Since the scale of it is much larger than "normal" testing, it will take a while to iron out the kinks :) Even the PROTOS reports (SNMP or LDAP) do not explicitly say which vendor was vulnerable to which individual test case. Many vendors don't say (or even know) which bug was fixed and where (because, for example, the security response teams may only have what the developers have told them). In addition, you can have lots of interactions going on between the test cases; as a simple example, NULL dereferences may show up as the result of a long input, which could cause someone to interpret the data as a buffer overflow because a crash happened. See my report on FTP client directory traversal for another example of unusual interactions, in which test cases sometimes had to be separated.
You list his implementation as vulnerable in an advisory that talks about those types of vulnerabilities, and later you quote the vendor saying it is not an issue, with no commentary whatsoever. He is confused. It takes time to find out.
I suspect that very few information consumers actually examine and understand the details at this level. Otherwise we would see questions/comments like this a lot more frequently. This lack of clarity seems to happen a lot when advisories describe multiple vulnerabilities. A "matrix" of bugs-versus-versions might help, but as I said, this type of detail is not always available.

- Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html