[asterisk-dev] Re: Security Through Obscurity

Tilghman Lesher tilghman at mail.jeffandtilghman.com
Sun Mar 4 23:33:40 MST 2007


On Sunday 04 March 2007, Anthony Lamantia wrote:
> >In this case, we took the action to document that it was fixed and told
> >users they should upgrade (and why), because I don't believe this
> >particular issue was reported by an auditing company
>
> it would have been nice to know a problem existed in chan_sip (on the
> website, without having to ask or searching the commits list) and great if
> an advisory was posted to one or all of the popular security mailing lists.

It would have been nice if someone gave users a week to upgrade their
software prior to releasing the exploit code, instead of releasing the exploit
over the weekend, after the new release had only been posted Friday afternoon.
There's a reason why there is an established protocol for exploitable bugs:
to keep customers from being in danger from script kiddies.

> >If you want someone to post an analysis
> >of what the problem was and show you how to exploit it, contact them
> >(they seem to be interested in getting paid for fixing people's systems
> >anyway <G>).
>
> when I was scanning seclists.org earlier this morning I saw that there was
> an exploit tool for this vulnerability published and available .. and I
> don't think anyone here is making money off the security problems in the
> code.. if anything the inverse is true losing money in lost customers who
> can be affected by this sort of problem.

A responsible person would have informed the vendor (in this case, Digium) via
private email, permitted a fix to be generated in a reasonable amount of time
(in this case, the fix was generated the same day as the report), and then
permitted customers several business days to accomplish an upgrade prior to
releasing news of the problem, let alone exploit code for the problem.

When I first heard of this fix, I assumed that protocol had been followed,
which, in fact, it had not.  It is extremely irresponsible of the individuals
behind this not to follow established protocol for new security issues.

The ONLY reason to release exploit code prior to vendor fix is to demonstrate
the vulnerability when the vendor is nonresponsive.  That was not true in this
case, as the fix was generated the same day as the vulnerability was made
known to Digium.  Even a fix made the same week would have been acceptable
in terms of response time.  In fact, established protocol allows 4-6 weeks for
vendor repair before even starting to consider the vendor nonresponsive.

Resources:
http://cve.mitre.org/board/archives/2000-09/msg00035.html
http://www.oisafety.org/guidelines/secresp.html
http://www.cert.org/vuls/

-- 
Tilghman

