[23322] in bugtraq
Re: SafeWord Agent for SSH (secure shell) vulnerability
daemon@ATHENA.MIT.EDU (Leif Nixon)
Thu Nov 29 20:47:59 2001
To: bugtraq@securityfocus.com
From: Leif Nixon <nixon@softlab.ericsson.se>
Date: 29 Nov 2001 12:04:48 +0100
In-Reply-To: <20011129013213.18373.qmail@mail.securityfocus.com>
Message-ID: <cth667trg6n.fsf@freddie.softlab.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Tony Chimienti <tony_chimienti@securecomputing.com> writes:
> Clarification on some misrepresentation in the
> original posting:
>
> 1) The SafeWord Agent for SSH was not an SSH server, it in fact was
> only made up of modified files that were needed for a software build
> process. This build process would then create the necessary binary
> files to allow an SSH server to communicate with a SafeWord
> authentication server. Unfortunately those modified files were based
> on SSH.com's ssh v1.2.27 which is possibly known to cause a
> vulnerability on SSH servers.
I'm not sure what this paragraph means, but the product available for
download consisted of a compressed tar archive, swagent4ssh.tar.Z.
This archive contained documentation, libraries for using the SWEC
authentication API (compiled for Linux, Solaris, AIX and HP-UX), a
complete distribution of the sources for SSH 1.2.27, with
modifications made to two files, configure and auth-passwd.c, and an
installation script that automatically built and installed the SSH
server.
This product *is* an SSH server, in any reasonable interpretation.
Moreover, this SSH server *is* vulnerable to a remote root exploit. Please
refer to CERT Incident Note IN-2001-12:
http://www.cert.org/incident_notes/IN-2001-12.html
[I'm skipping the rest of Secure Computing's posting, since it consists
primarily of word mincing.]
I present this incident as a case study of how *not* to handle
a vulnerability in one's product. Please observe the following points:
- Although this particular vulnerability in SSH 1.2.27 (and others)
was published to Bugtraq on Feb 8, 2001, Secure Computing has
seemingly been unaware of it until now. One would think that a
security software company would keep track of vulnerabilities in any
software they use in their products.
- Upon being notified of the vulnerability, instead of responding with
alacrity, Secure Computing took no discernible action while time
dragged on. Not until the vulnerability in their product was
published on Bugtraq did they stop its distribution.
- It took additional brow-beating in private correspondence before
Secure Computing issued a public advisory, and when it now appears,
it is extremely defensive, downplays the vulnerability, and accuses
the original reporter of misrepresentation of facts.
This is not the way to establish a relation of trust with one's
customers.
--
Leif Nixon Network Security Ericsson SoftLab AB
----------------------------------------------------------
E-mail: nixon@softlab.ericsson.se Phone: +46 13 23 57 61
----------------------------------------------------------
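The first of Nixon's points above (a vendor should track vulnerabilities in every third-party component it ships) is the kind of check that can be automated. The following is an added example, not code from the post or from either company: it inventories a product archive for bundled components and versions, then matches them against a team-maintained list of advisory-affected versions. The archive contents, file names and the shape of the advisory table are constructed for illustration; only the component and version (SSH 1.2.27, CERT IN-2001-12) come from the post.

```python
import io
import re
import tarfile

# Constructed sample bundle: a vendor product that embeds a third-party SSH
# source tree. Names and contents are made up; only "ssh 1.2.27" is from the post.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        files = {
            "swagent4ssh/README": b"SafeWord Agent for SSH (constructed sample)\n",
            "swagent4ssh/ssh-1.2.27/version.h": b'#define SSH_VERSION "1.2.27"\n',
            "swagent4ssh/ssh-1.2.27/auth-passwd.c": b"/* vendor-modified file */\n",
            "swagent4ssh/ssh-1.2.27/configure": b"#!/bin/sh\n",
            "swagent4ssh/lib/libswec.a": b"\x00\x00",
        }
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Two cheap signals that a third-party component is bundled: a "name-x.y.z"
# directory in the archive listing, and a *_VERSION #define inside the sources.
DIR_RE = re.compile(r"(?:^|/)([A-Za-z][A-Za-z0-9_+]*)-(\d+(?:\.\d+)+)(?:/|$)")
DEFINE_RE = re.compile(rb'#define\s+([A-Z0-9_]+?)_VERSION\s+"(\d+(?:\.\d+)+)"')

def find_bundled_components(archive: bytes) -> set:
    """Return a set of (component, version) pairs discovered in the archive."""
    found = set()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            for name, ver in DIR_RE.findall(member.name):
                found.add((name.lower(), ver))
            if member.isfile() and member.name.endswith((".h", ".c")):
                data = tar.extractfile(member).read()
                for name, ver in DEFINE_RE.findall(data):
                    found.add((name.decode().lower(), ver.decode()))
    return found

# Versions that published advisories mark as affected. The entry for ssh 1.2.27
# is taken from the post (CERT IN-2001-12); the table layout is an assumption
# about how a team would keep such a list, and it has to be updated as new
# advisories appear, which is exactly the tracking the post says was missing.
KNOWN_AFFECTED = {
    "ssh": {"1.2.27": "remote root, CERT Incident Note IN-2001-12"},
}

def audit_archive(archive: bytes, advisories=None) -> list:
    """List every bundled component whose version appears in the advisory table."""
    if advisories is None:
        advisories = KNOWN_AFFECTED
    findings = []
    for name, ver in sorted(find_bundled_components(archive)):
        note = advisories.get(name, {}).get(ver)
        if note:
            findings.append(f"{name} {ver}: {note}")
    return findings

if __name__ == "__main__":
    for line in audit_archive(build_sample_archive()):
        print("AFFECTED:", line)
```

Run against a real release archive, this would be wired into the build so that shipping a bundle with an advisory-affected component fails the build rather than reaching customers; the advisory table is the part that needs a named owner.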