Tony Chimienti <tony_chimienti@securecomputing.com> writes:

> Clarification on some misrepresentation in the
> original posting:
>
> 1) The SafeWord Agent for SSH was not an SSH server, it in fact was
> only made up of modified files that were needed for a software build
> process. This build process would then create the necessary binary
> files to allow a SSH server to communicate with a SafeWord
> authentication server. Unfortunately those modified files were based
> on SSH.com's ssh v1.2.27 which is possibly known to cause a
> vulnerability on SSH servers.

I'm not sure what this paragraph means, but the product available for download consisted of a compressed tar archive, swagent4ssh.tar.Z. This archive contained documentation, libraries for using the SWEC authentication API (compiled for Linux, Solaris, AIX and HP-UX), a complete distribution of the sources for SSH 1.2.27, with modifications made to two files, configure and auth-passwd.c, and an installation script that automatically built and installed the SSH server.

This product *is* an SSH server, in any reasonable interpretation.

Moreover, this SSH server *is* vulnerable to a remote root exploit. Please refer to CERT Incident Note IN-2001-12:

http://www.cert.org/incident_notes/IN-2001-12.html

[I'm skipping the rest of Secure Computing's posting, since it consists primarily of word mincing.]

I present this incident as a case study of how *not* to handle a vulnerability in one's product. Please observe the following points:

- Although this particular vulnerability in SSH 1.2.27 (and others) was published to Bugtraq on Feb 8, 2001, Secure Computing has seemingly been unaware of it until now. One would think that a security software company would keep track of vulnerabilities in any software they use in their products.

- Upon being notified of the vulnerability, instead of responding with alacrity, Secure Computing took no discernible action while time dragged on. Not until the vulnerability in their product was published on Bugtraq did they stop its distribution.

- It took additional brow-beating in private correspondence before Secure Computing issued a public advisory, and when it now appears, it is extremely defensive, downplays the vulnerability, and accuses the original reporter of misrepresentation of facts.

This is not the way to establish a relation of trust with one's customers.

--
Leif Nixon
Network Security
Ericsson SoftLab AB
----------------------------------------------------------
E-mail: nixon@softlab.ericsson.se
Phone: +46 13 23 57 61
----------------------------------------------------------