Wednesday, March 14, 2007

OpenBSD Remote Code Execution Vuln

This advisory from Core Security came across my irssi window earlier today. Looks like a difficult, but possible, remotely exploitable vulnerability in the OpenBSD default installation.

I encourage you to read the timeline, as it warmed my heart in a somewhat perverse way. Interesting to note that OpenBSD does not consider remote DoS attacks as vulnerabilities. From the advisory timeline:

"OpenBSD no longer uses the term "vulnerability" when referring to bugs that lead to a remote denial of service attack"

A quick glance at the OpenBSD site didn't find that documented anywhere, but I do find it somewhat surprising. What if I could send a malformed packet to any OpenBSD box and instantly trigger a kernel panic? That wouldn't be a vulnerability?


Exospaca said...

That would be a denial of service, which is not a vulnerability but a reliability issue.

matt said...

If someone slashes all of the tires on your car, preventing you from being able to drive it, would you say, "Gee, these tires have poor reliability" or would you file a police report?

A denial of service attack denies the intended users of a resource the ability to use that resource. If a flaw exists in a piece of code that facilitates such an attack, it is vulnerable. How can that flawed code not be considered a vulnerability?

David said...

The flaw here is that the community has somewhat arbitrary semantics. I tend to take the dictionary definition of a vulnerability to be something that can affect the standard CIA triad. A DoS definitely creates an availability issue, and for me, that's a vulnerability that affects your service.