[Full-disclosure] Re: [SEC-1 LTD] RSA SecurID Web Agent Heap Overflow

From: Vin McLellan (vin_at_theworld.com)
Date: 05/07/05

    Date: Sat, 07 May 2005 03:23:12 -0400
    To: full-disclosure@lists.grok.org.uk, Bugtraq@securityfocus.com
    
    

    Kevin quoted GaryO's vulnerability report and asked the obvious question: Huh?

    > > 29-02-2004 - Directly contacted RSA via all public addresses,
    > > worked with another security consultancy in attempt to contact
    > > RSA product security team.
    > > 04-2005 - RSA contacted via telephone

    Jumped off the page for me too. There was clearly a screw up somewhere if
    Gary couldn't get through to RSA, in the UK or the US. I suspect a couple
    of RSA senior managers are already climbing down through the ranks with
    blow-torches to make sure that nothing like this can happen again.

    I'm a consultant to RSA and I'll try to report back to the list on what
    changes are made.

    I would be very surprised if this incident does not quickly lead RSA to
    revamp whatever procedures it has for handling such a report -- at the very
    least, publicly designate a clear point of contact for external reports
    of security vulnerabilities in RSA products. I expect a new policy along
    the lines recently recommended by the Organization for Internet Safety.
    (See: <www.oisafety.com>.)

    [OIS, as regulars on this list probably know, is a consortium of
    vendors -- MS, Oracle, ISS, and Symantec (publisher of Bugtraq), among
    others -- and a few of the aggressive security consultancies (@stake,
    Foundstone, etc.) that regularly develop reports of security
    vulnerabilities. OIS came out with a very useful consensus.]

    >On the SEC-1 web site, they are listed as a "RSA SecurWorld Select
    >Partner", an honor they've held since at least 2002. Is RSA so
    >unresponsive to security flaw reports that they do not respond even to
    >their "select partners"?

    RSA distributors and resellers have their own priority channels by which
    they are able to report to RSA on problems with a product. I don't know
    what happened here, but I suspect Mr. O'leary-Steele chose not to use them,
    for his own reasons. That should not have made a material difference, of
    course. Even anonymous emails about security issues are routed to RSA Tech
    Support staff for review.

    With its roots in the crypto culture -- where open critical review is a
    valued part of the process by which a technology is vetted and tested -- I
    think RSA has always been pretty responsive to external critiques if RSA
    judged them substantive. YMMV.

    I expect there will be a quick internal review and then RSA will do what it must
    to make sure that this sort of "disconnect" can't happen again. I'm only a
    consultant to RSA, but it is clear to me that the sort of time-lag reported
    here is unacceptable. RSA is full of people, top to bottom, who would
    immediately acknowledge that.

    I think, frankly, that RSA just outgrew an informal assumption that all or
    most product issues would be reported up through customer tech support,
    sales, or partner channels. Someone at RSA should have recognized,
    earlier, that this is now a silly assumption and done something about it.
    After this incident, I expect someone -- very quickly -- now will.

    >I just now noticed Gary Oleary-Steele's Full-Disclosure+Bugtraq posts
    >of 18-Mar-2005 looking for a RSA security contact. I wish I would
    >have noticed them at the time, but I filter both lists so I only see
    >messages containing certain keywords (such as "SecurID"), and thus I
    >missed reading that post.

    I'm embarrassed to admit that I somehow missed them too. Sorry, Gary. Mea
    Culpa. Thank you for your persistence.

    Suerte,
                _Vin

    Vin McLellan + The Privacy Guild + <vin@theworld.com>
    22 Beacon St., Chelsea, MA 02150

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
