
Security vulnerabilities and a vendor offer


MrTuxracer

Newbie

Posts: 47

Joined: Fri Dec 30, 2011 4:25 am

Location: Germany

Post Sun Jul 22, 2012 7:04 am

Security vulnerabilities and a vendor offer

Hello community,

I'm currently in the following situation and need some advice on it:

I've found several security vulnerabilities in the whole product line of a modem/router vendor. I've reported the vulnerabilities confidentially to the vendor. We got in contact, and they are currently working on updates for their products to be published - some updates are already out. In general I wait for the updates to be publicly available before publishing any information on the issues (responsible disclosure).

A few weeks ago the vendor called me and appreciated the way I dealt with the issues. Then they asked if I would agree to not publishing any information on these issues. Their problem: most of their customers are not very technically experienced, and since there isn't an automatic update process, most of them just won't update to fix the security issues.
In return they would pay me an amount of money for my effort or sponsor a training like the OSCP.

What to do? Take the money and shut up? Give this story to the press?

Thanks for your ideas!  :)
eCPPT, HP ASE (Networking), LPIC-1, OSCP, WCSP
http://www.rcesecurity.com

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sun Jul 22, 2012 9:15 am

Re: Security vulnerabilities and a vendor offer

Interesting position to find yourself in, and in some ways I feel for the vendor's position as well.

It's not unusual for security professionals to enter into an NDA when dealing with a client, and in some cases the vendor can't be 'totally' responsible if users don't update their own systems (but imo it should provide a default auto-update facility for a device which is essentially set and forget for most).

Ultimately, I'd say the decision is yours alone, with no real right or wrong answer. Training is expensive, and security practitioners deserve to be paid for their skills and effort. On the other hand, it is likely (no offense intended) that other parties are either already aware of the weakness or will be in the future. However, I'd also suggest that users who don't apply vendor-supplied updates probably aren't reading through the infosec community looking for vulnerabilities in their network either.

If I was in your shoes? You've found a flaw, the vendor has resolved the issue. Hard work is done, time to get paid.

(and if this wasn't the ethical hacker network, I'd point out that coincidences happen, and it's not impossible for an unrelated third party to reverse a patch, identify the flaw fixed and release......)

jjwinter

Jr. Member

Posts: 80

Joined: Mon Mar 05, 2012 10:33 pm

Post Sun Jul 22, 2012 9:41 am

Re: Security vulnerabilities and a vendor offer

I'd take their offer. It's not your product, and they are responsible for whatever happens.

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Sun Jul 22, 2012 4:12 pm

Re: Security vulnerabilities and a vendor offer

They are working under the (probably misguided) assumption that you are the only person that knows about the vulnerability. The problem with their approach is that while a fix might be available, they are withholding important information from their clients about why they should patch!
--
Ziggy
eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sun Jul 22, 2012 6:12 pm

Re: Security vulnerabilities and a vendor offer

Take the offer; get paid for your time.
BS in IT, CISSP, MS in IS Management (in progress)

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Mon Jul 23, 2012 2:58 am

Re: Security vulnerabilities and a vendor offer

ziggy_567 wrote: The problem with their approach is that while a fix might be available, they are withholding important information from their clients about why they should patch!

Without more info, I'll come to the vendor's defence on this one. Just because a PoC and detailed analysis isn't released doesn't mean end users (who probably wouldn't understand a PoC anyway) can't be provided with information sufficient to tell them why a patch is required.

Microsoft (et al.) security bulletins will detail the scope of the effective issue, but rarely provide enough technical information to allow a third party to replicate the issue with further debugging, analysis and reversing.

Do you wait or research every update to your own systems before applying? Or accept that the vendor is (supposedly) fixing an identified issue?

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Mon Jul 23, 2012 9:59 am

Re: Security vulnerabilities and a vendor offer

Do you wait or research every update to your own systems before applying? Or accept that the vendor is (supposedly) fixing an identified issue?

No. I don't wait for the research to patch issues. But, when research is already done, I don't see a valid reason for suppressing it. Generally speaking, a lot of times it turns out worse for the vendor than to just be upfront with the PoC/research.

If there's enough market saturation of their product, the bad guys will be motivated to produce their own exploit. And by releasing a patch, they pretty much have what they need to do so. Taking the company's logic one step forward, if the company feels that their user base isn't technically proficient enough to patch (as the original poster stated) AND the patch might provide enough detail for an attacker to develop their own exploit, should they have even released the patch?

I don't know that this company is doing anything untoward, but by the way it's been presented so far, it sounds a lot like "hush" money.
--
Ziggy
eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Mon Jul 23, 2012 2:03 pm

Re: Security vulnerabilities and a vendor offer

by the way it's been presented so far, it sounds a lot like "hush" money.

For years, security researchers have essentially worked for free by researching security issues and reporting them to vendors. Many vendors now pay for vulnerabilities. If they pay, they can dictate the terms of disclosure.

Third parties are also purchasing vulnerabilities and demanding an NDA. Some just wish to report the vulnerability through their service, possibly after their product (IDS/IPS) can detect it. Others (e.g. government agencies) purchase exploits against major products so they can use them offensively.

If the vendor will pay you for your time, take the money. How they decide to report is up to them.
BS in IT, CISSP, MS in IS Management (in progress)

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue Jul 24, 2012 11:39 am

Re: Security vulnerabilities and a vendor offer

I'll side with accepting the payment. Hell, maybe offer to let them put you on retainer. But yes, time is money and I see nothing wrong with accepting it, but I would also ensure you are still allowed to continue testing.
Certs: GCWN
(@)Dewser

MrTuxracer

Newbie

Posts: 47

Joined: Fri Dec 30, 2011 4:25 am

Location: Germany

Post Fri Jul 27, 2012 4:25 pm

Re: Security vulnerabilities and a vendor offer

Thanks for your answers guys.

If there's enough market saturation of their product, the bad guys will be motivated to produce their own exploit. And by releasing a patch, they pretty much have what they need to do so. Taking the company's logic one step forward, if the company feels that their user base isn't technically proficient enough to patch (as the original poster stated) AND the patch might provide enough detail for an attacker to develop their own exploit, should they have even released the patch?

And this is exactly the problem! Most of the vulnerabilities I found might be easy to reproduce for an attacker, even if they only state the type of the vulnerability in their patch notes. So patching it silently might be the right way here. But the problem will still persist on the devices of the people who simply cannot update due to a missing technical understanding. If the devices auto-updated, this probably wouldn't be a problem, but this is not implemented for some reason.

So the vendor doesn't want to see the vulnerability disclosed because of losing reputation and, of course, to protect their customers in the obvious "security through obscurity" way.

@3xban:
I had a talk with the product manager again about the situation and he clearly stated that they appreciate all of my further findings too.

I finally agree with unicityd - if and how they report this issue to their customers is their decision/problem, so I decided to take their offer.

Regards.
eCPPT, HP ASE (Networking), LPIC-1, OSCP, WCSP
http://www.rcesecurity.com

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Sat Jul 28, 2012 11:35 pm

Re: Security vulnerabilities and a vendor offer

I think you made a good decision in accepting the offer.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
