Network Computingwww.networkcomputing.com

Is OpenBSD a Little Too Open?

Posted by Jordan Wiens
March 29, 2007

Tags: Core Security Technologies, IPv6 packets, routed networks, subnet, threat, vulnerability, Client/Server Protection, Data Networking & Management, Data Protection, Networking and Telecom, OpenBSD, Other, Security and Privacy, Software and Web Development, Threats and Attacks, Vulnerability Assessment and Management

Channel: Other, Networking & Mgmt, Data Protection

For many years OpenBSD has claimed, "Only one remote hole in the default install--in more than 10 years!" That count has now jumped to two.

A vulnerability in the way many versions of OpenBSD handle IPv6 packets exposes them (at best) to compromise from their local subnet and (at worst) on IPv6 routed networks, remote compromise from any other IPv6 location. Even on an IPv4 network, the IPv6 interface is enabled by default and would be available on the local subnet, though this does mitigate the risk of the vulnerability somewhat.

Core Security Technologies found the vulnerability and worked with the OpenBSD team. But the vendor contact log included in the advisory hints that the OpenBSD team may be rusty in handling security events, or the usual "responsible disclosure" mechanism didn't function as well as designed. Not only did the OpenBSD folks initially deny the "vulnerability" status of the bug (believing it was only a remote denial of service), but it appears public disclosure of the vulnerability was uncoordinated.

That said, other OSs--and you know who you are--would kill for a security track record like OpenBSD's. --Jordan Wiens, jwiens@nwc.com

Related Reading

More data-networking-management Insights