Is OpenBSD a Little Too Open?

For many years OpenBSD has claimed, "Only one remote hole in the default install--in more than 10 years!" That count has now jumped to two.

A vulnerability in the way many versions of OpenBSD handle IPv6 packets exposes them (at best) to compromise from their local subnet and (at worst) on IPv6 routed networks, remote compromise from any other IPv6 location. Even on an IPv4 network, the IPv6 interface is enabled by default and would be available on the local subnet, though this does mitigate the risk of the vulnerability somewhat.

Core Security Technologies found the vulnerability and worked with the OpenBSD team. But the vendor contact log included in the advisory hints that the OpenBSD team may be rusty in handling security events, or the usual "responsible disclosure" mechanism didn't function as well as designed. Not only did the OpenBSD folks initially deny the "vulnerability" status of the bug (believing it was only a remote denial of service), but it appears public disclosure of the vulnerability was uncoordinated.

That said, other OSs--and you know who you are--would kill for a security track record like OpenBSD's. --Jordan Wiens, [email protected]