I was searching on the Yahoo! stock boards, and found this message about NFR.  Has 
anyone heard about this security flaw in NFR?  
 
-Nicky

---
http://messages.yahoo.com/bbs?action=m&board=8729209&tid=issx&mid=702&sid=8729209

702 A Correction to one of MJR's Points
04/05/99, 11:54AM EDT, tptacek 

Hi. I used to work for Network Associates, where
I discovered the recently publicized security
flaw in NFR and brought it to MJR's attention. I'd
like to clarify what happened with this.

The problem my team found in NFR allowed an arbitrary
person on the Internet to gain complete, remote,
supervisory access to a machine running certain versions
of NFR in its default configuration. It's
probably not possible to overstate the 
severity of this problem. NFR is currently the only network
IDS known to have had such a problem. 
It was some time after we notified MJR of the problem that
a patch was published. The controversy that ensued
between my team and MJR is probably not important to
discuss here, but suffice it to say, there certainly
was not a "24 hour turnaround" on this problem for
the overwhelming vast majority of people
who downloaded vulnerable versions of this software.

ISS RealSecure has never been known to have a similar problem.
Neither, to my knowledge, was any other "competing" I-D
system. To some extent this may be due to the published
source code in NFR. 

NFR is not an "open source" package. It is a commercial package
that happens to allow users to see the source code. The
actual definition of "open source" software, as readers of this
board have heard it used, is located at
http://www.opensource.org.

It is hard to feel sorry for MJR about being
harangued by anonymous posters on this board; not
because he deserves it, but because EVERY ONE of his
competitors deals with exactly the same behavior
(<cough><cough>fastnet101<cough>) and doesn't
see the need to have representatives of the company address 
the cranks.

I don't think it's embarrassing to let consumers know that
products they are using to enhance the security of their
network can actually be leveraged against them. It takes
significant amounts of effort to find such problems, and I
think it's honorable to disclose them to vendors, wait
for patches, and post unbiased advisories about them
as soon as is reasonably possible. This is what my
team did. It's sad that MJR has fallen into the
"slighted vendor" behavior patterns (see
http://www.pobox.com/~tqbf/bug-reports.html).

Hopefully, pointing out that NFR currently has the worst
public operational security track record of any network
intrusion detection system will motivate him to disclose
holes in ISS, Cisco, NAI, and Axent software, so that the
goals of full-disclosure security can be further realized.

