Re: More on the Bash Security Vulnerability: CVE-2014-6271 & CVE-2014-7169

Wed, 01 Oct 2014 08:08:10 -0700 

W dniu 2014-10-01 o 16:50, David L. Craig pisze:

On 14Oct01:1627+0200, R.S. wrote:

HMC is good example of such device. You don't install
anything on that, you don't connect it to the Internet
just like PC, the connection to IBM support system
is quite different thing.  While it's good to fix any
vulnerability if possible, I wouldn't worry about bash
in HMC.

The HMC is not a toaster.  It is a sophisticated black
box with both Internet connectivity and some not well
understood access to the customers' CECs.  I do not
think it a good example at all.  Hopefully the secrets
of that platform will never be compromised or the platform
subverted, unless that has already come to pass--who
would know?  Certainly not the customers.



I never claimed it is a toaster, but it is not so black, the Internet 
connectivity is very well described in separate manual (*) and it is 
connected to the SEs, not CPC itself. The connection is also documented 
(not as detailed to be honest). It is also abvious the HMC is not 
connected to "general LAN" it is isolated subnetwork. Important: we are 
not talking about any possible vulnerability, we are talking about THIS 
vulnerability. While it would be nice to have no errors and 
vulnerabilities, we are living in a world where software errors do 
happen and it's good to know how dangerous it can be for given scenario. 
IMHO in this case there is no need to worry.
What would be a scenario of attack? Note: "I don't know" is not an 
option. The same answer apply to all remaining bugs we don't know YET, 
but in this case connection to the host's SE cannot be used as attack 
method.



(*) Note: Original of HMC sub-thread was related to DS8000 HMC, but now 
deviated to mainframe HMC. I also write here about mainframe HMC.



My €0.02

Regards

--
Radoslaw Skorupka
Lodz, Poland






---
Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku 
przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie 
jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem 
niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania 
adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by 
karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie 
zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo 
wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is 
intended solely for business use of the addressee. This e-mail may only be 
received by the addressee and may not be disclosed to any third parties. If you 
are not the intended addressee of this e-mail or the employee authorized to 
forward it to the addressee, be advised that any dissemination, copying, 
distribution or any other similar activity is legally prohibited and may be 
punishable. If you received this e-mail by mistake please advise the sender 
immediately by using the reply facility in your e-mail software and delete 
permanently this e-mail including any copies of it either printed or saved to 
hard drive.


mBank S.A. z siedzib w Warszawie, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl 
Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 0000025237, NIP: 526-021-50-88. Wedug stanu na dzie 01.01.2014 r. kapita zakadowy mBanku S.A. (w caoci wpacony) wynosi 168.696.052 zote.



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN























					Reply via email to