Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork?
On Thu, 15 Feb 2007, Joep Vesseur wrote:
> Gadi,
>
> > [...]
> > One note: although it could just as well be a bug, who says it was not a
> > backdoor in the early 90's?
> >
> > Also, I understand this does not work on older Solaris/SunOS systems
> > (anyone can verify?)
>
> I can. It is not present in anything before Solaris 10.
>
> > which adds to my personal interest in the
> > possibility. I refuse to believe someone is that funny/sad.
>
> Not sure what you mean here... You don't believe this is a (very
> unfortunate) accident?
>
> From where I stand (pretty close to the fire) this is pretty much
> what it looks like (an extended multi-file, multi-entrance-point
> change with unforseen and unnoticed interdependencies).
This needs to be further discussed, as your response here has been
awe-striking.
The remote possibility was raised, and for several reasons:
1. It just didn't seem to be possible such a vulnerability would exist,
yet it does.
2. It was a remote one (not raised by me, btw) which I wanted answers for
rather than let it die under the usual flames.
3. It was raised, we needed to discuss it.
Sun has been completely visible and did full-disclosure on the
vulnerability, how it got there, etc. I have to tip my hat to you and
thank you for your help with this.
I believe the entire industry should thank you, and follow your lead.
This is the first case where I have seen a vendor respond in such
fashion. It is to be commended yet again. You have proven what being open
with the community can achieve.
This is a serious F up on the side of Sun. Everyone makes mistakes
and incidents will happen no matter what. What matters here is how you
responded to the incident when it did happen.
Gadi.
>
> Joep
>